New Guidance Coming for E-commerce Security Requirements in PCI DSS v4.x


The PCI Security Standards Council (PCI SSC) is developing guidance to help stakeholders understand and implement the new e-commerce security requirements included in PCI Data Security Standard (PCI DSS) v4.x. Stakeholders have indicated that these requirements are complex for many entities to implement (including merchants validating to Self-Assessment Questionnaire (SAQ) A). To that end, the Council has engaged with industry experts to establish an E-commerce Guidance Task Force with the sole objective of developing guidance focusing on PCI DSS v4.x Requirements 6.4.3 and 11.6.1.

The upcoming guidance document will provide: 

  • Clear and actionable guidance about how entities can meet these two requirements.  
  • Guidance for how third-party service providers can assist their customers in meeting these requirements.  
  • Practical implementation strategies rather than a theoretical framework. 

The new E-commerce Guidance Task Force brings together expertise from across the payment security ecosystem including PCI SSC staff, payment brand representatives, and members of the Board of Advisors/Technical Advisory Board, Global Executive Assessor Roundtable (GEAR), and Small Merchant Business (SMB) Task Force.  

Merchants and service providers should continue familiarizing themselves with Requirements 6.4.3 and 11.6.1 while awaiting this additional guidance, as these controls are fundamental to addressing recent e-commerce breaches and securing e-commerce environments. Requirements 6.4.3 and 11.6.1 are part of the 64 future-dated requirements of PCI DSS v4.x, which are effective as of 31 March 2025. The new guidance document for stakeholders on how to meet these PCI DSS v4.x e-commerce requirements is expected in early 2025. 
