With the deadline for PCI DSS 4.0.1 compliance updates approaching in March 2025, including significant changes to web page security for payment data and to multi-factor authentication (MFA) requirements, many businesses that handle payment data are scheduling their annual audits under the current 4.0 framework to give themselves more time to meet the new requirements.
Our PCI DSS consultants have identified that, in particular, web-based payment pages are becoming a significant pain point for compliance with the changes, as they introduce complex security challenges and nuanced control requirements.
Here’s what you need to know about the critical updates and how to prepare.
Key updates in PCI DSS 4.0.1
Requirement 6
This section now asks companies to track and maintain a list of web scripts, including justifications for their use, which should help to prevent the use of any unauthorised code on payment pages.
Previously this requirement applied only to high-security patches and updates; it has now been refocused on critical vulnerabilities. For web-based payment pages, that means any JavaScript loaded on the page, especially given the recent increase in JavaScript-based skimming attacks.
Requirement 8
Clearer guidelines have been added around MFA because some organisations struggled to interpret these requirements in version 4.0.
PCI DSS now specifies that MFA isn’t required for non-administrative accounts accessing the cardholder data environment (CDE) if the authentication method is phishing-resistant, such as through a trusted authentication app.
Requirement 12
Enhanced clarity is provided around which security tasks the organisation is responsible for and which fall to third-party service providers when it comes to payment processing. This is crucial for businesses that use third-party services to handle secure payments without directly managing the cardholder data environment.
Why there’s a focus on payment pages
Knowing the difference between the Parent Page and the Payment Page is crucial for PCI DSS compliance. The Parent Page is the main webpage (such as a checkout page) that displays a payment form but does not itself capture the payment information. That information is collected by the Payment Page, which is embedded in the Parent Page as an iframe and is often provided by a third-party payment service provider (PSP). This separates the merchant from directly handling cardholder data, which complicates compliance responsibilities.
As technology evolves, so do the attack methods. Attackers are more frequently targeting Parent Pages with JavaScript-based skimming. By exploiting vulnerabilities in the Parent Page, attackers can overlay malicious forms or redirect customers to fake payment pages. These forms look legitimate, but they steal sensitive data before routing customers back to the genuine Payment Page.
How to prepare for the 2025 changes
To be ready for the changes and maintain compliance, we recommend the following steps:
Assess JavaScript on Payment Pages and Parent Pages
Inventory and evaluate JavaScript across both Parent Pages and Payment Pages. Ensure compliance with 6.4.3 for script justifications and assess any risks associated with third-party scripts. Regular scans and penetration testing of Parent Pages are vital to identify and mitigate risks before attackers can exploit them and ensure that your payment portal is secure.
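As an added example (not code from PGI, the PCI SSC, or any PSP), the following Python script shows one way to turn the script-inventory expectation in Requirement 6.4.3 and the Parent Page checks above into a repeatable test you can run against a saved copy of your checkout page. It parses the page, compares every script against an authorised inventory that records a justification and (for static scripts) an expected Subresource Integrity hash, checks that the Payment Page iframe points only at your PSP, and flags card-data input fields that should never exist on the Parent Page. The inventory entries, the `.test` hostnames, the SRI value and both sample pages are constructed for illustration.

```python
"""Inventory check for a payment Parent Page: scripts, PSP iframe, card fields.

Constructed example; adapt AUTHORISED_SCRIPTS and AUTHORISED_IFRAME_HOSTS to
your own inventory. Run against a saved copy of the live checkout page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder SRI value; a real entry holds the base64 digest of the script file.
EXAMPLE_SRI = "sha384-EXAMPLEHASHnotARealDigest"

# Authorised script inventory (constructed): source, business justification and,
# where the script is static, the expected integrity hash. None means the file
# changes per release and is covered by change control instead of SRI.
AUTHORISED_SCRIPTS = {
    "https://cdn.example-psp.test/checkout.js": {
        "justification": "PSP checkout library that renders the payment iframe",
        "integrity": EXAMPLE_SRI,
    },
    "https://www.example-merchant.test/static/cart.js": {
        "justification": "First-party cart and order-summary logic",
        "integrity": None,
    },
}

# Hosts permitted to serve the embedded Payment Page iframe (constructed).
AUTHORISED_IFRAME_HOSTS = {"pay.example-psp.test"}

# Input names that suggest card data is being collected on the Parent Page.
CARD_FIELD_HINTS = ("card", "pan", "cvv", "cvc", "expiry")


class PageInventory(HTMLParser):
    """Collects script, iframe and suspicious input elements from a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # dicts with 'src' (None for inline) and 'integrity'
        self.iframes = []      # iframe src attributes
        self.card_inputs = []  # input names that look like card-data fields

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_FIELD_HINTS):
                self.card_inputs.append(name)


def audit_page(html: str) -> list:
    """Return a list of findings; an empty list means the page matches the inventory."""
    page = PageInventory()
    page.feed(html)
    findings = []
    for script in page.scripts:
        src = script["src"]
        if src is None:
            findings.append("inline script present: must be inventoried and justified")
            continue
        entry = AUTHORISED_SCRIPTS.get(src)
        if entry is None:
            findings.append(f"unauthorised script: {src}")
            continue
        expected = entry["integrity"]
        if expected and script["integrity"] != expected:
            findings.append(f"integrity mismatch or missing SRI for {src}")
    for src in page.iframes:
        host = urlparse(src).hostname or ""
        if host not in AUTHORISED_IFRAME_HOSTS:
            findings.append(f"iframe points outside authorised PSP hosts: {src}")
    for name in page.card_inputs:
        findings.append(f"card-data field on Parent Page (belongs in PSP iframe): {name}")
    return findings


# Constructed sample pages. CLEAN_PAGE matches the inventory; TAMPERED_PAGE shows
# the pattern described in the article: an injected script, an overlay form that
# collects card data on the Parent Page, and an iframe pointed at a look-alike host.
CLEAN_PAGE = f"""
<html><body>
<script src="https://cdn.example-psp.test/checkout.js" integrity="{EXAMPLE_SRI}"></script>
<script src="https://www.example-merchant.test/static/cart.js"></script>
<input name="email"><input name="promo">
<iframe src="https://pay.example-psp.test/frame?order=123"></iframe>
</body></html>"""

TAMPERED_PAGE = f"""
<html><body>
<script src="https://cdn.example-psp.test/checkout.js" integrity="{EXAMPLE_SRI}"></script>
<script src="https://www.example-merchant.test/static/cart.js"></script>
<script src="https://static.evil-cdn.test/analytics.js"></script>
<script>window.__overlay = 1;</script>
<div class="overlay"><form><input name="cardNumber"><input name="cvv"></form></div>
<iframe src="https://pay.example-psp.test.evil-cdn.test/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for label, html in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, audit_page(html) or "no findings")
```

Run this on a scheduled basis against the live Parent Page and treat any non-empty result as a change that needs review; keeping the inventory in a file under change control gives you the justification record the assessor will ask for.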
Strengthen MFA Across Environments
Review MFA controls, especially for access to the cardholder data environment, and verify that all non-administrative users are properly segmented and authenticated.
Engage with Third-Party Providers
Coordinate with PSPs to confirm iframe implementations meet PCI DSS requirements and validate that the embedded Payment Page protects customers' cardholder data effectively.
The March 2025 updates to PCI DSS 4.0.1 highlight the need for comprehensive security strategies in payment data handling. By acting now, you can ensure smooth audits and protect your customers' data against emerging threats, particularly on the critical front of web-based payment pages.
How PGI can help you achieve PCI DSS compliance
We know that the process to achieve PCI DSS compliance can be daunting, but we’re here to support and simplify the journey. With a comprehensive suite of services and a team of highly experienced consultants, we’re your one-stop shop to help you achieve and maintain compliance.
Our services include:
- PCI assessments: Comprehensive assessments tailored to your business needs, identifying gaps and outlining actionable steps for compliance.
- ASV scanning: To maintain compliance, a successful ASV scan must be conducted every quarter and after any significant changes to your network. We can provide you with this service scheduled in line with your timelines.
- Business-as-Usual (BAU) programs: We can support you with practical solutions to help integrate PCI DSS compliance into your daily operations and maintain compliance.
- Compliance reporting: We can help you achieve compliance either through a Self-Assessment Questionnaire or guiding you through the more comprehensive Report on Compliance (ROC) process.
- Penetration testing: We can conduct internal, external, and segmentation penetration testing in line with compliance requirements.
At PGI, we empower organisations to move proactively through the digital space with tailored guidance from our team of experts. Get in touch with us today to discover how we can help you achieve and maintain PCI DSS compliance.