Original Post: PCI DSS 4.0.1: New Clarifications on Client-Side Security – What You Need to Know
The blog post from Imperva discusses the clarifications introduced in PCI DSS 4.0.1, focusing on payment pages, forms, and script responsibilities. Key updates include:
- Scope Clarifications: PCI DSS 4.0.1 makes explicit that merchants must still meet the client-side security requirements when they use a third-party payment service provider (PSP) by embedding the PSP's payment page in an iframe or redirecting to it. Three new applicability notes address how the client-side requirements apply in these setups.
- Updated Requirement 6.4.3: The update specifies that merchants are responsible for the scripts on their own web pages (including the parent page that embeds a PSP iframe), not for scripts running inside an iframe managed by the PSP. Guidance has been added for scripts that cannot be authorized in advance, emphasizing real-time monitoring and mitigation.
- Requirement 11.6.1: The clarifications focus change- and tamper-detection on security-impacting HTTP headers and on script contents, to reduce noise and concentrate on events that matter. This helps in detecting unauthorized changes that affect the security of cardholder data.
- Good Practice Recommendations: Both requirements 6.4.3 and 11.6.1 include recommendations for validating and restricting script sources and for using Content Security Policy (CSP) headers to strengthen client-side security.
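To make the three checks concrete, here is an added example written for this summary; it is not code from Imperva, the PCI SSC, or the original post. Over a constructed checkout page (every hostname, path and header value is made up) it builds the merchant's script inventory and compares it with a documented authorization list (6.4.3), verifies each script and the PSP iframe against the page's CSP allowlist, and diffs security-impacting headers and the script set against a stored baseline (11.6.1). The PSP's own scripts run inside the framed document, which the merchant page never sees, so only the iframe's origin is recorded. The CSP matcher handles exact origins, `'self'`, scheme sources and `sha256-` hashes only; wildcard hosts and nonces are deliberately left out.

```python
"""Payment-page script inventory, CSP allowlist and baseline tamper check.

Added example for this summary (not Imperva's or the PCI SSC's code); all
hosts, paths and header values are constructed sample data.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.merchant.example"
INLINE_BODY = "window.cartTotal = 4999;"  # inline script authorized by hash
INLINE_DIGEST = hashlib.sha256(INLINE_BODY.encode()).digest()
INLINE_ID = "sha256:" + INLINE_DIGEST.hex()

# Constructed checkout page: two authorized scripts, one authorized inline
# script, one injected skimmer, and the PSP-hosted form in an iframe.
SAMPLE_PAGE_HTML = f"""<html><head>
<script src="https://www.merchant.example/static/checkout.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script>{INLINE_BODY}</script>
<script src="https://evil-cdn.example/skim.js"></script>
</head><body>
<iframe src="https://pay.psp.example/form?merchant=123"></iframe>
</body></html>"""

SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.analytics.example "
        f"'sha256-{base64.b64encode(INLINE_DIGEST).decode()}'; "
        "frame-src https://pay.psp.example"
    ),
    "X-Frame-Options": "DENY",
}

# 6.4.3 inventory: script identifier -> written business justification.
AUTHORIZED_SCRIPTS = {
    "https://www.merchant.example/static/checkout.js": "first-party checkout logic",
    "https://cdn.analytics.example/tag.js": "approved analytics vendor tag",
    INLINE_ID: "cart total handed to checkout.js",
}

# 11.6.1 baseline: approved headers and script set to compare against.
BASELINE = {"headers": dict(SAMPLE_HEADERS), "scripts": set(AUTHORIZED_SCRIPTS)}


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


class ScriptInventory(HTMLParser):
    """Collects script identifiers (src URL or sha256 of inline body) and iframe origins."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self._inline = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "script":
            self._inline = []  # start buffering an inline body
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(origin_of(a["src"]))  # PSP frame: its scripts are out of merchant scope

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).encode()
            self.scripts.append("sha256:" + hashlib.sha256(body).hexdigest())
            self._inline = None


def parse_csp(header):
    """'script-src a b; frame-src c' -> {'script-src': ['a', 'b'], 'frame-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_allowed_by_csp(script_id, policy, page_origin):
    """Exact origin, 'self', scheme source and sha256 hash matching only."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_id.startswith("sha256:"):
        b64 = base64.b64encode(bytes.fromhex(script_id[7:])).decode()
        return "'unsafe-inline'" in sources or f"'sha256-{b64}'" in sources
    origin = origin_of(script_id)
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources or f"{urlsplit(script_id).scheme}:" in sources


def check_payment_page(html, headers, page_origin=PAGE_ORIGIN,
                       authorized=AUTHORIZED_SCRIPTS, baseline=BASELINE):
    """Returns a sorted list of (requirement, detail) findings; empty means clean."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    policy = parse_csp(headers.get("Content-Security-Policy", ""))
    for sid in inv.scripts:
        if sid not in authorized:  # 6.4.3: no documented authorization on file
            findings.append(("6.4.3", f"unauthorized script {sid}"))
        if not script_allowed_by_csp(sid, policy, page_origin):
            findings.append(("csp", f"script-src does not permit {sid}"))
    frames = policy.get("frame-src", policy.get("child-src", policy.get("default-src", [])))
    for origin in inv.iframes:
        if origin not in frames:
            findings.append(("csp", f"frame-src does not permit {origin}"))
    for name, value in baseline["headers"].items():  # 11.6.1: header tampering
        if headers.get(name) != value:
            findings.append(("11.6.1", f"header {name} changed or missing"))
    for sid in sorted(set(inv.scripts) ^ baseline["scripts"]):  # 11.6.1: script set drift
        findings.append(("11.6.1", f"script set differs from baseline: {sid}"))
    return sorted(findings)


if __name__ == "__main__":
    for req, detail in check_payment_page(SAMPLE_PAGE_HTML, SAMPLE_HEADERS):
        print(req, detail)
```

On the sample page the injected `skim.js` trips all three checks at once, which is the intended overlap: the inventory catches it because nobody authorized it, the CSP check catches it because its origin is not in `script-src`, and the baseline diff catches it as a change to the page. In production the inventory and baseline would be stored outside the web server, the headers and HTML would come from a scheduled fetch of the live page, and each finding would feed the alerting and response process that 11.6.1 expects.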
Imperva's solutions, specifically its Client-Side Protection product, are presented as simplifying compliance with these updated requirements by providing tools for monitoring changes, authorizing scripts, and enforcing security policies. Imperva also offers a 30-day free trial to help businesses put these measures in place.