Overview
Beginning April 1st, 2025, Payment Card Industry Data Security Standards (PCI DSS) version 4.0.x will take effect, including new requirements for hosted payment pages and forms to safeguard sensitive cardholder data.
Specifically, PCI DSS 4.0.x includes the follwing requirements:
6.4.3 - All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
11.6.1 - A change- and tamper-detection mechanism is deployed as follows:
- To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
- The mechanism is configured to evaluate the received HTTP headers and payment pages.
- The mechanism functions are performed as follows:
- At least weekly
OR
- Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
- At least weekly
It is the responsibility of the entity hosting the payment form to meet these requirements and to ensure the security of cardholder data entered in the web browser.
If you use a third-party service provider to host your e-commerce application, it is your responsibility to verify that the service provider is compliant with all applicable PCI DSS requirements. Contact your service provider to request their Attestation of Complaince (AOC).
The PCI Security Standards Council (PCI SSC) has published a new information supplement, Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1, to provide additional information on these requirements.
Click here for more information.
PCI DSS Requirements 6.4.3 and 11.6.1 – Applicability and Responsibility Matrix
The following table describes potential payment page scenarios and the corresponding party responsible for compliance with requirements 6.4.3 and 11.6.1.
| Payment Page Scenario | Merchant Responsibility | Third Party Service Provider (TPSP) Responsibility |
|---|---|---|
| Merchant posted payment | Any scripts on the merchant’s webpage(s). | Any scripts the TPSP includes for services they provide. |
| Direct post payment | Any scripts on the merchant’s webpage(s). | Any scripts the TPSP includes for services they provide. |
| Embedded payment forms (payment page(s)/form(s) contained in iframe, does not include the Hosted iFrame Tokenizer) | Any scripts on the merchant’s webpage(s). | Any scripts the TPSP includes for services they provide. |
| Embedded tokenizer forms (iframes, including the Hosted iFrame Tokenizer) | Any scripts on the merchant’s webpage(s) that includes tokenizer iframe (i.e., the script required to insert the iframe, but not the script(s) hosted by the iframe). Securely implement based on developer documentation. | Scripts within the iframe(s) provided by the TPSP (i.e., itoke.js). |
| Redirection mechanisms (including redirection to a Hosted Payment Form or other Hosted Payment Pages) | Any scripts on the merchant’s webpage(s) that includes the redirection mechanism (i.e., the non-payment page). Merchant is not responsible for script inventory on the TPSP payment page/form. | Any scripts the TPSP includes in the base template for services they provide and any scripts modified by the TPSP. TPSP is responsible for script inventory on the TPSP payment page/form. |
| Fully outsourced merchant website | Nothing related to Requirements 6.4.3 and 11.6.1. | Any scripts the TPSP includes for services they provide. |