Credit Card processing under PCI DSS 4.0 will not be that easy!

By Peter Vogel on April 20, 2025
[Photo: SumUp, Unsplash]

BankInfoSecurity.com reported that “…the rollout of the Payment Card Industry’s Data Security Standard in force since April 1. PCI DSS – now at version 4.0.1 – introduces a raft of refinements aimed at locking down payment card security, but modified hardline requirements for merchants to vouchsafe the scripts running on their websites and browser security.” The April 15, 2025 article entitled “The Unbearable Drama of a PCI DSS Standard Rollout” (https://tinyurl.com/yrmy4fty) included these comments:

Malicious scripts loaded into e-commerce pages are a legitimate problem. The data skimming hackers who perform “Magecart” attacks reached new heights of sophistication during 2024, craftily deploying scripts to avoid detection or deliver bespoke malware to e-commerce websites, found cybersecurity firm Recorded Future.

The latest specification tries to get ahead of that, initially by requiring merchants to verify the integrity of all scripts, ensuring they’re authorized and inventorying and justifying all scripts in use.

Uproar ensued. Large merchants might run thousands of scripts at a time. Many smaller merchants use script-laden third-party software entirely out of the box and have no visibility into what those scripts are doing or why.

Another new requirement required monitoring for and responding to unauthorized payment page changes, including “to the security-impacting HTTP headers and the script contents of payment pages.” Given how modern web pages are assembled on the fly from numerous sources, the only way to detect malicious activity is in the browser itself, PCI said.

Since the credit card companies control PCI, everyone in the world is affected!
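The two requirements the quoted article describes (a justified, authorized inventory of payment page scripts with integrity verification, and change detection for the page's security-impacting HTTP headers and script contents) are PCI DSS v4.0 requirements 6.4.3 and 11.6.1. The Python below is an added illustration of what a minimal out-of-band check for both looks like; it is not code from this post, from BankInfoSecurity or from the PCI Council. The page snapshot, the script bodies, the approved inventory, the hostname `cdn.example-psp.test` and the captured headers are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Headers PCI DSS 11.6.1 calls "security-impacting"; compared against a stored baseline.
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag: src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser hands script bodies to handle_data
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def extract_scripts(html: str):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def audit_payment_page(html, fetched, approved, headers, header_baseline):
    """Return findings for 6.4.3 (inventory/authorization/integrity) and 11.6.1 (header changes).

    fetched: {src: bytes} as retrieved by the monitor; approved: {key: {"sha384", "justification"}}.
    Inline scripts are keyed as "inline:<sri hash>" so only known bodies are authorized.
    """
    findings = []
    for s in extract_scripts(html):
        if s["src"]:
            key, body = s["src"], fetched.get(s["src"])
        else:
            body = s["inline"].encode()
            key = "inline:" + sri_hash(body)
        entry = approved.get(key)
        if entry is None:
            findings.append(f"unauthorized script: {key}")
            continue
        if not entry.get("justification"):
            findings.append(f"script lacks written justification: {key}")
        if body is None:
            findings.append(f"could not retrieve script for integrity check: {key}")
        elif sri_hash(body) != entry["sha384"]:
            findings.append(f"integrity mismatch: {key}")
        if s["src"] and s["integrity"] != entry["sha384"]:
            findings.append(f"missing or stale integrity attribute on tag: {key}")
    got = {k.lower(): v for k, v in headers.items()}
    for name in SECURITY_HEADERS:
        expected = header_baseline.get(name)
        if expected is not None and got.get(name) != expected:
            findings.append(f"header changed: {name}: {got.get(name)!r} (baseline {expected!r})")
    return findings


# --- Constructed sample data (not a real merchant site) ---
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', validateForm);"
PSP_JS_APPROVED = b"window.psp = {tokenize: function (card) { /* hands card data to the PSP */ }};"
PSP_JS_SERVED = PSP_JS_APPROVED + b"\n// unexpected trailing change"  # simulates a modified CDN copy

APPROVED = {
    "/static/checkout.js": {"sha384": sri_hash(CHECKOUT_JS), "justification": "form validation, payments team"},
    "https://cdn.example-psp.test/psp.js": {"sha384": sri_hash(PSP_JS_APPROVED), "justification": "PSP tokenization library"},
}
HEADER_BASELINE = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example-psp.test",
    "strict-transport-security": "max-age=31536000",
}
PAGE_HTML = f"""<html><head>
<script src="/static/checkout.js" integrity="{APPROVED['/static/checkout.js']['sha384']}"></script>
<script src="https://cdn.example-psp.test/psp.js" integrity="{APPROVED['https://cdn.example-psp.test/psp.js']['sha384']}"></script>
<script>window.__thirdparty_tag = 1;</script>
</head><body><form id="pay"></form></body></html>"""
FETCHED = {"/static/checkout.js": CHECKOUT_JS, "https://cdn.example-psp.test/psp.js": PSP_JS_SERVED}
CAPTURED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example-psp.test 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000",
}


def run_demo():
    return audit_payment_page(PAGE_HTML, FETCHED, APPROVED, CAPTURED_HEADERS, HEADER_BASELINE)


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

Running the demo reports three findings: the PSP library served from the CDN no longer matches its approved hash, an inline script on the page is not in the inventory at all, and the Content-Security-Policy header has drifted from its baseline. The `fetched` map stands in for whatever the monitor retrieves itself; as the article notes, a server-side fetch can differ from what a given shopper's browser actually receives, which is why the standard allows the detection mechanism to run in the browser.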

First published at https://www.vogelitlaw.com/blog/credit-card-processing-under-pci-dss-40-will-not-be-that-easy

  • Posted in:
    E-Discovery, Technology and IT
  • Blog:
    Internet, IT & e-Discovery
  • Organization:
    Peter S. Vogel PC

Copyright © 2026, Open Legal Blog Archive, Inc. All Rights Reserved.