Are You Outsourcing eCommerce?

Our recent article PCI SSC Updates SAQ A: Removal of Key E-Commerce Security Requirements & New Eligibility Criteria outlined significant requirement updates – who they affect and what to do next. Requirements 6.4.3 and 11.6.1 remain part of PCI DSS v4.0.1 and its March 31, 2025 deadline. However, SAQ A merchants are no longer required to validate compliance with them, as long as they meet the new eligibility criteria. Even though SAQ A no longer lists these specific controls, merchants must still ensure their site is protected from script-based threats that could affect their eCommerce systems. This is especially relevant for merchants that outsource their eCommerce environment to a third-party service provider (TPSP).

 

What Does This Mean For Me?

With the SAQ A eligibility criteria update, our PCI team is getting more questions from businesses that outsource their eCommerce operations, asking how they can satisfy the new criteria. The PCI update indicates that if a merchant can confirm its site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s), these requirements may not apply to it. The HALOCK team reviewed these requirements further to help organizations understand where they are applicable.

 

How Is a ‘Payment Page’ Defined?

Requirements 6.4.3 and 11.6.1 use the terms ‘payment page scripts’ and ‘payment pages’. In short, payment pages are the pages that accept or submit cardholder data, and payment page scripts are the code that runs in the consumer’s browser on those pages.

These definitions can be found in PCI DSS 4.0.1’s glossary:

Payment Page: A web-based user interface containing one or more form elements intended to capture account data from a consumer or submit captured account data, for purposes of processing and authorizing payment transactions. The payment page can be rendered as any one of:

  • A single document or instance,
  • A document or component displayed in an inline frame within a non-payment page,
  • Multiple documents or components each containing one or more form elements contained in multiple inline frames within a non-payment page.

Payment Page Scripts: Any programming language commands or instructions on a payment page that are processed and/or interpreted by a consumer’s browser, including commands or instructions that interact with a page’s document object model. Examples of programming languages are JavaScript and VB script; neither markup languages (for example, HTML) nor style rules (for example, CSS) are programming languages.

The wording of Requirement 6.4.3 makes clear that this applies to every script on the page, not only those the merchant wrote: ‘all payment page scripts that are loaded and executed in the consumer’s browser are managed’. Managed here means each script is authorized, its integrity is assured, and it appears in an inventory with a written justification.
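As an added illustration (not code from the original article, HALOCK, or the PCI SSC), the following Python script shows what managing payment page scripts can look like in practice. It enumerates every `<script>` element on a page, records any iframes as separate documents that must be inventoried on their own, and checks each external script against a hypothetical authorized-script inventory, including a Subresource Integrity (SRI) hash of the approved copy. The inventory, URLs and sample HTML are constructed for the example; the three checks (authorization, integrity, inventory with justification) mirror the bullets of Requirement 6.4.3, but implementing them with SRI and an allowlist is this example’s choice, not something the standard prescribes.

```python
"""Added example: enumerate the scripts on a payment page and check each one
against an authorized-script inventory (authorization, integrity, inventory).
All names, URLs, script bodies and the sample HTML are constructed."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(script_body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(script_body).digest()
    return "sha384-" + base64.b64encode(digest).decode()


# Hypothetical inventory: URL -> (business justification, approved content).
INVENTORY = {
    "https://cdn.example-psp.test/checkout.js": (
        "PSP-hosted card entry widget", b"window.Checkout = function(){};"),
    "https://cdn.example-psp.test/3ds.js": (
        "3-D Secure challenge handler", b"window.ThreeDS = {};"),
}


class ScriptCollector(HTMLParser):
    """Collects <script> elements and <iframe> sources from one document."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # dicts with src, integrity and inline body
        self.iframes = []   # iframe src values: separate documents to review
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts.append({"src": a.get("src"),
                                 "integrity": a.get("integrity"),
                                 "body": ""})
            self._in_script = True
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]["body"] += data


def audit_payment_page(html: str, inventory=INVENTORY) -> dict:
    """Classify every script on the page against the inventory."""
    p = ScriptCollector()
    p.feed(html)
    findings = {"ok": [], "unauthorized": [], "no_integrity": [],
                "integrity_mismatch": [], "inline": 0, "iframes": p.iframes}
    for s in p.scripts:
        if s["src"] is None:
            # Inline scripts cannot carry an SRI attribute; they still need
            # authorization and a justification in the inventory.
            findings["inline"] += 1
            continue
        if s["src"] not in inventory:
            findings["unauthorized"].append(s["src"])
        elif not s["integrity"]:
            findings["no_integrity"].append(s["src"])
        elif s["integrity"] != sri_hash(inventory[s["src"]][1]):
            findings["integrity_mismatch"].append(s["src"])
        else:
            findings["ok"].append(s["src"])
    return findings


def sample_page() -> str:
    """Constructed payment page that exercises each finding type."""
    good = sri_hash(INVENTORY["https://cdn.example-psp.test/checkout.js"][1])
    return f"""<html><head>
<script src="https://cdn.example-psp.test/checkout.js" integrity="{good}"
        crossorigin="anonymous"></script>
<script src="https://cdn.example-psp.test/3ds.js"></script>
<script src="https://tag.example-analytics.test/t.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<form><input name="cardnumber"></form>
<iframe src="https://pay.example-psp.test/frame"></iframe>
</body></html>"""


if __name__ == "__main__":
    for key, value in audit_payment_page(sample_page()).items():
        print(f"{key}: {value}")
```

Run against the constructed page, the audit reports one authorized script with a matching integrity value, one inventoried script with no integrity attribute, one unauthorized analytics tag, one inline script, and one iframe. The iframe is the point most relevant to outsourcing: its contents are a separate payment page document, so whoever serves that frame (typically the TPSP) owns the script inventory inside it, and the merchant’s own audit cannot see into it.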

 

Ultimately, these requirements raise a question of responsibility that the standard leaves nuanced: in an outsourced eCommerce environment, including redirects and iframes, who is taking responsibility for payment page security?

 

What Should I Do?

If your organization outsources its eCommerce environment, we recommend meeting with your eCommerce third-party service provider to confirm that it is taking on the security responsibilities for these payment page script requirements. If you are a third-party service provider, we recommend updating your PCI DSS responsibility documentation so that your clients understand their responsibilities for these requirements.

Our team has also started going back to those third-party service providers (that marked these requirements N/A until 4/2025) to verify they are expecting to take on these requirements for their merchant customers.

 

Why?

As a merchant, your ultimate goal should be to understand who is taking responsibility for these requirements before the March 31, 2025 deadline.

Reference Material – Updated SAQ A

 

By Viviana Wesley, PCI QSA, ISO 27001 Auditor, CISM
Principal Consultant, Governance, Compliance and Engineering Services