PCI DSS v4.0.1: Meeting the New Client-Side Security Requirements

The Payment Card Industry Security Standards Council (PCI SSC) released PCI DSS version 4.0.1 in June 2024, introducing crucial updates to strengthen payment security and ensure comprehensive protection of e-commerce payment pages. These updates, which clarify existing requirements and provide explicit guidance based on feedback from PCI DSS 4.0 stakeholders, underscore the importance of continuous adaptation in an ever-evolving security landscape.

Breaking Down the Latest Client-Side Security Updates in PCI DSS

Sections 6.4.3 and 11.6.1 of PCI DSS v4.0.1 introduce fundamental changes to client-side security:

Section 6.4.3

Authorization of Scripts: The standard now clarifies that in highly dynamic web application environments, authorizing every script in advance may be impractical. It is therefore essential to have a tool that detects new scripts on payment pages and notifies security teams so that those scripts can be analyzed and authorized.

Script Inventory: Organizations must maintain a detailed inventory of all scripts, each with a written technical or business justification, underscoring the need for strict security controls over scripts running on payment pages.

Section 11.6.1

Change and Tamper Detection Mechanisms: A tailored approach is prescribed for monitoring the HTTP headers and script content of payment pages, alerting on unauthorized modifications that could indicate a security compromise or a client-side attack.
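The two controls described above (the 6.4.3 script inventory with written justifications, and the 11.6.1 change detection over script content and HTTP headers) are small enough to show in working code. The following is an added example written for this page; it is neither Akamai's product code nor official PCI SSC guidance. The payment-page HTML, response headers, script bodies, inventory entries and URLs (checkout.example, cdn.example, third-party.invalid) are all constructed for the demonstration, and the "fetched" script bodies are passed in as a dictionary so the check runs offline.

```python
"""Payment-page script inventory and change detection (constructed example).

Two checks in the spirit of PCI DSS 6.4.3 and 11.6.1:
  * every <script> on the page must appear in an inventory that carries a
    written justification; anything else is reported as unauthorized;
  * script content and security headers are compared with a baseline taken
    when they were authorized, and any drift is reported.
"""
import hashlib
from html.parser import HTMLParser


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collects every <script>: its src (if any) and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "content": ""}

    def handle_data(self, data):  # script bodies arrive here as raw data
        if self._current is not None:
            self._current["content"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def extract_scripts(html: str):
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


# --- Constructed inventory and baselines (hypothetical names and values) ---
CHECKOUT_JS = "https://checkout.example/js/checkout.js"
ANALYTICS_JS = "https://cdn.example/lib/analytics.js"
INLINE_CFG = 'window.__cfg = {currency: "USD"};'

# 6.4.3: authorized scripts keyed by URL (or inline:<sha256>), with justification.
AUTHORIZED_SCRIPTS = {
    CHECKOUT_JS: "Business: renders the payment form (owner: payments team)",
    ANALYTICS_JS: "Business: page analytics, approved by security review",
    "inline:" + sha256_hex(INLINE_CFG): "Technical: checkout configuration",
}

# Script bodies as they were when authorized; the hashes form the 11.6.1 baseline.
SCRIPT_BODIES_GOOD = {CHECKOUT_JS: "function renderForm(){}", ANALYTICS_JS: "function track(){}"}
CONTENT_BASELINE = {url: sha256_hex(body) for url, body in SCRIPT_BODIES_GOOD.items()}

# 11.6.1: security headers the payment page is expected to send (lower-cased names).
HEADER_BASELINE = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://checkout.example https://cdn.example",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}


def audit_scripts(scripts, inventory, script_bodies, content_baseline):
    """Return (kind, subject, detail) findings for unauthorized or changed scripts."""
    findings = []
    for script in scripts:
        if script["src"]:
            key, body = script["src"], script_bodies.get(script["src"])
        else:  # an inline script is identified by the hash of its body, like a CSP hash
            body = script["content"]
            key = "inline:" + sha256_hex(body)
        if key not in inventory:
            findings.append(("unauthorized_script", key, "not in inventory; needs review and justification"))
        elif body is None:
            findings.append(("unfetchable_script", key, "authorized, but body could not be retrieved"))
        elif key in content_baseline and sha256_hex(body) != content_baseline[key]:
            findings.append(("script_changed", key, "content hash differs from the authorized baseline"))
    return findings


def audit_headers(observed_headers, baseline):
    """Return findings for security headers that are missing or differ from the baseline."""
    observed = {name.lower(): value for name, value in observed_headers.items()}
    findings = []
    for name, expected in baseline.items():
        got = observed.get(name)
        if got is None:
            findings.append(("header_missing", name, f"expected '{expected}'"))
        elif got != expected:
            findings.append(("header_changed", name, f"expected '{expected}', got '{got}'"))
    return findings


def audit_payment_page(html, headers, script_bodies, inventory=AUTHORIZED_SCRIPTS,
                       content_baseline=CONTENT_BASELINE, header_baseline=HEADER_BASELINE):
    """Run both checks over one observed page load; an empty list means no drift."""
    return (audit_scripts(extract_scripts(html), inventory, script_bodies, content_baseline)
            + audit_headers(headers, header_baseline))


# --- Constructed page loads: one as authorized, one with unexpected changes ---
GOOD_PAGE_HTML = (f'<html><head><script src="{CHECKOUT_JS}"></script>'
                  f'<script src="{ANALYTICS_JS}"></script></head><body>'
                  f'<form id="pay"></form><script>{INLINE_CFG}</script></body></html>')
GOOD_HEADERS = {"Content-Security-Policy": HEADER_BASELINE["content-security-policy"],
                "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}

UNKNOWN_JS = "https://third-party.invalid/unknown.js"  # placeholder for a script nobody authorized
TAMPERED_PAGE_HTML = GOOD_PAGE_HTML.replace("</head>", f'<script src="{UNKNOWN_JS}"></script></head>')
TAMPERED_HEADERS = {k: v for k, v in GOOD_HEADERS.items() if k != "X-Frame-Options"}
SCRIPT_BODIES_TAMPERED = dict(SCRIPT_BODIES_GOOD, **{CHECKOUT_JS: "function renderForm(){}\n// unexpected addition"})

if __name__ == "__main__":
    for finding in audit_payment_page(TAMPERED_PAGE_HTML, TAMPERED_HEADERS, SCRIPT_BODIES_TAMPERED):
        print(*finding, sep=" | ")
```

Running the module prints three findings for the tampered load: the unknown script URL, the changed checkout.js body, and the missing X-Frame-Options header, while the authorized load produces none. In a real deployment the HTML, headers and script bodies would come from periodic fetches of the live payment page (or from the browser itself), and each finding would be routed to the security team for the review and authorization step 6.4.3 calls for.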

Simplified Compliance with Akamai Client-Side Protection & Compliance

Akamai Client-Side Protection & Compliance aligns with the new PCI DSS v4.0.1 standards, offering tools that simplify compliance and enhance payment page security. This solution analyzes script activity in real time to detect malicious behavior, protecting organizations and their customers against threats such as web skimming and Magecart attacks.

Automatic Discovery and Cataloging: Automatically detects and catalogs all scripts on payment pages, alerting the security team about unauthorized scripts for review and authorization.

Script Need Specification: Lets security teams document why each script on a payment page is needed, facilitating compliance with the PCI DSS v4.0.1 justification requirement.

HTTP Header Monitoring: Monitors HTTP security headers such as X-XSS-Protection and X-Frame-Options and alerts on changes, allowing immediate review.

Strengthen Your Organization’s Security with Akamai

The new additions and clarifications in PCI DSS v4.0.1 highlight prevalent security risks when integrating a payment provider iframe and reinforce the need for robust client-side protections. Akamai Client-Side Protection & Compliance provides comprehensive monitoring and protection for all scripts under the organization’s responsibility, ensuring compliance and security enhancements for both proprietary and third-party scripts.

With Akamai as your cybersecurity partner, you can confidently defend against cyber threats such as data breaches and malware, thwarting cybercriminals seeking to capture critical information from the customers and partners that trust you the most.

via: Akamai
