What is PCI DSS v4.0 for e-commerce businesses?

If you process payment card data to any degree, you need to be PCI compliant. IT Governance explains, “All merchants and service providers that process, transmit or store cardholder data must comply with the PCI DSS. […] PCI DSS applies to merchants even if they have subcontracted their payment card processing to a third party.” So, even if you use Stripe or another payment processor, you’re still on the hook for PCI DSS. And it just got tougher. PCI DSS v4.0 is now in full effect and most e-commerce merchants will struggle with requirements added to their self-assessment across points 1, 6, 7 and 8 below. Are you affected? Read on.

What is PCI DSS?

The old standard was fairly intuitive. It covered things like avoiding default settings, unpatched servers and shared passwords. PCI compliance is a standard, not a law, but if a business suffers a breach of cardholder data, not being PCI compliant can mean the merchant is found at fault, with penalties in the form of fines and legal fees under a range of legislation such as the GDPR. That’s not to mention the brand damage a breach causes. PCI standards are there for a reason: they protect cardholder data, and public perception is not kind to brands that neglect their duty of care. And while cyber insurance companies will still cover you if you’re not PCI compliant, Infosec explains, “because most insurance carriers that offer this type of insurance are global, it is advisable to implement universally recognized IT security best practices.” So the expectation from insurers, regulatory bodies and customers alike is that all merchants will meet PCI DSS.

What’s new in PCI DSS v4.0?

PCI DSS v4.0 landed on the 31st of March 2022. It was optional for 2 years, but it’s now mandatory. PCI compliance is often based on Self-Assessment Questionnaires (SAQs), and the type of payment integration dictates which SAQ you use. SAQ-A is the simplest to pass and applies to fully outsourced payment processing (Stripe, PayPal and the like), and it’s what most of our clients use. However, the SAQ-A in PCI DSS v4.0 now contains the following requirements relating to the web server that hosts the redirect to, or the iframe of, the payment processor’s page.

  1. Payment page scripts are authorised, integrity checked and inventoried.
  2. Server passwords are initially set (or reset) to unique values and forced to change on first use.
  3. Server password parameters are configured to require a minimum of twelve characters with both letters and numbers.
  4. Server passwords cannot be the same as any of the last four used.
  5. If multi-factor authentication (MFA) is not used, then passwords are changed every 90 days.
  6. Quarterly external vulnerability scans from an Approved Scanning Vendor with re-scans as required until passed.
  7. External vulnerability scans after any significant change, with re-scans until no vulnerabilities with a CVSS score of 4.0 or above remain.
  8. For iframes hosting the payment service provider’s payment page, a change and tamper detection mechanism must run at least every 7 days.
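As an added illustration of requirements 1 and 8 (example code written for this page, not a tool from the original post), the Python below takes a snapshot of every script on a checkout page, identifying external scripts by URL plus their Subresource Integrity value and inline scripts by a hash of their content, and diffs that snapshot against an approved inventory. The domains, integrity values and sample page are constructed placeholders; in practice the page would be fetched from the live site on the 7-day (or shorter) schedule and the inventory would also record each script’s business justification.

```python
import base64
import hashlib
from html.parser import HTMLParser

def inline_identity(body):  # an inline script's identity is the SRI-style hash of its content
    return "inline:sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None  # scripts: list of (identity, integrity attr)
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = [dict(attrs), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data  # script bodies may arrive in chunks
    def handle_endtag(self, tag):
        if tag != "script" or self._cur is None:
            return
        attrs, body = self._cur
        self._cur = None
        if attrs.get("src"):  # external script: its URL is its identity
            self.scripts.append((attrs["src"], attrs.get("integrity")))
        else:  # inline script: its content hash is its identity, so no SRI attribute applies
            self.scripts.append((inline_identity(body), None))

def audit_payment_page(html, inventory):
    """Diff the page's scripts against the approved inventory
    (identity -> expected SRI value, or None for inline entries)."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings, seen = {"unauthorised": [], "integrity_mismatch": []}, set()
    for ident, integrity in collector.scripts:
        seen.add(ident)
        if ident not in inventory:
            findings["unauthorised"].append(ident)  # new or changed script
        elif inventory[ident] is not None and integrity != inventory[ident]:
            findings["integrity_mismatch"].append(ident)  # SRI attribute missing or altered
    findings["missing"] = sorted(set(inventory) - seen)  # approved script removed
    return findings

# Constructed sample checkout page and its approved baseline; all values are placeholders.
SAMPLE_PAGE = """<script src="https://js.psp.example/v3" integrity="sha384-PLACEHOLDER"></script>
<script>window.pspKey = "pk_test_placeholder";</script>
<script src="https://cdn.analytics.example/tag.js"></script>"""
BASELINE = {"https://js.psp.example/v3": "sha384-PLACEHOLDER",  # expected SRI value
            inline_identity('window.pspKey = "pk_test_placeholder";'): None}
```

Running `audit_payment_page(SAMPLE_PAGE, BASELINE)` flags the analytics tag as unauthorised; dropping the integrity attribute or editing the inline script produces a mismatch or a missing/unauthorised pair respectively.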

While you might be able to make changes internally to meet these requirements, numbers 1, 6, 7 and 8 are the most challenging. We recommend you get in touch today so we can support you.

Set yourself up for success and make sure you’re not already in breach of PCI compliance standards. Talk to us about PCI DSS v4.0 today.