By Viviana Wesley, PCI QSA, ISO 27001 Auditor, CISM
Principal Consultant, Governance, Compliance and Engineering Services

Did you see that version 4.0.1 of the PCI DSS was recently published?

Within the updated document you will notice that requirements 6.4.3 and 11.6.1 have a new applicability note:

6.4.3 – “This requirement also applies to scripts in the entity’s webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).” Page 154 of the PDF document: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf

11.6.1 – “This requirement also applies to entities with a webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes.)” Page 289 of the PDF document.

What Does This Mean?

  • These requirements now apply to organizations that use iframes to embed a TPSP’s/payment processor’s payment page for eCommerce outsourcing; the scripts on the organization’s own page that hosts the iframe are in scope for 6.4.3, and that page is in scope for the change- and tamper-detection mechanism of 11.6.1
  • These requirements do not apply to organizations that use URL redirects for eCommerce outsourcing, where the customer’s browser leaves the organization’s site entirely and the payment page is served by the TPSP

What Should I Do?

Which eCommerce outsourcing method are you using, iframe embedding or a full URL redirect? If you embed a payment iframe, are you ready to meet requirements 6.4.3 and 11.6.1 on the page that hosts it?

Other Information

New 4.0.1 SAQ, ROC and AOC documentation is expected to be released in Q3 of 2024.

Version 4.0 will be retired on 31 December 2024. After that point, PCI DSS v4.0.1 will be the only active version of the standard supported by PCI SSC.
