PCI DSS v4.x Security in e-Commerce
The PCI Security Standards Council (PCI SSC) is developing new guidance to help stakeholders understand and implement the e-commerce security requirements introduced in version 4.x of the PCI Data Security Standard (PCI DSS). The guidance is intended to address the complexity that many entities, including merchants that validate using Self-Assessment Questionnaire (SAQ) A, face when attempting to comply with these requirements.
Why are these new guidelines important?
E-commerce security requirements are crucial for protecting businesses against cyber threats, which have grown sharply in recent years. In particular, the controls in requirements 6.4.3 and 11.6.1 are considered fundamental to mitigating vulnerabilities in e-commerce environments and preventing data breaches that could have serious financial and reputational consequences.
With an effective date of 31 March 2025, these measures are among the 64 future-dated requirements of the updated PCI DSS v4.x framework. To ensure that organizations are prepared, the PCI SSC has set up a dedicated working group to develop a practical, specific guide to facilitate implementation.
What will the new e-commerce guide provide?
The guide, expected to be published in early 2025, aims to provide:
- Clear, actionable guidance: Entities will receive detailed information on how to comply with requirements 6.4.3 and 11.6.1, adapted to the needs and challenges of e-commerce.
- Support for service providers: Third-party providers will receive specific guidelines on how they can help their customers comply with these security standards.
- Practical implementation strategies: Rather than theoretical approaches, the guide will focus on specific tactics for integrating these controls into real-world operations.
What are requirements 6.4.3 and 11.6.1?
Although the technical details will be covered in depth in the guide, here is an overview of the two key requirements:
- Requirement 6.4.3: Focuses on secure management of changes in the e-commerce environment, ensuring that any change to the systems is evaluated and controlled so as not to introduce vulnerabilities.
- Requirement 11.6.1: Concerns the detection of unauthorized changes to critical e-commerce systems, which means monitoring for and quickly responding to suspicious activity.
Both controls are designed to strengthen e-commerce security against targeted attacks that seek to expose sensitive payment card information.
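To make the two controls concrete, the following is an added example (not from the article, and not from the forthcoming PCI SSC guide, which is unpublished at the time of writing). It assumes the controls are applied to the scripts loaded by a payment page and to the security-relevant HTTP response headers served with it: an authorized script inventory with approved content hashes stands in for the change-control side (6.4.3), and a comparison of a later observation against that baseline stands in for the change- and tamper-detection side (11.6.1). All page content, header values, script bodies and URLs (`example.com`, `example.net`) are constructed sample data, and the set of monitored headers is an assumption for the example.

```python
"""
Illustrative payment-page integrity check in the spirit of PCI DSS v4.x
requirements 6.4.3 (authorized inventory of payment-page scripts) and
11.6.1 (detection of unauthorized changes to page content and HTTP headers).
Added example with constructed data; not the PCI SSC's own guidance.
"""
import hashlib
import re

# Matches <script ... src="..."> tags; good enough for the constructed pages below.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc="([^"]+)"', re.IGNORECASE)

# Headers whose values are monitored for unexpected change (assumed set).
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(page_html: str, headers: dict, script_bodies: dict, authorized: set) -> dict:
    """Take an approved snapshot: hashes of every authorized script on the page plus
    the monitored header values. Refuses to baseline a page that already loads a
    script outside the authorized inventory (6.4.3: only approved scripts run)."""
    srcs = SCRIPT_SRC_RE.findall(page_html)
    unauthorized = [s for s in srcs if s not in authorized]
    if unauthorized:
        raise ValueError(f"page loads scripts not in the authorized inventory: {unauthorized}")
    return {
        "scripts": {src: sha256(script_bodies.get(src, b"")) for src in srcs},
        "headers": {h: headers.get(h) for h in MONITORED_HEADERS},
    }


def detect_changes(baseline: dict, page_html: str, headers: dict,
                   script_bodies: dict, authorized: set) -> list:
    """Compare a later observation of the page against the baseline (11.6.1) and
    return a list of human-readable findings; an empty list means no change."""
    findings = []
    srcs = SCRIPT_SRC_RE.findall(page_html)
    for src in srcs:
        if src not in authorized:
            findings.append(f"UNAUTHORIZED script added: {src}")
        elif src not in baseline["scripts"]:
            findings.append(f"authorized but not in baseline: {src}")
        elif sha256(script_bodies.get(src, b"")) != baseline["scripts"][src]:
            findings.append(f"script content changed: {src}")
    for src in baseline["scripts"]:
        if src not in srcs:
            findings.append(f"script removed from page: {src}")
    for h in MONITORED_HEADERS:
        if headers.get(h) != baseline["headers"][h]:
            findings.append(f"header changed: {h}")
    return findings


# --- Constructed sample data -------------------------------------------------
APPROVED_PAGE = """<html><head>
<script src="https://checkout.example.com/js/checkout.js"></script>
<script src="https://pay.example.com/sdk/v2/pay.js"></script>
</head><body><form id="card"></form></body></html>"""

APPROVED_HEADERS = {
    "content-security-policy": "script-src 'self' https://pay.example.com",
    "strict-transport-security": "max-age=31536000",
    "x-frame-options": "DENY",
}

# Authorized inventory: script URL -> approved content (constructed placeholders).
APPROVED_SCRIPTS = {
    "https://checkout.example.com/js/checkout.js": b"/* constructed: approved checkout code */",
    "https://pay.example.com/sdk/v2/pay.js": b"/* constructed: approved payment SDK */",
}
AUTHORIZED = set(APPROVED_SCRIPTS)

# A constructed later observation: one extra script not in the inventory,
# one approved script whose content changed, and one weakened header.
OBSERVED_PAGE = APPROVED_PAGE.replace(
    "</head>", '<script src="https://cdn.example.net/stats.js"></script>\n</head>')
OBSERVED_HEADERS = dict(APPROVED_HEADERS, **{"content-security-policy": "script-src *"})
OBSERVED_SCRIPTS = dict(APPROVED_SCRIPTS)
OBSERVED_SCRIPTS["https://pay.example.com/sdk/v2/pay.js"] = b"/* constructed: modified SDK */"
OBSERVED_SCRIPTS["https://cdn.example.net/stats.js"] = b"/* constructed: unreviewed script */"


def run_check() -> list:
    """Baseline the approved page, then check the observed page against it."""
    baseline = build_baseline(APPROVED_PAGE, APPROVED_HEADERS, APPROVED_SCRIPTS, AUTHORIZED)
    return detect_changes(baseline, OBSERVED_PAGE, OBSERVED_HEADERS, OBSERVED_SCRIPTS, AUTHORIZED)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

In a real deployment the observation would come from fetching the live page and its script bodies on a schedule (or from a client-side mechanism reporting what the browser actually loaded), the baseline would be updated only through the change-control process, and each finding would feed an alert so that the response happens within the time frame the organization has defined.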
The importance of collaboration in the development of the guide
The E-commerce Guidance Task Force, responsible for developing the guide, is composed of a wide range of experts from the payment security ecosystem, including:
- Representatives of payment brands.
- Members of the Technical Advisory Council and the Board of Directors.
- Specialized groups such as the Global Executive Assessor Roundtable (GEAR) and the Small Merchant Business Task Force.
This collaboration ensures that the guidance reflects best practices and the perspectives of multiple sectors, from small businesses to large corporations.
What can businesses do while waiting for the guide?
The PCI SSC recommends that merchants and service providers:
- Familiarize themselves with requirements 6.4.3 and 11.6.1: Although the specific guidance is not yet available, it is crucial to understand the fundamentals of these controls.
- Collaborate with reliable service providers: Identify partners that are ready to support the implementation of the requirements.
- Evaluate their e-commerce environments: Perform a risk analysis and review current policies to identify areas for improvement.
Conclusion
The move to PCI DSS v4.x represents a significant step in strengthening e-commerce security, especially in the face of a constantly evolving threat landscape. Organizations that adopt these measures will be better prepared to protect their customers' sensitive information and comply with global security standards.
With the release of this new guide in 2025, both merchants and service providers will have practical tools to implement the necessary controls, strengthening trust in the digital payments ecosystem.
For more information, you can visit the official source: PCI Security Standards Council.