Organizations processing credit card transactions and related information must protect this data by complying with PCI DSS. Two new requirements in the most recent DSS edition can be hard to meet, but with the right controls implemented carefully, PCI compliance is achievable.
Is your organization ready for seamless PCI compliance? Schedule a consultation to find out!
PCI 4.0 Requirements 6.4.3 and 11.6.1, Explained
The Payment Card Industry (PCI) Data Security Standard (DSS) is a compliance framework that applies to merchants and service providers that store, process, or transmit payment card data. Its current edition, PCI DSS v4.0.1, carries two Requirements introduced in v4.0 (6.4.3 and 11.6.1) that were future-dated best practices until March 31, 2025 and are mandatory after that date. Many organizations find them challenging, even if they have complied before. Meeting these requirements involves:
- Understanding the broader context for these new requirements
- Following the exact specifications for PCI-compliant script scanning
- Meeting the exact specifications for PCI-compliant change detection
- Accounting for other challenges and considerations for PCI compliance
Working with a PCI advisory partner is the best way to ensure seamless long-term compliance.
Context and Prerequisites for New PCI Requirements
Understanding the broader context surrounding these new PCI requirements will make it clearer exactly how they fit into the whole of PCI compliance. It also clarifies what other protections you need to have in place in addition to or before these controls as you prepare for a PCI DSS audit.
The DSS is maintained by the PCI Security Standards Council (PCI SSC), which was founded by the payment brands: Visa, Mastercard, American Express, Discover, JCB International, and UnionPay. The SSC publishes the standard; compliance is enforced by the payment brands and by the acquiring banks that hold merchants' card-processing agreements. The rules apply to organizations that store, process, transmit, or otherwise come into contact with cardholder data (CHD), and specifically to the people, processes, and technologies that handle it, which together make up the cardholder data environment (CDE).
In practice, this means that every system component in the CDE, connected to it, or able to affect its security is in scope for all 12 PCI Requirements and their sub-requirements. Failing them exposes you to fines and other enforcement actions from your acquirer and the payment brands.
Requirement 6.4.3 Breakdown and Considerations
PCI DSS Requirement 6.4.3 falls under Requirement 6, “Develop and Maintain Secure Systems and Software.” More particularly, it is a sub-requirement of 6.4, which mandates that public-facing web applications be protected against attacks. Its siblings are 6.4.1, which requires those applications to be reviewed for vulnerabilities (manually or with automated tools) or protected by an automated technical solution, and 6.4.2, which requires an automated technical solution, such as a web application firewall, that continually detects and prevents web-based attacks.
Requirement 6.4.3 applies specifically to payment page scripts, mandating the following:
- All payment page scripts that are loaded and executed in the consumer's browser are managed such that:
- A method is implemented to confirm that each script is authorized
- A method is implemented to assure the integrity of each script
- An inventory of all scripts is maintained, with a written business or technical justification for why each one is necessary
These specifications can be challenging because of the dynamic nature of scripts operating on websites organizations manage either directly or in conjunction with a variety of third parties.
The dynamic nature of scripts makes script scanning essential to PCI 4.0 compliance.
Implementing PCI-Compliant Script Scanning Solutions
Scanning for authorization, integrity, and justification across scripts on payment pages requires robust visibility and reporting infrastructure. Organizations must maintain constant visibility into the scripts running on their payment pages as consumers' browsers actually receive them, including scripts pulled in by third-party and fourth-party services. An unauthorized or modified script can skim card data straight out of the form in the consumer's browser, which is precisely the attack pattern this control exists to catch.
To that effect, one approach is to treat payment page scripts as their own monitored asset class. The techniques the PCI SSC's guidance for 6.4.3 cites are Subresource Integrity (SRI) hashes on script tags, a Content Security Policy (CSP) that allowlists script sources, and a script inventory or tag-management system that records each script's owner and justification. Setting up scans at regular intervals (e.g., daily) that compare the scripts on each payment page against that inventory, and check their SRI hashes against the approved versions, lets you identify and address deviations quickly. Any script not in the inventory should be flagged and, pending review, blocked or removed. If your scripts include open source libraries, software composition analysis (SCA) tooling helps keep the inventoried versions and their justifications accurate.
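The following is an added example, not code from the original article or from RSI Security, showing what a 6.4.3 script check can look like in practice. It parses a payment page, confirms every script tag is in an inventory with a written justification, and verifies the SRI digest on each tag against both the approved version and the bytes the server actually returns. The page, script bodies, inventory entries, URLs, and the `fetch` stand-in are constructed samples.

```python
"""Added example (not from the original page): a script-inventory and integrity checker
for Requirement 6.4.3. All URLs, script bodies and inventory entries are constructed."""
import base64
import hashlib
from html.parser import HTMLParser

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI value in the form browsers expect, e.g. 'sha384-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def sri_matches(content: bytes, attr: str) -> bool:
    """True if any supported token in an integrity attribute matches the content."""
    tokens = [t for t in attr.split() if t.split("-", 1)[0] in SRI_ALGOS]
    return any(sri_digest(content, t.split("-", 1)[0]) == t for t in tokens)


class ScriptTags(HTMLParser):
    """Collect every <script> tag: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._open = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._open = False

    def handle_data(self, data):
        if self._open:
            self.scripts[-1]["body"] += data


def check_payment_page(html: str, inventory: dict, fetch) -> list:
    """Return (finding, script) pairs. `inventory` maps a src URL, or 'inline:<sri>' for
    inline scripts, to {'justification': str, 'sri': str}; `fetch(url)` returns bytes."""
    parser = ScriptTags()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:  # inline scripts cannot carry SRI; key them by body digest
            key = "inline:" + sri_digest(s["body"].strip().encode())
            if key not in inventory:
                findings.append(("UNAUTHORIZED_INLINE", s["body"].strip()[:40]))
            continue
        entry = inventory.get(s["src"])
        if entry is None:
            findings.append(("UNAUTHORIZED", s["src"]))
            continue
        if not entry.get("justification"):
            findings.append(("NO_JUSTIFICATION", s["src"]))
        attr = s["integrity"] or ""
        if not attr:
            findings.append(("MISSING_INTEGRITY", s["src"]))
            continue
        if entry["sri"] not in attr.split():  # page references a version nobody approved
            findings.append(("UNAPPROVED_VERSION", s["src"]))
        served = fetch(s["src"])
        if served is None or not sri_matches(served, attr):  # what the server serves now
            findings.append(("INTEGRITY_MISMATCH", s["src"]))
    return findings


# Constructed sample: approved script bodies, what the servers currently return, the page.
CHECKOUT = "https://pay.example/js/checkout.js"
ANALYTICS = "https://cdn.example/analytics.js"
TAGS = "https://tags.example/tagmanager.js"
INLINE = "window.__checkoutConfig = {currency: 'USD'};"
APPROVED = {CHECKOUT: b"window.checkout = function () { /* approved build */ };",
            ANALYTICS: b"window.track = function (e) { /* approved vendor build */ };"}
SERVED = dict(APPROVED)
SERVED[ANALYTICS] = b"window.track = function (e) { /* changed on the CDN, not approved */ };"
INVENTORY = {
    CHECKOUT: {"justification": "First-party card entry form logic", "sri": sri_digest(APPROVED[CHECKOUT])},
    ANALYTICS: {"justification": "Vendor conversion analytics", "sri": sri_digest(APPROVED[ANALYTICS])},
    "inline:" + sri_digest(INLINE.encode()): {"justification": "Page configuration literal", "sri": ""},
}
PAGE_HTML = f"""<html><head>
<script src="{CHECKOUT}" integrity="{INVENTORY[CHECKOUT]['sri']}" crossorigin="anonymous"></script>
<script src="{ANALYTICS}" integrity="{INVENTORY[ANALYTICS]['sri']}" crossorigin="anonymous"></script>
<script src="{TAGS}"></script>
<script>{INLINE}</script>
</head><body><form id="card"><input name="pan"></form></body></html>"""


def scan_sample() -> list:
    """Run the check over the constructed page; SERVED.get stands in for an HTTP fetch."""
    return check_payment_page(PAGE_HTML, INVENTORY, SERVED.get)


if __name__ == "__main__":
    for finding, script in scan_sample():
        print(f"{finding:20} {script}")
```

On the sample page the checker reports the analytics script as an integrity mismatch (the CDN now serves bytes that differ from the approved build the tag's `integrity` attribute pins) and the tag-manager script as unauthorized (absent from the inventory). In a real deployment, replace `SERVED.get` with an HTTP fetch that sends the same headers a consumer's browser would, since some third-party scripts vary by user agent or geography, and run it from outside your network so you see what consumers see.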
Requirement 11.6.1 Breakdown and Considerations
PCI DSS Requirement 11.6.1 falls under Requirement 11, “Test Security of Systems and Networks Regularly.” It is the first and only sub-requirement within Requirement 11.6, which mandates detection of, and response to, unauthorized changes on payment pages.
On a granular level, Requirement 11.6.1's mandates break down as follows:
- Deploy a change- and tamper-detection mechanism such that:
- Personnel are alerted to unauthorized modification (including indicators of compromise, changes, additions, and deletions) of the security-impacting HTTP headers and the script contents of payment pages, as received by the consumer's browser.
- The mechanism is configured to evaluate the received HTTP headers and payment pages.
- The mechanism runs at least once every seven days, or at the frequency defined in the organization's targeted risk analysis performed per PCI DSS Requirement 12.3.1.
As with scripts, changes across an organization's IT systems and tech stack can be extremely dynamic and complex. Ensuring that every single change is authorized and secure can be a herculean task.
Implementing PCI-Compliant Change Detection Solutions
Change management starts with change monitoring, which requires visibility infrastructure, just like script scanning. Systematic approaches include File Integrity Monitoring (FIM), which alerts on changes to files and configurations on your own servers, and Security Information and Event Management (SIEM), which correlates those alerts with other security-relevant events. One caveat matters for 11.6.1: server-side FIM alone does not satisfy it, because the requirement concerns what the consumer's browser receives, including headers added by CDNs or proxies and scripts served by third parties that never touch your file system. The detection mechanism must therefore evaluate the payment page as delivered, for example by fetching it on a schedule from outside your network or instrumenting it in the browser, and compare its headers and script contents against an approved baseline.
However, other elements that come into play are more fundamental processes like patch management. Organizations need a system for identifying, vetting, and streamlining updates and security patches, and it should include monitoring for PCI-relevant changes alongside other general security concerns. In addition, robust Third-Party Risk Management (TPRM) ensures that changes made by vendors whose scripts or services run on your payment pages remain authorized and compliant, and that all stakeholders who need to know about them do.
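The following is an added example, not code from the original article or from RSI Security, of the baseline-and-compare logic behind an 11.6.1 mechanism. A baseline snapshot of the payment page's security-related response headers and script contents is recorded; each scheduled run takes a fresh snapshot and raises an alert for every header or script that was added, removed, or modified, plus a check that the run cadence has not slipped past seven days. The header set, the two snapshots, and the alert tuples are this example's own assumptions.

```python
"""Added example (not from the original page): snapshot-and-diff tamper detection for
Requirement 11.6.1. Headers, script bodies and timestamps below are constructed samples."""
import hashlib
from datetime import datetime, timedelta

# Response headers whose change weakens or alters payment page protections (assumed set).
SECURITY_HEADERS = {
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
    "cross-origin-opener-policy", "cross-origin-resource-policy",
}


def snapshot(headers: dict, scripts: dict) -> dict:
    """Normalise one observation of the page as received: lower-cased security headers
    with whitespace collapsed, plus a SHA-256 of every script body keyed by URL."""
    return {
        "headers": {k.lower(): " ".join(v.split()) for k, v in headers.items()
                    if k.lower() in SECURITY_HEADERS},
        "scripts": {url: hashlib.sha256(body).hexdigest() for url, body in scripts.items()},
    }


def compare(baseline: dict, current: dict) -> list:
    """Return alerts as (kind, name, old, new); an empty list means nothing changed."""
    alerts = []
    for section, label in (("headers", "HEADER"), ("scripts", "SCRIPT")):
        old, new = baseline[section], current[section]
        for name in sorted(set(old) | set(new)):
            if name not in new:
                alerts.append((f"{label}_REMOVED", name, old[name], None))
            elif name not in old:
                alerts.append((f"{label}_ADDED", name, None, new[name]))
            elif old[name] != new[name]:
                alerts.append((f"{label}_CHANGED", name, old[name], new[name]))
    return alerts


def check_overdue(last_run_iso: str, now_iso: str, max_days: int = 7) -> bool:
    """True when the mechanism has not run within the interval (default: every seven days,
    or whatever your targeted risk analysis under 12.3.1 set)."""
    last_run = datetime.fromisoformat(last_run_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_run > timedelta(days=max_days)


# Constructed sample: the approved baseline and what a later scheduled run observed.
CHECKOUT = "https://pay.example/js/checkout.js"
ANALYTICS = "https://cdn.example/analytics.js"
TAGS = "https://tags.example/tagmanager.js"
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-store",  # not in SECURITY_HEADERS, so changes to it are ignored
}
BASELINE_SCRIPTS = {CHECKOUT: b"window.checkout = function () { /* approved build */ };",
                    ANALYTICS: b"window.track = function (e) { /* approved vendor build */ };"}
CURRENT_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
    "Strict-Transport-Security": "max-age=31536000;  includeSubDomains",  # whitespace only
    "Cache-Control": "no-cache",
}
CURRENT_SCRIPTS = {CHECKOUT: BASELINE_SCRIPTS[CHECKOUT],
                   ANALYTICS: b"window.track = function (e) { /* modified on the CDN */ };",
                   TAGS: b"/* new script nobody reviewed */"}


def run_sample() -> list:
    """Diff the constructed current observation against the constructed baseline."""
    return compare(snapshot(BASELINE_HEADERS, BASELINE_SCRIPTS),
                   snapshot(CURRENT_HEADERS, CURRENT_SCRIPTS))


if __name__ == "__main__":
    for kind, name, old, new in run_sample():
        print(f"{kind:15} {name}\n    was: {old}\n    now: {new}")
```

Against the sample data the run alerts on a weakened CSP (`'unsafe-inline'` added to `script-src`), a removed `X-Frame-Options` header, a modified analytics script, and a newly appeared tag-manager script, while ignoring a whitespace-only change to HSTS and a change to a non-security header. The baseline must only be re-accepted through your change control process with a ticket reference; a mechanism that silently re-baselines on every run detects nothing.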
Other PCI DSS 4.0 Compliance Considerations
Of course, these two new PCI Requirements are not the only challenges of achieving or maintaining compliance with version 4 of the DSS. There are many other new specifications across the 12 Requirements, and the ones that remained unchanged from prior versions still involve challenges for organizations looking to comply for the first time. All controls need to be implemented. Then you'll either complete a Self-Assessment Questionnaire (SAQ), if you're eligible for one, or engage a Qualified Security Assessor (QSA) to produce a Report on Compliance (ROC) and the accompanying Attestation of Compliance (AOC).
Many organizations follow a yearly cadence, preparing for annual assessments in the weeks and months leading up to last year’s documentation expiring. A much more effective approach that minimizes crunch is continuous compliance assessments and PCI as-a-Service (PICaaS).
In these deployments, a trusted PCI advisory organization will work with you on a steady basis throughout the year to ensure you’re ready for assessments with minimal stress on the day of.
Achieve and Maintain PCI Compliance Efficiently
Ultimately, PCI Requirements 6.4.3 and 11.6.1 are just two of the many specifications you’ll need to meet to comply with Version 4.0 of the DSS. Covering them requires installing script scanning and change management protections that maximize your visibility and control. The best way to do that is to work with a PCI compliance services provider—like RSI Security.
RSI Security is a PCI QSA and Approved Scanning Vendor (ASV). We’ve helped countless organizations prepare for, achieve, and maintain PCI compliance efficiently. We believe that discipline up-front unlocks greater freedom down the road. We’ll help you rethink your cyberdefense implementation and management for a streamlined compliance process.
To learn more about the PCI requirements and how to comply, contact RSI Security today!