The latest version of the PCI DSS (Payment Card Industry Data Security Standard) is version 4. We are currently in the transition period following the publication of the new standard, heading towards full implementation.
When will v4 become required?
V4 was published in March 2022 and becomes effective as of March 2025.
How does this affect site owners?
For ecommerce website owners, key changes include a number of updates relating to the handling of scripts loaded on the website.
The changes are seen largely as a response to the Magecart-style “formjacking” attacks made famous in recent years with a long string of high-profile and costly breaches that, in some cases, resulted in massive fines for site owners.
Using RapidSpike
To assist site owners we have added a new dashboard aimed at supporting PCI DSS 4.0 compliance. The dashboard can be found by visiting a website in your account; you’ll see PCI & GDPR AUDIT in the sidebar.
As long as you have sufficient monitoring set up for the site (we recommend at least a Google Lighthouse, User Journey or Page Load monitor), you will be able to view the dashboard.
The dashboard is split into two views:
- JavaScript Inventory
- Content Security Policies
Loading the JavaScript inventory will display all script files found on your website, their path and the last time they were seen. The more monitoring you have enabled, the more we will be able to identify.
Scripts are split into two sections: first-party scripts (files loaded from your own website) and third party vendor scripts – files which have been loaded by third parties, such as plugins, live chat, advertising and more.
It can often be surprising how many scripts are loaded by a single site – and in particular the files loaded by third parties – many of which will load multiple files. Sometimes third parties will even chain in additional third parties you were unaware of as they load assets onto your site.
How does tracking JavaScript support PCI DSS 4.0 compliance?
Section 6.4.3 of PCI DSS 4.0 details the requirement for management of all payment page scripts that are loaded and executed in the consumer’s browser.
The section stipulates that “An inventory of all scripts is maintained with written justification as to why each is necessary.”
From our dashboard you can generate a PDF or CSV report of the scripts loaded.
Monitoring Content Security Policies for PCI DSS 4.0
The second dashboard we have added includes a review of Content Security Policies on your site.
Section 6.4.3 of PCI DSS 4.0 also states “A method is implemented to confirm that each script is authorized.”
Many site owners rely on Content Security Policies (CSPs) to manage authorisation of scripts and other content from cross-site sources. To help support this effort, we are able to provide a summary of CSP advice and also report on any issues detected during monitoring. Again, the more monitoring you have in place the fuller the picture we can present.
Any CSP errors found on pages we monitor will be listed on the dashboard so you can review and understand why policies may need amending. As with the JavaScript inventory, you can generate a PDF or CSV report based on the dashboard.
We have created this dashboard to assist website owners with PCI DSS 4.0 compliance, if you would like any assistance with the dashboards, please contact your Account Manager or message us on Live Chat today.
