New Information Supplement: Payment Page Security and Preventing E-Skimming

The PCI Security Standards Council (PCI SSC) has introduced a new information supplement: “Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1”. This document provides direction for merchants and service providers implementing controls to protect payment card data during e-commerce transactions.

This valuable guidance was produced through the collaborative efforts of industry experts across the payment security ecosystem. The E-Commerce Guidance Task Force responsible for developing this supplement included PCI SSC staff, payment brand representatives, members of the Board of Advisors/Technical Advisory Board, members of the Global Executive Assessor Roundtable (GEAR), and members of the Small Merchant Business (SMB) Task Force. This diverse group of stakeholders ensured that the guidance addresses the needs of organizations of all sizes while incorporating expertise from across the payment card industry.  

In recent years, data breaches during e-commerce transactions, commonly known as e-skimming attacks, have increased significantly. As e-commerce platforms have become more complex and businesses have grown more reliant on external scripts, these attacks have become more common. Scripts running in consumers’ browsers are now a significant target for attackers seeking to steal payment card data.

To combat these risks, PCI DSS v4.x includes Requirements 6.4.3 and 11.6.1, which aim to reduce the risk during e-commerce transactions. These requirements focus on ensuring that payment page scripts are properly authorized, checked for integrity, and monitored for tampering. Additionally, they address the need for careful management of both scripts and security-impacting HTTP headers to prevent unauthorized changes to webpages, whether in the server environment or as rendered in the consumer’s browser.  
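As an added illustration of the kind of check these two requirements describe (example code written for this post, not taken from the PCI SSC supplement), the script below compares a payment page's `<script>` tags against an authorized inventory of URLs with Subresource Integrity hashes and compares its security-impacting HTTP headers against a recorded baseline, reporting any deviation; the script URL, script body and header values are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class ScriptCollector(HTMLParser):
    """Collects every <script> tag on the page as (src, integrity) pairs."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def check_payment_page(html, headers, inventory, header_baseline):
    """Compare a rendered payment page with the authorized script inventory (Req. 6.4.3)
    and the expected security-impacting headers (Req. 11.6.1); return finding strings."""
    findings = []
    collector = ScriptCollector()
    collector.feed(html)
    for src, integrity in collector.scripts:
        if src is None:
            findings.append("inline script present: not verifiable by SRI, must be in inventory")
        elif src not in inventory:
            findings.append(f"unauthorized script: {src}")
        elif integrity is None:
            findings.append(f"missing integrity attribute: {src}")
        elif integrity != inventory[src]:
            findings.append(f"integrity mismatch: {src}")
    for name, expected in header_baseline.items():
        if headers.get(name) != expected:
            findings.append(f"header changed or missing: {name}")
    return findings


# Constructed sample: the authorized checkout script body, its SRI hash, and the expected CSP.
PAY_JS = b"window.pay = function (card) { /* tokenize and submit */ };"
INVENTORY = {"https://checkout.example/pay.js": sri_hash(PAY_JS)}
HEADER_BASELINE = {"Content-Security-Policy": "script-src 'self' https://checkout.example"}
```

Run against each fetch of the live payment page (and its response headers), a non-empty result is the change alert that Requirement 11.6.1 asks for.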

This guidance is intended for any entity that processes payment card transactions through e-commerce or with a webpage that can impact the security of e-commerce payments by using embedded iframes. The information supplement provides specific guidance for merchants and third-party service providers (TPSPs) working to meet PCI DSS Requirements 6.4.3 and 11.6.1.  

It is important to note that the Council does not enforce compliance or determine whether specific implementations are compliant. Entities should collaborate with the organizations managing their compliance programs, such as acquirers or payment brands, to understand any specific compliance validation and reporting responsibilities.

This information supplement provides supplemental guidance and does not add, extend, replace, or supersede requirements in any PCI SSC standard. While the current version of PCI DSS is v4.0.1 at the time of publication, the principles and practices outlined in this document may also apply to future versions.

The “Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1” information supplement is available now on the PCI SSC website in the Document Library. Organizations involved in e-commerce payments are encouraged to review this guidance as part of their security strategy.  
