The publication of PCI DSS version 4.0 in March 2022 brought not only sharper terminology but also new substantive requirements that affect how ASV scans are performed. Until 01.04.2024, version 3.2.1 of the PCI DSS remains valid alongside version 4.0. During this transition period, organizations may choose to provide their compliance verification under either v3.2.1 or v4.0. The rules require companies to have their ASV scan performed according to the PCI DSS version under which they demonstrate their PCI compliance.
We have adapted our scanning environment on the usd PCI DSS platform so that you can already perform your ASV scans in line with a PCI compliance verification according to v4.0.
What are ASV Scans?
Requirement 11.3.2 of PCI DSS v4.0 requires organizations that meet certain criteria to have external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV) at least once every three months and after significant changes to their environment. Companies must have these scans performed if their card-data-processing IT systems are reachable from the public internet because they store, process or transmit credit card data, or otherwise have a direct impact on the security of payments.
Learn more about ASV Scans here.
New Scan Component: Payment Page Scripts
With PCI DSS v4.0, two new requirements have been introduced that relate to the security of 'payment page scripts' used for payments via payment pages.
What are Payment Page Scripts?
A payment page is a web form in which the cardholder enters the full card number (PAN) to make a payment. Payment page scripts are scripts embedded on such a payment page. They may come from the merchant itself, from the payment service provider or from third-party providers. Their functions vary widely: generating an iFrame, controlling a redirect as part of the payment, checking that card data has been entered correctly, or serving advertising, statistics or design purposes. Whatever their function, all these scripts can be loaded or executed on the page, which makes them a relevant factor in card payment security. Payment page scripts are particularly exposed to web skimming attacks.
PCI DSS Requirements for Payment Page Scripts
Requirement 6.4.3 of PCI DSS v4.0 stipulates that only strictly necessary scripts may be executed on the payment page. To ensure secure management, all scripts must also be inventoried, authorized and checked for integrity, and a justification must be provided for each script explaining why it is included on the payment page.
Requirement 11.6.1 requires that measures be in place to detect unauthorized changes to the content of payment pages or to their HTTP headers at an early stage, and that an alert be raised at the merchant or service provider when such changes are detected.
For the full requirements, please refer to the PCI SSC Document Library.
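The two requirements above amount to an inventory with justifications and integrity pins (6.4.3) and an alert on unauthorized change (11.6.1). The following Python check is an added example, not code from usd or the PCI SSC: it audits the script tags of a payment page against such an inventory using Subresource Integrity (SRI) hashes. The inventory, the page HTML, the hosts psp.example and stats.example and the inline validator are all constructed, and the checkout.js pin is a placeholder.

```python
import base64
import hashlib
import re

def sri_hash(source: str) -> str:
    """Subresource Integrity value (sha256-<base64>) for a script's text."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

# Constructed inline validator used as the authorized baseline (not code from
# any real merchant or PSP); the inventory pins its hash.
VALIDATOR_JS = "document.forms[0].onsubmit = function () { return luhnCheck(this.pan.value); };"
# Placeholder pin for the fictional PSP bundle; a real pin is the hash of the served file.
PSP_PIN = "sha256-PLACEHOLDER_PIN_OF_CHECKOUT_JS"

# Req 6.4.3 inventory: every authorized script, its justification and the
# integrity value it must carry. Keyed by SRI hash, so a changed script never matches.
INVENTORY = {
    PSP_PIN: {"src": "https://psp.example/checkout.js", "justification": "Loads the PSP payment iframe"},
    sri_hash(VALIDATOR_JS): {"src": None, "justification": "Checks the PAN format before submit"},
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def audit_payment_page(html: str) -> list[str]:
    """Compare the page's <script> tags with INVENTORY. Each returned string is
    an alert in the sense of Req 11.6.1; an empty list means no deviation."""
    alerts = []
    for attrs, body in SCRIPT_RE.findall(html):
        tag = dict(ATTR_RE.findall(attrs))
        src = tag.get("src")
        if src:                      # external script: must carry an SRI pin
            pin = tag.get("integrity")
            if not pin:
                alerts.append(f"{src}: external script without integrity attribute")
                continue
        else:                        # inline script: hash its actual content
            pin = sri_hash(body.strip())
        if INVENTORY.get(pin) is None:
            alerts.append(f"{src or 'inline script'}: not in authorized inventory")
    return alerts

# Constructed pages: the approved baseline, then the same page after an unauthorized change.
BASELINE_PAGE = f"""<form><input name="pan">
<script src="https://psp.example/checkout.js" integrity="{PSP_PIN}" crossorigin="anonymous"></script>
<script>{VALIDATOR_JS}</script></form>"""
CHANGED_PAGE = BASELINE_PAGE.replace("luhnCheck", "modifiedCheck").replace(
    "</form>", '<script src="https://stats.example/tag.js"></script></form>')
```

Running `audit_payment_page` on the baseline returns no alerts; on the changed page it flags the modified inline script and the unpinned third-party tag, which is the kind of deviation a 11.6.1 change-detection mechanism must report.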
ASV Scans According to PCI DSS v4.0 Are Now Available on the usd PCI DSS Platform
To continue supporting your PCI DSS compliance verification as usual, we have adapted our scan environment so that you can decide for each scan whether it should be performed according to PCI DSS version 3.2.1 or 4.0. If you already demonstrate your PCI DSS compliance under version 4.0 and therefore need an ASV scan for a compliance verification under v4.0, our PCI DSS platform will now ask you about the security of embedded payment page scripts. If you use such scripts, you will be required to integrate them securely in accordance with the PCI DSS requirements from April 1st, 2025 at the latest. Since the secure integration of payment page scripts is a recommendation rather than an obligation until then, we give you the option of declaring it as a best practice in the meantime, in line with the PCI DSS requirements.
More information on the transition phase and ASV scan planning for PCI DSS v4.0 can be found in the usd PCI DSS Platform Help Center.