By Viviana Wesley, PCI QSA, ISO 27001 Auditor, CISM
Principal Consultant, Governance, Compliance and Engineering Services
Did you see that version 4.0.1 of the PCI DSS was recently published?
Within the updated document you will notice that requirements 6.4.3 and 11.6.1 each carry a new applicability note:
6.4.3 – “This requirement also applies to scripts in the entity’s webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).” Page 154 of the PDF document: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
11.6.1 – “This requirement also applies to entities with a webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).” Page 289 of the same PDF document.
What Does This Mean?
- These requirements now explicitly apply to organizations that outsource eCommerce by embedding a TPSP’s/payment processor’s payment page or form in an iframe on their own webpage. The merchant’s page that hosts the iframe is in scope: its scripts must be authorized, integrity-checked and inventoried (6.4.3), and a change- and tamper-detection mechanism must be in place to alert on unauthorized modification of that page’s HTTP headers and script contents (11.6.1).
- These requirements do not apply to organizations that outsource eCommerce with a full URL redirect to the TPSP’s hosted payment page, because no payment page or form is served from the merchant’s own webpage.
- Both requirements are best practice until 31 March 2025, after which they are mandatory in any assessment against v4.0 or v4.0.1.
What Should I Do?
What eCommerce outsourcing method are you using? Are you ready for the new standards?
- Read the updated PCI DSS v4.0.1 on the PCI SSC’s website, including the applicability notes for 6.4.3 and 11.6.1.
- Confirm which outsourcing method your site actually uses (embedded iframe/form versus full URL redirect); check the live checkout pages, not just the design documents.
- Gather each TPSP’s (third party service provider’s) updated PCI DSS v4.0.1 responsibility matrix and confirm it states who is responsible for 6.4.3 and 11.6.1 on the page that hosts the embedded payment form.
- Call for help from your QSA or a qualified consultant if you are unsure where you stand.
Other Information
New v4.0.1 SAQ, ROC template and AOC documentation is expected to be released in Q3 of 2024.
Version 4.0 will be retired on 31 December 2024. After that point, PCI DSS v4.0.1 will be the only active version of the standard supported by PCI SSC.