Important Changes in PCI DSS 4.0.1 You Should Know About

F5 Ecosystem | July 30, 2024

Didn’t Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 just expire on March 31, 2024, and wasn’t it replaced by PCI DSS v4.0?

Yes, and yes.

But to address feedback and questions received after PCI DSS v4.0 was published, the PCI Security Standards Council (PCI SSC) decided to release a limited revision to the standard: PCI DSS v4.0.1. (When PCI DSS v4.0 is retired on December 31, 2024, v4.0.1 will become the only active standard supported by PCI SSC.)

There are several important changes in PCI DSS v4.0.1 that you should know about as you update or build out transaction security and compliance. For the sake of brevity, this blog will cover changes and updates that F5’s application and API security solutions address. You can find a more complete list of changes on the PCI SSC website.

The most relevant updates included in PCI DSS v4.0.1 aim to provide clarification regarding the scope of client-side security requirements.

Who is responsible for what?

Requirement 6.4.3

This requirement states that all payment page scripts that are loaded and executed in the consumer's browser should be managed as follows:

  • A method is implemented to confirm that each script is authorized.
  • A method is implemented to assure the integrity of each script.
  • An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.

Typically, merchants rely on payment service providers or third-party service providers (PSPs or TPSPs) for payment processing, which determines the method by which a consumer pays for the goods or services being acquired. This PCI requirement caused confusion about the responsibility model in scenarios where merchants embed PSP/TPSP inline frames (iframes) containing the payment page. An iframe is essentially a separate, smaller web page rendered inside the parent page to provide a specific function. Scripts can run in it as well, making the iframe susceptible to the same risks as the parent web page. So do iframes need to follow the same PCI requirements as parent pages?

The v4.0.1 update clarifies that merchants are responsible for the script running only on their own page (the parent page) and not the ones running on PSP/TPSP iframes.

Best practice: It is the merchant's responsibility to work with the PSP/TPSP vendor whose iframe pages are embedded to ensure that those pages are compliant and secure. If the merchant does not complete this requirement, it is exposed to payment fraud, leading to business loss and intense scrutiny by PCI.
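The three bullets of requirement 6.4.3 (authorization, integrity, inventory) can be checked mechanically on the parent page. The following is an added example, not code from the original post or from F5; the inventory, page, script bodies and URLs are constructed, and it follows the v4.0.1 clarification by reporting PSP/TPSP iframes without auditing their contents.

```python
"""Audit a payment page's scripts against an inventory (PCI DSS 6.4.3)."""
import base64
import hashlib
from html.parser import HTMLParser

def sri_digest(body: bytes) -> str:
    """Return the 'sha384-<base64>' form used in SRI integrity attributes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

# Constructed inventory: script URL -> written justification (requirement 6.4.3).
INVENTORY = {
    "https://cdn.example.com/checkout.js": "Merchant checkout form validation",
    "https://js.example-psp.com/fields.js": "PSP loader for hosted payment fields",
}

# Constructed script body and parent page; the iframe is the PSP's responsibility.
CHECKOUT = b"document.querySelector('#pay').addEventListener('submit', validate);"
PAGE = f"""<html><head>
<script src="https://cdn.example.com/checkout.js" integrity="{sri_digest(CHECKOUT)}"></script>
<script src="https://js.example-psp.com/fields.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
</head><body><iframe src="https://pay.example-psp.com/frame"></iframe></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect <script src> tags on the parent page and note embedded iframes."""
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity attribute or None)
        self.iframes = []  # iframe src values, reported but not audited here
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

def audit_page(html: str, inventory: dict, fetched: dict) -> dict:
    """Classify each script as not in inventory, lacking an integrity attribute,
    or mismatching its fetched body (`fetched` maps src -> bytes, constructed)."""
    p = ScriptCollector()
    p.feed(html)
    r = {"unauthorized": [], "missing_integrity": [],
         "integrity_mismatch": [], "iframes": p.iframes}
    for src, integrity in p.scripts:
        if src not in inventory:
            r["unauthorized"].append(src)
        elif not integrity:
            r["missing_integrity"].append(src)
        elif src in fetched and sri_digest(fetched[src]) != integrity:
            r["integrity_mismatch"].append(src)
    return r
```

A script that is authorized and has an integrity attribute but whose served body no longer matches it is reported as a mismatch, which is the case the inventory alone would miss.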

Requirement 11.6.1

Similar clarifications were included around requirement 11.6.1, with emphasis on the security-impacting HTTP headers and script contents received by the consumer browser. This is an important change, as PCI makes it clear that it is focused on the risks associated with this requirement, rather than requiring detection of HTTP header and script changes that do not affect security.

There are also updates regarding the responsibility model for PSP/TPSP-embedded iframes, clarifying that the merchant is responsible only for the parent web page, and the PSP/TPSP vendor is responsible for the security-impacting HTTP headers and scripts rendered in its iframes.
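To illustrate the narrowed scope of 11.6.1, here is an added example (not code from the original post or from F5) that baselines only security-impacting response headers and the hashes of parent-page script contents, then alerts on what changed; the header set, URLs and script bodies are constructed assumptions.

```python
"""Change detection for security-impacting headers and scripts (PCI DSS 11.6.1)."""
import hashlib

# Headers whose change affects the payment page's security posture; headers
# such as Date or Server change routinely and are deliberately out of scope.
SECURITY_IMPACTING = {
    "content-security-policy", "strict-transport-security",
    "x-frame-options", "x-content-type-options", "referrer-policy",
}

def snapshot(headers: dict, scripts: dict) -> dict:
    """Baseline: in-scope headers (lowercased) plus a SHA-256 of each script body."""
    return {
        "headers": {k.lower(): v for k, v in headers.items()
                    if k.lower() in SECURITY_IMPACTING},
        "scripts": {src: hashlib.sha256(body).hexdigest()
                    for src, body in scripts.items()},
    }

def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return (kind, name) alerts for items that changed, appeared or vanished."""
    alerts = []
    for section in ("headers", "scripts"):
        old, new = baseline[section], current[section]
        for name in sorted(set(old) | set(new)):
            if name not in new:
                alerts.append((f"{section[:-1]}_removed", name))
            elif name not in old:
                alerts.append((f"{section[:-1]}_added", name))
            elif old[name] != new[name]:
                alerts.append((f"{section[:-1]}_changed", name))
    return alerts

# Constructed baseline and a later observation of the same parent page.
BASELINE = snapshot(
    {"Content-Security-Policy": "script-src 'self' https://js.example-psp.com",
     "Strict-Transport-Security": "max-age=31536000",
     "Date": "Tue, 30 Jul 2024 10:00:00 GMT"},
    {"https://cdn.example.com/checkout.js": b"validate();"})
OBSERVED = snapshot(
    {"Content-Security-Policy": "script-src 'self' https://js.example-psp.com "
                                "https://cdn.other.example",
     "Date": "Tue, 30 Jul 2024 11:00:00 GMT"},
    {"https://cdn.example.com/checkout.js": b"validate(); track();"})
```

Running diff_snapshots(BASELINE, OBSERVED) flags the loosened CSP, the dropped HSTS header and the altered script, while the changed Date header produces no alert.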

The clock is ticking

With less than nine months until the March 2025 deadline for implementing the new requirements, organizations need to navigate all the complexities related to the proposed changes and compliance with PCI DSS v4.0.1.

F5 and PCI DSS v4.0.1

F5 Distributed Cloud Web App and API Protection (WAAP), Distributed Cloud Bot Defense, Distributed Cloud Client-Side Defense, and Mobile App Security Suite from F5 Distributed Cloud Services form the basis for protecting the entire business-to-consumer transaction. For client-side scripts, Distributed Cloud Client-Side Defense can provide visibility and control to enable compliance. F5 Distributed Cloud Services is currently PCI DSS v4.0 compliant and undergoes compliance audits with an approved audit firm on a scheduled basis. Organizations must be PCI DSS v4.0.1 compliant by January 1, 2025, and Self-Assessment Questionnaires must be updated to reflect this.

Last but not least, organizations subject to PCI DSS requirements can expect changes to the following documentation in the coming calendar quarters:

  • Self-Assessment Questionnaires (SAQs)
  • Report on Compliance (ROC)
  • Attestations of Compliance (AOCs)

Best practice: Monitor https://blog.pcisecuritystandards.org for updates or revisions to the standards and have a discussion with your PCI DSS auditor to make sure your organization is on track to meet PCI DSS requirements.

To learn more, visit f5.com/products/distributed-cloud-services.
