The PCI DSS 3.2.1 Clock Has Hit the Midnight Hour... Are You Ready for 4.0?

F5 Ecosystem | April 01, 2024

Sunday, March 31, 2024, an important date for organizations worldwide, has come and gone. Why do I say that? For any organization taking consumer payments, it is the date on which the PCI DSS 3.2.1 compliance standard was retired (May 1, 2018 – March 31, 2024). Your organization is now on the PCI DSS 4.0 timeline and will have to have completed a 4.0-compliant SAQ and an audit by an external organization by March 2025. Non-adherence to PCI DSS 4.0 is not an option if you want to book revenue via consumer payments.

The PCI DSS 4.0 specification is a major upgrade from 3.2.1, and you can find the summary of the changes here. Version 4.0 introduces numerous changes (and an updated SAQ as well), but there are two net-new areas that need to be secured in the overall structure in order to reach and maintain compliance:

  • Application programming interface (API) [2.2.7; 6.2.3; 6.2.4]
  • Bespoke software [6.X; 8.6.2; 12.8.1]

For the sake of simplicity, we’ll go just a bit deeper on one portion of ‘bespoke software’ only. This is custom software built by or for the organization to help facilitate consumer payment. Bespoke software is defined as follows:

  • Developed internally or from external third-party sources
  • Software developed for the payment application (server-side of transaction) or pushed out to the consumer’s web browser (client-side of transaction) to drive collection of data

A challenge for many organizations will be extending the security and PCI DSS compliance of bespoke software out to the consumer’s web browser (Requirements 6.4.1; 11.6.1). Securing transactions now means not only securing the server side but also monitoring and protecting the ‘bespoke software’ the organization has pushed out to the consumer’s web browser. And sourcing that client-side bespoke software (e.g., JavaScript) from a third party does not relieve the payment collector from having to monitor and protect it. Attempting to finger-point back to the source will get you nowhere with the auditor.

So, what are the requirements for client-side bespoke software? From section 6.4.1, it comes down to this:

All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:

  • A method is implemented to confirm that each script is authorized.
  • A method is implemented to assure the integrity of each script.
  • An inventory of all scripts is maintained with written justification as to why each is necessary.

This means that all software (scripts) pushed out must be inventoried, justified, and monitored, with a game plan to remediate if a breach is identified. Is your app/IT security staff ready to manage, monitor, and report on this requirement? Have you and your team had a conversation with your PCI DSS auditor on scheduling the 4.0 compliance review? It’s time to ensure that your security and PCI DSS compliance plan is on track and not a disruptor to your security operations and—more importantly—your organization’s revenue collection. Because the requirement to secure the client side of your transactions for PCI DSS 4.0 compliance is much closer than you realize.
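To make the three bullets of 6.4.1 concrete, here is an added example (not part of the original post, and not an F5 product feature) of a small Python check that compares the script tags on a payment page against a script inventory: it flags scripts that are not in the inventory (authorization), scripts whose Subresource Integrity hash does not match the approved build (integrity), and inline scripts that have no inventory entry. The URLs, script bodies and justifications are constructed sample data.

```python
"""Added example (not from the original post): check a payment page's <script> tags
against a script inventory in the spirit of PCI DSS 4.0 Requirement 6.4.1 (each script
authorized, integrity assured, inventoried with justification). All sample data is constructed."""
import base64
import hashlib
from html.parser import HTMLParser

def sri_sha384(content: bytes) -> str:
    """Subresource Integrity (SRI) value for a script body: sha384, base64-encoded."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

# Constructed inventory: every script allowed on the payment page, the SRI hash of its
# approved build, and the written justification the requirement asks for.
APPROVED_CHECKOUT_JS = b"window.checkout = function () { /* approved build */ };"
INVENTORY = {
    "https://payments.example/checkout.js": {
        "integrity": sri_sha384(APPROVED_CHECKOUT_JS),
        "justification": "Tokenizes card data for the payment gateway",
    },
}

class ScriptCollector(HTMLParser):
    """Records (src, integrity) for external scripts and counts inline scripts."""
    def __init__(self):
        super().__init__()
        self.scripts, self.inline = [], 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))
        else:
            self.inline += 1  # inline code has no src/integrity to verify against

def check_payment_page(html: str, inventory=INVENTORY) -> list:
    """Return findings; an empty list means every script matches the inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        entry = inventory.get(src)
        if entry is None:                      # 6.4.1: script is not authorized
            findings.append(f"unauthorized script: {src}")
        elif integrity != entry["integrity"]:  # 6.4.1: integrity not assured
            findings.append(f"integrity missing or mismatched: {src}")
    if parser.inline:
        findings.append(f"{parser.inline} inline script(s) without an inventory entry")
    return findings
```

Run against the served payment page on a schedule, a non-empty findings list is the trigger for the remediation plan the paragraph above calls for; the inventory's justification field is the written record an auditor will ask to see.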
