In 2022, the Payment Card Industry Security Standards Council (PCI SSC) introduced updates to the PCI DSS standard. PCI DSS v4.0 incorporated various changes: clarifications and guidance to help organizations understand how to implement and maintain security, updated requirements to meet evolving security threats, and added flexibility in how organizations meet those requirements. Most of the changes were initially best practices, but full implementation of the PCI DSS 4.0 requirements becomes effective March 31, 2025.
Who is in Scope:
Any organization that stores, processes, or transmits payment cardholder data and/or sensitive authentication data is required to implement and follow the PCI security standards to prevent cardholder data theft.
What’s Changing:
The PCI Security Standards Council has updated the PCI standards to ensure the payment industry continues to meet evolving security threats. E-commerce merchants that outsource online payments to a payment processor are required to monitor their payment page. The following e-commerce merchants may be affected by Requirement 6.4.3 and Requirement 11.6.1.
| E-commerce merchants with SAQ A questionnaire | E-commerce merchants with SAQ AE and D questionnaires |
|---|---|
| Vulnerability scans: merchants are required to complete network scans to identify and address security vulnerabilities by installing applicable security patches and updates. | Script management: merchants with hosted payment pages will be required to monitor all payment page scripts that are loaded and executed in the consumer's browser by confirming script authorization, assuring script integrity, and maintaining a script inventory (Req 6.4.3). |
| Script management and script detection: merchants who previously qualified for SAQ A may need to reassess their eligibility by moving to SAQ AE if they are unable to confirm and provide proof that their entire webpage isn't susceptible to attacks (Req 6.4.3 and 11.6.1). | Script detection: merchants with hosted payment pages must implement a detection mechanism (at least weekly) to alert on unauthorized modifications or changes to payment pages as received by the consumer's browser (Req 11.6.1). |
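The following is an added example, not code from CSG Forte, the PCI SSC, or any QSA, showing what the two requirements in the table look like in practice: a script inventory with a documented purpose and an approved SHA-256 integrity value for each script (Req 6.4.3), and a check that compares the payment page as actually received, script by script, against that inventory and raises a finding for anything unauthorized, changed, or missing an integrity attribute (Req 11.6.1). All URLs, script contents and the inventory entries are constructed placeholders; a real monitor would fetch the live page and its scripts instead of using the embedded sample.

```python
"""Payment-page script inventory and change-detection check (added example)."""
import base64
import hashlib
import re
from typing import Dict, List


def sri_hash(content: bytes) -> str:
    """Subresource Integrity digest ("sha256-<base64>") of the given bytes."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode("ascii")


# Constructed approved script contents (hypothetical URLs and bodies).
APPROVED_CONTENT = {
    "https://pay.example.test/checkout.js": b"window.checkout = function () {};",
    "https://cdn.example.test/analytics.js": b"console.log('analytics v1');",
}

# Script inventory as Req 6.4.3 asks for it: every authorized script with a
# written justification and the integrity value of its approved content.
INVENTORY = {
    "https://pay.example.test/checkout.js": {
        "purpose": "Hosted payment form loader (processor supplied)",
        "integrity": sri_hash(APPROVED_CONTENT["https://pay.example.test/checkout.js"]),
    },
    "https://cdn.example.test/analytics.js": {
        "purpose": "Page analytics, approved by security team",
        "integrity": sri_hash(APPROVED_CONTENT["https://cdn.example.test/analytics.js"]),
    },
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def extract_scripts(html: str) -> List[Dict[str, str]]:
    """List every <script> element in document order, as the browser would load it."""
    scripts = []
    for attrs, body in SCRIPT_TAG.findall(html):
        a = dict(ATTR.findall(attrs))
        scripts.append({"src": a.get("src", ""), "integrity": a.get("integrity", ""),
                        "inline": body.strip()})
    return scripts


def audit_payment_page(html: str, fetched: Dict[str, bytes], inventory: dict) -> Dict[str, List[str]]:
    """Compare the page as received against the inventory (Req 11.6.1 style check).

    `fetched` maps script URL -> bytes the monitor actually retrieved for that URL.
    """
    findings: Dict[str, List[str]] = {
        "unauthorized": [],           # script not in the inventory at all
        "integrity_mismatch": [],     # served content differs from approved content
        "missing_integrity_attr": [], # tag lacks the approved integrity attribute
        "inline": [],                 # inline script: cannot be pinned by SRI, review manually
    }
    for s in extract_scripts(html):
        if not s["src"]:
            findings["inline"].append(s["inline"])
            continue
        entry = inventory.get(s["src"])
        if entry is None:
            findings["unauthorized"].append(s["src"])
            continue
        if s["integrity"] != entry["integrity"]:
            findings["missing_integrity_attr"].append(s["src"])
        if sri_hash(fetched.get(s["src"], b"")) != entry["integrity"]:
            findings["integrity_mismatch"].append(s["src"])
    return findings


# Constructed sample of a received page: checkout.js is correct, analytics.js has
# no integrity attribute and its served content has changed, a script nobody
# authorized has appeared, and there is one inline script.
SAMPLE_HTML = (
    '<html><head>'
    f'<script src="https://pay.example.test/checkout.js" integrity="{INVENTORY["https://pay.example.test/checkout.js"]["integrity"]}"></script>'
    '<script src="https://cdn.example.test/analytics.js"></script>'
    '<script src="https://third-party.example.test/unexpected.js"></script>'
    '<script>window.dataLayer = [];</script>'
    '</head><body></body></html>'
)
SAMPLE_FETCHED = {
    "https://pay.example.test/checkout.js": APPROVED_CONTENT["https://pay.example.test/checkout.js"],
    "https://cdn.example.test/analytics.js": b"console.log('analytics v1'); /* altered */",
    "https://third-party.example.test/unexpected.js": b"/* unknown */",
}


def run_sample_audit() -> Dict[str, List[str]]:
    """Run the check over the constructed sample; a scheduled job would fetch live data."""
    return audit_payment_page(SAMPLE_HTML, SAMPLE_FETCHED, INVENTORY)


if __name__ == "__main__":
    for category, items in run_sample_audit().items():
        print(f"{category}: {items}")
```

Running the check at least weekly, as Req 11.6.1 expects, and keeping the inventory under change control is what turns this from a one-off script into evidence a QSA can accept; any non-empty finding list is the alert the requirement asks for.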
Meeting the New PCI Requirements: Your Options
1. If You Already Have a PCI Vendor:
- Contact your QSA to assess if your processing method is in scope for the new requirements.
- If in scope, enroll in and maintain a monitoring service to actively scan your payment pages.
- Be ready to provide proof/confirmation of your monitoring service if needed.
2. If You Don't Have a PCI Vendor:
- CSG Forte partners with a QSA to help you obtain and maintain compliance with both existing and new PCI requirements.
- Enroll with CSG Forte's PCI QSA by completing the attached enrollment form to assess if your processing method is in scope for the new requirements and take steps towards compliance.
3. If You Self-Assess Your Annual PCI Compliance:
- To comply with the new monitoring requirement, we suggest engaging a QSA.
- You have the option to:
  - Choose a QSA from the PCI DSS approved list.
  - Enroll with CSG Forte's PCI Vendor by completing the attached enrollment form.
Contact Us:
- PHONE: Customer Service 866.290-5400 Option 1
- EMAIL: [email protected]
- WEB: FORTE.NET
Online enrollment form: Aperia PCI Enrollment