PCI Guidance for SAQ A Merchants on E-Skimming Attacks

Article PCI DSS

May 29, 2025


The PCI Security Standards Council (PCI SSC) recently released new guidance to address emerging threats to e-commerce payment channels, specifically focusing on mitigating E-skimming attacks. This summary provides key insights from the updated information on Requirements 6.4.3 and 11.6.1, clarifying applicability and outlining enhanced security measures for merchants and service providers.

If you are an SAQ A merchant, this article summarizes what that guidance says and attempts to clear up some of the remaining confusion surrounding these two requirements.

CampusGuard has published separate guidance for more complex merchants completing SAQ A-EP, SAQ D, or a ROC, and for service providers using SAQ D-SP or undergoing a ROC assessment.

Eligibility criteria added for e-commerce channels in SAQ A r1

The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).

Applicability for SAQ A Payment Channels

In addition to the new information supplement, PCI SSC has provided FAQ 1588 to help explain how a merchant can apply controls to meet the new eligibility criteria in SAQ A r1 after the removal of Requirements 6.4.3 and 11.6.1. Both documents address essentially two payment-page models.

Redirects or Fully Outsourced

FAQ 1588: “The above SAQ A eligibility criteria does not apply to e-commerce merchants with a webpage that redirects customers from the merchant’s webpage to a [third-party service provider] TPSP/payment processor (for example, including but not limited to, with an HTTP 30x redirect, a meta redirect tag, or a JavaScript redirect) or e-commerce merchants that fully outsource payment functions to a TPSP/payment processor (for example, by providing customers with an email with a link to a TPSP’s website to pay).”

Based on the guidance provided, any merchant that uses a redirect mechanism or a direct hyperlink to send customers to a TPSP/payment processor can skip the new eligibility criteria.

Embedded Payment Page/Form

FAQ 1588: “…SAQ A eligibility criteria only applies to e-commerce merchants with a webpage that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frame(s) (iframes)).”

Based on this guidance, any merchant that is using any method of embedding a TPSP’s/payment processor’s payment page/form will need to meet the expectations found in the new eligibility criteria to continue to use the SAQ A r1 for attestation of this payment channel.

For those merchants using embedded payment pages/forms, PCI SSC offers two distinct options.

According to FAQ 1588, “The merchant can confirm that the merchant’s webpage is not susceptible to script attacks by either:

  • Using techniques such as, but not limited to, those detailed in PCI DSS Requirements 6.4.3 and 11.6.1 to protect the merchant’s webpage from scripts targeting account data. These techniques may be deployed by the merchant or a third party.

Or

  • Obtaining confirmation from the merchant’s PCI DSS compliant TPSP/payment processor providing the embedded payment page/form(s) that, when implemented according to the TPSP’s/payment processor’s instructions, the TPSP’s/payment processor’s solution includes techniques that protect the merchant’s payment page from script attacks.”
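As an added illustration (not from the PCI SSC guidance and not CampusGuard’s ScriptSafe), the following Python check models the kind of control Requirements 6.4.3 and 11.6.1 describe: an authorized script inventory with Subresource Integrity (SRI) hashes, compared against the scripts the payment page currently references and the script bodies currently served. The page markup, script paths and script contents are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def check_payment_page(html: str, served: dict, baseline: dict) -> list:
    """Compare the page's scripts against the authorized inventory (baseline: src -> SRI
    hash, the 6.4.3-style list) and the bodies currently served; return (src, reason)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        if src is None:
            findings.append(("<inline>", "inline script is not covered by SRI; review it"))
        elif src not in baseline:
            findings.append((src, "not in the authorized script inventory"))
        elif integrity != baseline[src]:
            findings.append((src, "integrity attribute missing or differs from baseline"))
        elif sri_hash(served.get(src, b"")) != baseline[src]:
            findings.append((src, "served script body changed since baseline"))
    return findings

# Constructed sample data: a merchant checkout page that embeds a PSP iframe.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', submitToken);"
ANALYTICS_JS = b"trackPageView('/checkout');"
BASELINE = {"/static/checkout.js": sri_hash(CHECKOUT_JS),
            "/static/analytics.js": sri_hash(ANALYTICS_JS)}
PAGE = f"""<html><body><iframe src="https://psp.example/hosted-form"></iframe>
<script src="/static/checkout.js" integrity="{BASELINE['/static/checkout.js']}"></script>
<script src="/static/analytics.js" integrity="{BASELINE['/static/analytics.js']}"></script>
<script src="https://cdn.example/loader.js"></script></body></html>"""
SERVED = {"/static/checkout.js": CHECKOUT_JS,
          "/static/analytics.js": ANALYTICS_JS + b"\n// unexpected change",
          "https://cdn.example/loader.js": b"// not in inventory"}
```

Running `check_payment_page(PAGE, SERVED, BASELINE)` on the sample data reports the modified analytics script and the script that is absent from the inventory, while the unchanged checkout script passes; a real deployment would fetch the live page and scripts on a schedule and alert on any finding.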

Final Thoughts

For any merchant that is eligible for the reduced SAQ A r1, the new eligibility criteria only apply if they are using an embedded payment page/form, such as an iframe, provided by a TPSP/payment processor.

All other payment channel models eligible for the SAQ A r1 can skip the new eligibility criteria. Also, keep in mind that any merchant relying on a TPSP to host/administer the e-commerce “front-end” web server would not be directly liable for SAQ A’s technical controls.

In these cases, such a TPSP would be fully managed under PCI DSS requirements 12.8.1 through 12.8.5, which would inherently include verification that the TPSP had implemented and was appropriately managing all relevant security controls.

CampusGuard’s ScriptSafe solution strengthens your organization’s compliance with PCI DSS requirements 6.4.3 and 11.6.1 by safeguarding cardholder data from payment page browser scripts. It ensures script integrity by detecting and preventing unauthorized modifications while reviewing and validating scripts in real-time. Request a demo to see it in action!


About the Author
Kyle Smith

CISA, CISSP, QSA

Security Advisor

Kyle is a highly experienced member of the CampusGuard Security Advisor team. He is responsible for analyzing customer processes and technologies and helping to assess compliance and security gaps. Kyle enjoys long-term working relationships with his customers to help them plan, develop, and execute remediation to attack those gaps and move towards a secure and compliant state while managing scarce resources. He has an extensive background in this field as evidenced by 25 years of direct experience in higher education, 8 years in PCI governance, and now providing guidance as a Qualified Security Assessor.
