Coffee with the Council Podcast: Guidance for PCI DSS E-commerce Requirements Effective After 31 March 2025

Welcome to our podcast series, Coffee with the Council. I’m Alicia Malone, Director of Communications and Public Relations for the PCI Security Standards Council. As many of our listeners are aware, we are quickly approaching the deadline to adopt the future-dated requirements of PCI DSS version 4.0.1 on March 31st, 2025. Over the course of the last year, the Council has received feedback that more guidance was needed to properly implement some of the e-commerce security requirements in the standard, particularly Requirements 6.4.3 and 11.6.1. As such, the Council has released several pieces of guidance this year, including updates to Self-Assessment Questionnaire A, an FAQ related to SAQ A eligibility criteria, and of course, the highly anticipated guidance developed by our E-commerce Guidance Task Force. Joining me today to walk through all this new guidance is Lauren Holloway, Director of Data Security Standards at PCI SSC. Welcome, Lauren.
Lauren Holloway: Thank you, Alicia. It’s great to be with you today and to help clarify all this new information that the Council has released recently for our industry.
Alicia Malone: So, let’s start by talking a little bit more about these future-dated requirements in PCI DSS version 4.0.1 and the deadline to adopt them. What are they and what do we need to know about this deadline?
Lauren Holloway: Well, there are 64 new requirements that were released in PCI DSS and 51 of them are future-dated. So, the future-dated requirements are effective, as Alicia said, on the 31st of March 2025. Requirements 6.4.3 and 11.6.1, that she mentioned, for e-commerce environments are part of these future-dated requirements. We received feedback that these requirements are challenging for many of our stakeholders, especially smaller merchants, to implement. So, we wanted to make sure we provided clarity and resources to assist them on their validation journey.
Now, the deadline to adopt these new requirements is a date that we’ve been talking about for three years. PCI DSS version 4.0 was introduced in 2022, and it became the only active version of the standard when PCI DSS version 3.2.1 was retired on the 31st of March 2024. The future-dated requirements have been in the standard since March of 2022 as “best practices” until the 31st of March 2025. After this 2025 date, these requirements are required, and they must be fully considered during a PCI DSS assessment.
Alicia Malone: So, Lauren, why were these two e-commerce requirements added to PCI DSS version 4?
Lauren Holloway: Well, in recent years, data breaches during e-commerce transactions, commonly known as e-skimming attacks, have increased significantly. As e-commerce platforms have become more complex and businesses have grown more reliant on external scripts in their e-commerce environments, these attacks have become more common. Scripts running in a consumer’s browser are now a significant target for attackers seeking to steal payment card data.
So, Requirements 6.4.3 and 11.6.1 were added to PCI DSS version 4.0 originally, and now version 4.0.1, to reduce the risk of e-skimming attacks during e-commerce transactions. These requirements focus on ensuring that payment page scripts are properly authorized, checked for integrity, and monitored for tampering, and to prevent unauthorized changes to web pages.
Alicia Malone: That’s great. The Council announced in November last year that it had formed an E-commerce Guidance Task Force, which brought together expertise from across the payment security ecosystem, including expertise from PCI SSC staff, payment brand representatives, members of the Board of Advisors and Technical Advisory Board, the Global Executive Assessor Roundtable, or GEAR, and the Small Merchant Business Task Force. What was the mission of this task force?
Lauren Holloway: Yeah, Alicia, the objective of that task force was to develop guidance focusing on PCI DSS Requirements 6.4.3 and 11.6.1. Specifically, they were tasked to produce a guidance document that provides clear and actionable guidance about how entities can meet these two requirements, guidance for how third-party service providers can help their customers to meet these requirements, and practical implementation strategies rather than a theoretical framework.
Now, this new guidance document was released last week. It’s got kind of a long name. It’s called “Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1”. This document is intended for any entity that processes payment card transactions through e-commerce via embedded iframes or with a web page that can impact security of e-commerce payments. The information supplement provides specific guidance for merchants and third-party service providers working to meet PCI DSS Requirements 6.4.3 and 11.6.1.
Alicia Malone: That sounds like that has been a great document in the works for some time now. So, in addition to producing this comprehensive guidance document, the Council also announced important modifications for merchants validating to Self-Assessment Questionnaire A, commonly referred to as SAQ A. What can you tell us about these changes?
Lauren Holloway: Well, before I go into that, it’s important to remember that SAQ A includes only the PCI DSS requirements that are applicable to merchants with account data functions completely outsourced to PCI DSS compliant third parties where the merchant is retaining only paper reports or receipts with account data. And SAQ A merchants are either e-commerce merchants or they may be mail order, telephone order merchants. Basically, they’re all card-not-present merchants. And these merchants don’t store, process, or transmit any account data in electronic form on their systems or premises. So, the changes we made to SAQ A recently were to remove these two PCI DSS Requirements 6.4.3 and 11.6.1 for payment page security. And we also removed Requirement 12.3.1 for a targeted risk analysis because this targeted risk analysis was only there to support Requirement 11.6.1.
We also added an eligibility criterion for merchants to confirm that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce systems. Now, regarding this new eligibility criterion, we received a lot of questions about it, and we recently produced an FAQ, that Alicia mentioned, to help clarify exactly what that eligibility criterion means and how a merchant can confirm that their website is not susceptible to script-based attacks that could compromise a merchant’s e-commerce systems. So, in the FAQ, we clarify that merchants can confirm this by using techniques such as, but not limited to, those that are spelled out in PCI DSS Requirements 6.4.3 and 11.6.1 to protect the merchant’s webpage from scripts targeting account data.
Now, these techniques may be deployed by the merchant, or they could be deployed by a third party. Alternatively, the merchant can obtain confirmation from the merchant’s PCI DSS compliant third-party service provider, or payment processor, that is providing the embedded iframe. And this confirmation would be that, when implemented according to the third party’s instructions, the third party’s solution includes techniques that protect the merchant’s payment page from script attacks. We also clarified that a provider of third-party scripts is not considered a third-party service provider, or TPSP, for purposes of SAQ A if the provider’s only service is providing scripts that are not related to payment processing and where those scripts cannot impact the security of payment account data. Now, it’s important to note that these requirements were only removed from SAQ A, and they are still in the standard.
Alicia Malone: That is a good distinction to make. And this is all so much great information. What other guidance might be helpful when it comes to PCI DSS assessments?
Lauren Holloway: Well, as we all know, artificial intelligence is a hot topic right now, and we’ve been hard at work to produce some new guidance when it comes to integrating artificial intelligence into PCI assessments. In fact, this guidance is hot off the press and has just recently been published. These guidelines address best practices for assessors and include key coverage areas such as informing clients of AI involvement, obtaining the client’s consent, and providing assurances about the security of client data and the accuracy of assessment results.
Another key coverage area is using AI in reviewing artifacts, creating work papers, conducting remote interviews, and generating final assessment reports. The guidance also covers the importance of data handling protocols, AI system validation, ethical use, and regular updates to ensure the security and accuracy of outputs.
An important part to remember in this guidance is that AI is a tool, not an assessor. Human assessors remain responsible for all findings and final decisions, ensuring that AI’s role is to enhance expertise rather than replace it.
Alicia Malone: This is so exciting to have this new AI guidance. I’m sure these new guidelines will be a really helpful resource for assessors navigating the new world of AI. So, Lauren, where can our listeners find all of this new guidance?
Lauren Holloway: So, all of this guidance, including the AI guidance, SAQ A, the new FAQ, and the new guidance about implementing the e-commerce security requirements, can be found on the Council’s website. Our Document Library houses most of this, but you’ll also want to check out the FAQ page on our website. The new FAQ is number 1588. I would recommend subscribing to the Council’s PCI Perspectives blog to receive the latest information directly to your inbox as soon as it’s released.
Alicia Malone: That’s great. Well, thank you so much for joining us on Coffee with the Council, Lauren. It’s so insightful to learn more about all of this new guidance, and I’m sure our merchants and assessor companies will find this information to be very helpful.
Lauren Holloway: My pleasure, Alicia. Happy to be here today. I hope all these clarifications and new guidance are helpful.