The Evolving Landscape of PCI DSS 4.0.1: A New Era of Security


The Challenges of Compliance

With the March 2025 deadline for PCI DSS 4.0.1 compliance, organizations are facing numerous challenges in meeting the new requirements. According to Simon Wijckmans, CEO at web security platform c/side, organizations are often later in noticing and understanding the new PCI DSS compliance requirements than they ought to be. This is due to the need for thorough due diligence and multi-stakeholder approval processes, as well as the complexity of client-side security, which is a relatively new domain for many organizations. The lack of education and awareness-building across teams is also a significant challenge. Despite this, the c/side team is encouraged to see an increasing flow of information and educational resources in this space. Additionally, there is a big shift between the new PCI DSS mandates and the previous PCI DSS v4.0 scope that has been out for three years now. This requires organizations to monitor their client-side security and security headers, even if they use a third-party payment provider for online transactions in an iframe.

Overlapping Requirements

For enterprises that operate globally with multiple payment systems and regulatory frameworks, PCI DSS 4.0.1 requirements overlap or potentially conflict with other data security standards like GDPR or regional privacy laws. According to Simon Wijckmans, each site needs to be independently compliant, and the lines become blurry when third-party partners are involved. Both enterprise and smaller companies need to be aware of this and adopt the best practice of taking the reins themselves. Unlike other frameworks that talk about ‘third-party dependencies’ more generally, PCI DSS calls out client-side security explicitly. This removes any doubt about whether client-side executed dependencies are in scope, and highlights the importance of understanding how website dependencies behave in a user’s browser.

A Critical Security Focus

The new requirements 6.4.3 and 11.6.1 specifically target browser-side web scripts, which have become a critical security focus for the PCI Security Standards Council. Companies and the cyber security industry have increasingly invested in cloud security, open source dependency security, and similar areas. However, the cyber security space is a leaky bucket, and once one hole is patched, another leak opens faster. Browser-side web scripts are increasingly used to carry out attacks, and the PCI community has rightly taken steps to mitigate this problem. The majority of credit card theft nowadays happens in the browser, and the wider attack surface of session tokens, sensitive information, crypto mining, and DDoS attacks originating from third-party web scripts is a concern.

Legacy Security Strategies

Many enterprises are still using legacy security strategies for script monitoring, which creates potential blind spots and vulnerabilities. A widely popular one is the use of a Content Security Policy (CSP), which manually sets rules that allow a script to load only if it originates from an allowed source. However, the payload of the script is not verified, so a trusted source serving a changed payload passes the policy unchanged. The Polyfill attack, for example, saw nearly half a million websites compromised because of just one domain changing ownership. This highlights the importance of monitoring the exact payload of the script that loads, rather than just relying on a CSP header.

A Shift to Continuous Monitoring

The new requirements in PCI DSS 4.0.1 shift from annual audits to continuous monitoring, which changes the way organizations need to approach their security infrastructure. In the client-side security space, annual audits are too slow: JavaScript is designed to be dynamic, making it easy for attackers to load malicious scripts, and behaviour that varies by time zone, user agent, the presence of other scripts, and other factors can slip past point-in-time checks. With continuous monitoring, organizations can detect and respond to security threats in real time, rather than only during an annual audit.

Prioritizing Compliance

With potential penalties including six-figure monthly fines and suspension of card acceptance capabilities, organizations need to prioritize the new requirements against other cybersecurity initiatives in their 2025 planning. Fines from non-compliance with PCI DSS and other regulations can be disastrous for an organization’s revenue stream. Organizations should also be aware of the potential impact on cyber insurance rates, as some insurers already require PCI DSS compliance. Ticking the box on compliance without implementing proper security measures can lead to both compliance violations and insurance complications.

A Broader Cybersecurity Landscape

The new PCI requirements are likely to influence the broader cybersecurity landscape, and organizations will need to securely handle payment data. The regulations are tightening, and it is essential to remember the core idea behind them: keeping site visitors and buyers safe on the web. This ultimately benefits the companies bolstering their security, as an extra line of defense in a space that sees ever more attacks. The c/side team is proud to be a member of the PCI SSC Associate Participating Organization program, working to inform the council on changes in the client-side security space.

Simon Wijckmans, CEO at c/side

Simon Wijckmans, CEO at c/side, emphasizes the importance of understanding the new PCI DSS compliance requirements and the challenges they pose. By prioritizing these requirements and investing in proper security measures, organizations can protect their clients and secure their payment data.

As the cybersecurity landscape continues to evolve, organizations will need to stay vigilant and adapt to the changing requirements. The new PCI DSS 4.0.1 regulations are a significant step towards a safer browsing experience, and organizations can play a crucial role in shaping this future.

The c/side team is committed to providing education and resources to help organizations navigate the new requirements and stay ahead of emerging threats.

news

news is a contributor at AntiVirusDon. We are committed to providing well-researched, accurate, and valuable content to our readers.

© 2026 AntiVirusDon. All rights reserved.