F5 Inc.

07/30/2024 | News release | Distributed by Public on 07/30/2024 10:13

Important Changes in PCI DSS 4.0.1 You Should Know About

Requirement 6.4.3

This requirement states that all payment page scripts that are loaded and executed in the consumer's browser should be managed as follows:

  • A method is implemented to confirm that each script is authorized.
  • A method is implemented to assure the integrity of each script.
  • An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
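The three controls above can be checked mechanically on a page the merchant controls. The following Python is an added example, not code from the F5 release or from the PCI SSC: it parses the script tags of a constructed checkout page, treats a script as authorized only if it appears in an inventory that records a justification, and verifies the Subresource Integrity (SRI) value on each tag against the bytes the script host actually serves. The inventory, the served script bodies and the HTML are all constructed for the illustration, and mapping the three bullets onto an inventory lookup, an SRI comparison and a recorded justification is this example's reading of the requirement, not wording from the standard.

```python
"""
Added example (not from the F5 release or the PCI SSC): checking the three parts
of PCI DSS Requirement 6.4.3 on a merchant-controlled payment page.
"""
import base64
import hashlib
from html.parser import HTMLParser

# Constructed inventory: script source -> written justification (bullet 3).
SCRIPT_INVENTORY = {
    "https://cdn.example.com/checkout.js": "Renders the merchant checkout form",
    "https://analytics.example.com/tag.js": "Conversion analytics, approved by marketing",
}

# Constructed script bodies standing in for what the script hosts actually serve.
SERVED_SCRIPTS = {
    "https://cdn.example.com/checkout.js": b"window.checkout = function(){};",
    "https://analytics.example.com/tag.js": b"window.track = function(){};",
}

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute an SRI integrity value ('<algo>-<base64 digest>') for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class ScriptTagCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag on the page, in page order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser already lowercases tag names
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def audit_payment_page(html: str, inventory: dict, served: dict) -> list:
    """
    Return one finding per script tag. A script is 'ok' only when it is in the
    inventory (authorized) and its SRI value matches the served bytes (integrity).
    Inline scripts have no src, so they cannot be matched to the inventory here.
    """
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            findings.append({"src": None, "status": "inline-script-not-in-inventory"})
            continue
        if src not in inventory:
            findings.append({"src": src, "status": "unauthorized"})
            continue
        if integrity is None:
            findings.append({"src": src, "status": "missing-integrity"})
            continue
        algo = integrity.split("-", 1)[0]
        if algo not in SRI_ALGORITHMS:
            findings.append({"src": src, "status": "invalid-integrity"})
            continue
        expected = sri_hash(served.get(src, b""), algo)
        status = "ok" if expected == integrity else "integrity-mismatch"
        findings.append({"src": src, "status": status, "justification": inventory[src]})
    return findings


# Constructed checkout page: one correct tag, one stale hash, one script nobody
# inventoried, and one inline script.
CHECKOUT_HTML = f"""
<html><body>
<script src="https://cdn.example.com/checkout.js"
        integrity="{sri_hash(SERVED_SCRIPTS['https://cdn.example.com/checkout.js'])}"></script>
<script src="https://analytics.example.com/tag.js" integrity="sha384-AAAA"></script>
<script src="https://unknown.example.net/extra.js"></script>
<script>console.log("inline");</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_payment_page(CHECKOUT_HTML, SCRIPT_INVENTORY, SERVED_SCRIPTS):
        print(finding)
```

Running the block reports the first tag as authorized with a matching hash, the analytics tag as an integrity mismatch (its hash no longer matches what the host serves), the uninventoried script as unauthorized, and the inline script as something the inventory has no entry for; each of those is a finding a QSA would expect the merchant to be able to produce.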

Typically, merchants rely on payment service providers or third-party service providers (PSPs or TPSPs) for payment processing, which determines the method by which a consumer pays for the goods or services being acquired. This PCI requirement caused confusion about the responsibility model in scenarios where merchants embed a PSP/TPSP inline frame (iframe) containing the payment page. An iframe is essentially a separate web page embedded in the parent page to provide a specific function. Scripts can run inside it as well, which makes the iframe susceptible to the same risks as the parent web page. So do iframes need to follow the same PCI requirements as parent pages?

The v4.0.1 update clarifies that merchants are responsible only for the scripts running on their own page (the parent page), not for those running in PSP/TPSP iframes.

Best practice: It is the merchant's responsibility to work with the PSP/TPSP vendor to ensure that the iframe pages are compliant and secure. If the merchant does not complete this requirement, they face the risk of payment fraud, leading to business loss and intense scrutiny by PCI.

Requirement 11.6.1

Similar clarifications were included around requirement 11.6.1, with emphasis on the security-impacting HTTP headers and scripts received by the consumer's browser. This is an important change, as PCI makes clear that the requirement is focused on the risks it was written to address, rather than requiring broader detection of HTTP header and script changes that have no security impact.

There are also updates regarding the responsibility model for PSP/TPSP-embedded iframes, clarifying that the merchant is responsible only for the parent web page, and the PSP/TPSP vendor is responsible for the security-impacting HTTP headers and scripts rendered in its iframes.
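Requirement 11.6.1 is a change-and-tamper detection control, and the v4.0.1 wording narrows what a detection has to alert on. The Python below is an added example, not code from the F5 release or the PCI SSC: it compares the headers and script contents observed for a payment page against an approved baseline and raises alerts only for the headers that affect browser security (content security policy, HSTS, framing, MIME sniffing, referrer policy) and for any script whose contents differ from the baseline, while ignoring headers such as Date or Server that change on every response. The baseline, the observed response and the set of "security-impacting" header names are constructed for the illustration; which headers count as security-impacting is a judgement the merchant and their assessor make, not a list from the standard.

```python
"""
Added example (not from the F5 release or the PCI SSC): tamper detection over a
payment page's security-impacting HTTP headers and script contents, in the
spirit of PCI DSS Requirement 11.6.1.
"""
import hashlib

# Constructed list: response headers whose change can weaken the browser's
# protections on the payment page. Other headers are deliberately not watched.
SECURITY_IMPACTING_HEADERS = {
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
}


def script_fingerprints(scripts: dict) -> dict:
    """Map script URL -> SHA-256 hex digest of the script bytes."""
    return {url: hashlib.sha256(body).hexdigest() for url, body in scripts.items()}


def detect_tampering(baseline_headers: dict, baseline_scripts: dict,
                     observed_headers: dict, observed_scripts: dict) -> list:
    """
    Return a sorted list of (alert_type, name) tuples. Header names are compared
    case-insensitively, as HTTP header names are; only the watched set is checked.
    """
    alerts = []
    base = {k.lower(): v for k, v in baseline_headers.items()}
    obs = {k.lower(): v for k, v in observed_headers.items()}
    for name in SECURITY_IMPACTING_HEADERS:
        if name in base and name not in obs:
            alerts.append(("header-removed", name))
        elif name in base and base[name] != obs[name]:
            alerts.append(("header-changed", name))
        elif name not in base and name in obs:
            alerts.append(("header-added", name))

    base_fp = script_fingerprints(baseline_scripts)
    obs_fp = script_fingerprints(observed_scripts)
    for url in base_fp.keys() - obs_fp.keys():
        alerts.append(("script-removed", url))
    for url in obs_fp.keys() - base_fp.keys():
        alerts.append(("script-added", url))
    for url in base_fp.keys() & obs_fp.keys():
        if base_fp[url] != obs_fp[url]:
            alerts.append(("script-modified", url))
    return sorted(alerts)


# Constructed baseline captured when the page was last approved.
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "Server": "nginx",
    "Date": "Tue, 30 Jul 2024 10:00:00 GMT",
}
BASELINE_SCRIPTS = {
    "https://cdn.example.com/checkout.js": b"window.checkout = function(){};",
}

# Constructed observation: Date and Server changed (harmless), the CSP was
# loosened, X-Frame-Options disappeared, a nosniff header was added, the
# checkout script changed, and a script the baseline never saw appeared.
OBSERVED_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'",
    "strict-transport-security": "max-age=31536000",
    "x-content-type-options": "nosniff",
    "server": "nginx/1.25",
    "date": "Wed, 31 Jul 2024 09:12:45 GMT",
}
OBSERVED_SCRIPTS = {
    "https://cdn.example.com/checkout.js": b"window.checkout = function(){}; /* changed */",
    "https://unknown.example.net/extra.js": b"window.extra = 1;",
}

if __name__ == "__main__":
    for alert in detect_tampering(BASELINE_HEADERS, BASELINE_SCRIPTS,
                                  OBSERVED_HEADERS, OBSERVED_SCRIPTS):
        print(alert)
```

In practice the observed side would be captured by whatever mechanism the merchant uses to satisfy 11.6.1 (a periodic fetch of the page, or a browser-side agent), and the baseline would be refreshed through the same change-control process that updates the 6.4.3 script inventory; the point of the watched-header set is that an alert means something security-relevant changed, not merely that the page was served again.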