Article written by Carrie Daly and Simone le Roux (Peach Payments)
As online criminals and fraudsters get better and better at what they do, it’s vital that our security can keep up. This is why the Payment Card Industry (PCI) Security Standards Council introduced PCI DSS v4.0, which enforces stricter security measures for the entire website. The deadline for full compliance with PCI DSS v4.0 is March 2025, when the future-dated requirements become mandatory. This can seem overwhelming, but don’t worry: here’s what that means and how to implement it.
The risk
Imagine your house has a safe where you store your most valuable possessions. Now, picture leaving one door to your house open. Even though the safe is locked, your valuables remain at risk because that open door compromises your home’s overall security. With a website, it’s important to secure not just your payment form (the safe) but also the entire parent page that hosts it (the house).
This is where e-skimming attacks come into play. Even if your card capture form is secure, a vulnerability on your website can allow attackers to intercept sensitive data before it reaches your secure payment form.
From securing the room to securing the entire house
In the past, merchants relied on iframes to collect card data, which isolated the secure payment form from the rest of the website. As long as the payment form (or “the room with the safe”) was secure, vulnerabilities elsewhere on the site were less of a concern. But with the rise of sophisticated attacks like e-skimming — where malicious code is injected into the website, not the payment form — this approach is no longer sufficient.
To combat these modern threats, the Payment Card Industry (PCI) Security Standards Council introduced PCI DSS v4.0, which enforces stricter security measures for the entire website (more specifically the “parent page” hosting the card capture widget), not just the card capture widget.
With these new standards, protecting your entire site is mandatory to prevent attacks like e-skimming and to ensure secure payment processing.
What’s New in PCI DSS v4.0?
The future-dated requirements
Requirement 6.4.3: Merchants must maintain a list of all scripts running on payment pages, with processes to detect and address unauthorized changes. This combats e-skimming by ensuring no rogue scripts sneak into the payment page.
Requirement 11.6.1: Regular testing for unauthorized scripts on these pages is mandatory to prevent digital theft of sensitive payment data.
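As an added example (not code from the article or from Peach Payments), the following Python script shows one way to implement the core of Requirements 6.4.3 and 11.6.1 together: keep an authorized inventory of the scripts on the payment page (external scripts by URL, inline scripts by SHA-256 of their body) and flag anything on a fetched copy of the page that is not on that list. The page HTML, hostnames and inventory below are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample payment page; hostnames are placeholders, not real sites.
PAGE = """<html><head>
<script src="https://cdn.example-psp.test/checkout.js"></script>
<script>window.checkoutConfig = {merchant: "demo"};</script>
</head><body>
<script src="https://static.example-merchant.test/analytics.js"></script>
<script src="https://unknown-cdn.test/loader.js"></script>
<script>document.title = "changed";</script>
</body></html>"""

def sha256_hex(text):
    # Digest of an inline script body, ignoring surrounding whitespace.
    return hashlib.sha256(text.strip().encode()).hexdigest()

class ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src, inline ones by body hash."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # buffer while inside an inline <script>
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("external", src))
            else:
                self._inline = ""
    def handle_data(self, data):
        if self._inline is not None:
            self._inline += data
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(("inline", sha256_hex(self._inline)))
            self._inline = None

# The merchant's authorized script inventory for this page (constructed).
INVENTORY = {
    ("external", "https://cdn.example-psp.test/checkout.js"),
    ("external", "https://static.example-merchant.test/analytics.js"),
    ("inline", sha256_hex('window.checkoutConfig = {merchant: "demo"};')),
}

def find_unauthorized(html, inventory):
    """Return scripts present on the page but absent from the inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    return [s for s in parser.scripts if s not in inventory]
```

Running `find_unauthorized(PAGE, INVENTORY)` on a copy of the page fetched on a schedule covers the periodic-check part of 11.6.1; a real deployment would also hash the fetched contents of each external URL, since an authorized URL can start serving changed code.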
How to Prepare for PCI DSS v4.0
Know Your SAQ Forms
First things first—compliance starts with understanding which Self-Assessment Questionnaire (SAQ) applies to your payment setup. The form you fill out depends on how you process payments:
● SAQ A-EP Form: For merchants who receive card data directly on their website and pass it to a third party through server-to-server integration.
● SAQ A Form: For merchants using a hosted or embedded checkout (like a redirect or iFrame).
Secure your web environment
Running an eCommerce site means hackers are always knocking at your door. So, how do you keep them out? Start with the basics:
● Implement a web application firewall and follow secure coding practices.
● Perform regular vulnerability scans and apply security patches to your website.
Keep software updated
You know that annoying little pop-up reminding you to update your software? Yeah, it’s not just a nuisance—it’s a lifeline. Ensure that your eCommerce platform and CMS are always up-to-date, and don’t neglect those plugins and themes: They’re often the weakest link in your security chain.
Monitor for vulnerabilities
The bad guys are getting smarter, which means you need to stay two steps ahead. It’s not enough to just check in periodically—you need to know about issues or vulnerabilities the moment they arise.
● Use automated scanning tools to regularly check for weaknesses on your website.
● Act quickly to patch any vulnerabilities that could expose sensitive payment data.
Review your third-party providers
Your payment security isn’t just about what’s happening on your website. If your third-party partners aren’t PCI DSS compliant, their vulnerabilities can become your vulnerabilities. Do your homework, and confirm that they’re meeting the standards, too.
Peach Payments is a proud Partner of the NSBC