Protecting customer data is critical for any business accepting online payment information. The Payment Card Industry Data Security Standard (PCI DSS), created by leading credit card companies, establishes best practices for protecting consumers' information. By adhering to these standards, businesses can ensure that their customer's personal and financial information is secure.
The PCI DSS security standards apply to any business that processes, stores, or transmits credit card information. Failure to comply with the PCI DSS can result in costly fines and penalties from credit card companies. It can also lead to a loss of customer trust, which can be devastating for any business.
PCI DSS 4.0 was released in March 2022 and will replace the current PCI DSS 3.2.1 standard in March 2025. That provides a three-year transition period for organizations to be compliant with 4.0.
The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer's computer rather than on the company's servers or in between the two, were disregarded. But that's changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.
For example, requirement 6.3.2 now mandates that companies identify and list all their software, including any third-party software embedded in their environment. Requirement 6.3.3 requires updates for known vulnerabilities using available security patches and updates. Requirement 6.4.1 directs businesses to address new threats and vulnerabilities associated with public-facing web applications and address all known threats.
Additionally, requirement 6.4.2 states that automated public-facing web applications should be configured correctly to detect and prevent web-based attacks. It also notes that configurations should be actively running, up to date, and able to block attacks or generate alerts indicating a potential issue. Finally, requirement 6.4.3 requires organizations to authorize any scripts loaded and executed in a customer's browser.
Additionally, sections 11 and 12 have implications for client-side security, including identifying, prioritizing, and addressing external and internal vulnerabilities and detecting and responding to network intrusions and unexpected file changes.
The requirements included in PCI DSS 4.0 could do much to help improve client-side security. Although traditional security controls, like web application firewalls, protect against some online threats, they do not extend coverage to the customer's browser. Consequently, sophisticated skimming malware, supply chain attacks, sideloading, and chainloading attacks often go undetected, leaving businesses vulnerable.
While a content security policy can help ensure compliance, creating and maintaining one without automation is only feasible if your web applications and website usage remain stable. In dynamic environments, a CSP often fails, and determining why it failed may be impossible due to the lack of a functioning solution.
To comply with the upcoming PCI DSS 4.0, businesses must start making changes. That includes figuring out which web assets they have and where they come from, examining code, and following the best practices set by PCI 4.0. This could pose a problem for large businesses with thousands of lines of scripts in use. For these companies, allocating time to sift through and label lines of code could take thousands of hours.
Along those lines, businesses should consider using modern security solutions to help them with PCI 4.0 compliance. Automated content security policies can detect all first-party and third-party scripts, digital assets, and the data they can access. They can then generate relevant content security policies. Organizations can also stop unauthorized or unwanted web activity, such as blocking cardholder data from being exported, for example, by using monitoring and management tools.
The changes in the 4.0 version of PCI DSS mean that online businesses must take extra steps to ensure their customer data is secure. Companies that want to stay ahead of the compliance curve should start making changes now, which includes addressing pervasive client-side security risks before attackers can exploit them.