Beginning April 1st, 2025, Payment Card Industry Data Security Standards (PCI DSS) version 4.0.x will take effect, including new requirements for hosted payment pages and forms to safeguard sensitive cardholder data.
Specifically, PCI DSS 4.0.x includes the following requirements:
6.4.3 - All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
11.6.1 - A change- and tamper-detection mechanism is deployed as follows:
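As an added illustration of what these two requirements ask for in practice (this is example code written for this page, not CardPointe, CardSecure or PCI SSC code): requirement 6.4.3 calls for an inventory of every script on the payment page, with authorization and integrity assurance for each; requirement 11.6.1 calls for detecting unauthorized changes to the HTTP headers and content the browser receives. The script below takes a constructed baseline capture of a payment page (HTML plus response headers), builds the script inventory, and reports drift against a later capture. All hostnames, file names, header values and the `sha384-...` digest are constructed placeholders.

```python
"""Script inventory (PCI DSS 6.4.3) and change/tamper detection (11.6.1) over a page capture.

Added example for illustration; not vendor or PCI SSC code. All page content, headers,
hostnames and digests below are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser

# Response headers whose removal or change should raise an alert (constructed, illustrative list).
MONITORED_HEADERS = ("content-security-policy", "x-frame-options", "strict-transport-security")


class _ScriptCollector(HTMLParser):
    """Collect every <script> element: external src plus integrity attribute, or inline body hash."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # one dict per script element, in document order
        self._inline = None    # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            # Missing integrity attribute is normalized to "" so entries stay comparable.
            self.scripts.append({"kind": "external", "src": a["src"], "integrity": a.get("integrity") or ""})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self.scripts.append({"kind": "inline", "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest()})
            self._inline = None


def inventory(html):
    """6.4.3: return the list of script elements found on the page (the inventory to be authorized)."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def page_fingerprint(html, headers):
    """Canonical view of a capture: the set of scripts plus the monitored headers (lower-cased)."""
    scripts = set()
    for s in inventory(html):
        if s["kind"] == "external":
            scripts.add(("external", s["src"], s["integrity"]))
        else:
            scripts.add(("inline", s["sha256"]))
    hdrs = {k.lower(): v for k, v in headers.items() if k.lower() in MONITORED_HEADERS}
    return {"scripts": scripts, "headers": hdrs}


def detect_changes(baseline, current):
    """11.6.1: compare a new capture with the approved baseline; an empty list means no drift."""
    findings = []
    for s in sorted(current["scripts"] - baseline["scripts"]):
        findings.append(f"unauthorised script added: {s}")
    for s in sorted(baseline["scripts"] - current["scripts"]):
        findings.append(f"authorised script missing: {s}")
    for s in current["scripts"]:
        if s[0] == "external" and not s[2]:
            findings.append(f"external script without integrity attribute: {s[1]}")
    for h in MONITORED_HEADERS:
        if baseline["headers"].get(h) != current["headers"].get(h):
            findings.append(f"header changed: {h}: {baseline['headers'].get(h)!r} -> {current['headers'].get(h)!r}")
    return findings


# Constructed sample: the approved payment page as captured when the baseline was taken.
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.test/tokenizer-embed.js" integrity="sha384-PLACEHOLDERDIGEST"></script>
<script>window.PAYMENT_CONFIG = {site: "demo"};</script>
</head><body><iframe id="tokenizer" src="https://tokenizer.example.test/embed.html"></iframe></body></html>"""
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.test",
                    "X-Frame-Options": "DENY"}

# Constructed sample: the same page after an unauthorised modification (extra script, CSP header dropped).
TAMPERED_HTML = BASELINE_HTML.replace("</body>", '<script src="https://stats.example.test/a.js"></script></body>')
TAMPERED_HEADERS = {"X-Frame-Options": "DENY"}


def run_demo():
    """Return the findings produced by comparing the tampered capture against the baseline."""
    base = page_fingerprint(BASELINE_HTML, BASELINE_HEADERS)
    cur = page_fingerprint(TAMPERED_HTML, TAMPERED_HEADERS)
    return detect_changes(base, cur)


if __name__ == "__main__":
    for finding in run_demo():
        print("ALERT:", finding)
```

On the constructed tampered capture this reports three findings: the added external script, that script's missing `integrity` attribute, and the dropped Content-Security-Policy header. Real deployments would take the baseline from an approved change ticket, run the comparison on a schedule from outside the hosting environment, and route findings to whoever owns the payment page.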
It is the responsibility of the entity hosting the payment form to meet these requirements and to ensure the security of cardholder data entered in the web browser.
If you use a third-party service provider to host your e-commerce application, it is your responsibility to verify that the service provider is compliant with all applicable PCI DSS requirements. Contact your service provider to request their Attestation of Compliance (AOC).
The PCI Security Standards Council (PCI SSC) has published a new information supplement, Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1, to provide additional information on these requirements.
The following table describes potential payment page scenarios and the corresponding party responsible for compliance with requirements 6.4.3 and 11.6.1.
Payment Page Scenario | Merchant Responsibility | Third Party Service Provider (TPSP) Responsibility |
---|---|---|
Merchant posted payment | Any scripts on the merchant’s webpage(s). | Any scripts the TPSP includes for services they provide. |
Direct post payment | Any scripts on the merchant’s webpage(s). | Any scripts the TPSP includes for services they provide. |
Embedded payment forms (payment page(s)/form(s) contained in iframe, does not include the Hosted iFrame Tokenizer) | Any scripts on the merchant’s webpage(s). | Any scripts the TPSP includes for services they provide. |
Embedded tokenizer forms (iframes, including the Hosted iFrame Tokenizer) | Any scripts on the merchant’s webpage(s) that include the tokenizer iframe (i.e., the script required to insert the iframe, but not the script(s) hosted by the iframe). Securely implement based on developer documentation. | Scripts within the iframe(s) provided by the TPSP (i.e., itoke.js). |
Redirection mechanisms (including redirection to a Hosted Payment Form or other Hosted Payment Pages) | Any scripts on the merchant’s webpage(s) that include the redirection mechanism (i.e., the non-payment page). Merchant is not responsible for script inventory on the TPSP payment page/form. | Any scripts the TPSP includes in the base template for services they provide and any scripts modified by the TPSP. TPSP is responsible for script inventory on the TPSP payment page/form. |
Fully outsourced merchant website | Nothing related to Requirements 6.4.3 and 11.6.1. | Any scripts the TPSP includes for services they provide. |
You should review and understand the Payment Card Industry (PCI) Data Security Standards (DSS) version 4.0.x. Specifically, PCI DSS Requirements 6.4.3 and 11.6.1, added in version 4.0.x, may require updates to your application or hosted payment page/form.
Detailed information can be found in the PCI DSS document library.
The PCI Council aims to prevent e-skimming attacks.
These new requirements are intended to strengthen the security of hosted payment pages/forms and to protect sensitive cardholder data (CHD) when entered on a hosted payment page/form.
These requirements apply to any and all entities hosting a public-facing, online checkout page/form on which a cardholder is prompted to enter sensitive cardholder data (CHD).
Yes. When properly implemented, the Hosted iFrame Tokenizer still reduces your PCI validation scope; however, you must satisfy these new requirements to be considered PCI compliant.
Implementing the Hosted iFrame Tokenizer ensures that sensitive cardholder data (CHD) such as the Primary Account Number (PAN) and Cardholder Verification Value (CVV) is never visible or stored by the entity hosting the payment page/form. This data remains within the cardholder's web browser, handled by the Hosted iFrame Tokenizer, and sent to CardSecure, which generates and returns a non-sensitive token.
For questions regarding your PCI compliance, consult with a PCI-certified Qualified Security Assessor (QSA).
The service provider is responsible for meeting all PCI DSS requirements for the website. However, it is the merchant's responsibility to ensure that any and all service providers can provide proof of compliance for their specific solutions.
Attestations of Compliance (AOC) and/or evidence of compliance should be validated either by a qualified individual within the merchant organization or by engaging the services of a PCI-certified Qualified Security Assessor (QSA).