How New PCI Standards Will Change Online Security for Retailers
Submitted by: BizCommunity Editor
As e-commerce has grown, so too has the number of bad actors looking to exploit security weaknesses to steal credit card data, also known as e-skimming.
Future-dated requirements that come into effect in March 2025 will help to protect consumers and retailers alike, but online merchants must implement a series of new security measures to ensure compliance.
Each year, thousands of card details are stolen in online card transactions - even on well-known and big-brand websites. Hackers are becoming increasingly sneaky, so even if a merchant’s card capture form is secure, they can exploit security weaknesses elsewhere on a website and intercept sensitive data before it even reaches the merchant’s secure payment form.
That’s why the new PCI DSS 4.0.1 safety standards require retailers to secure their entire website. Reputable payment platforms meet the highest standards of payment security, which reduces the scope of compliance efforts for retailers.
However, there are still a few steps merchants need to take to ensure that their site is fully compliant.
PCI what?
Payment Card Industry Data Security Standard (PCI DSS) refers to a set of standards that retailers must comply with - no matter their size. The standards are updated from time to time, and the latest version, PCI DSS 4.0.1, has some future-dated requirements that come into effect at the end of March 2025.
PCI DSS 4.0.1 enforces stricter security measures for the entire site to prevent attacks like e-skimming and to ensure secure payment processing. It is designed to enhance the security of cardholder data by adopting a comprehensive approach to security measures and access controls.
This means that merchants are responsible for securing every part of the payment flow, ensuring that both the payment form and the hosting web environment are protected.
PCI DSS 4.0.1 has stronger password and multi-factor authentication requirements. It also has improved security practices, with updates for e-commerce security and third-party risk management.
It is more flexible, with more customised approaches to compliance, and comes with improved guidance and examples.
What does this mean for retailers?
The new requirements oblige merchants to take a more active role in securing payment pages, and proactively monitoring for signs of compromise. In particular, there are two requirements which merchants need to act on before the end of March 2025.
Firstly, merchants have to keep track of all their (software) scripts, even those from third parties. All scripts have to be authorised and merchants need to ensure that they haven’t been tampered with. Testing for unauthorised scripts is mandatory.
This is essential because attackers can compromise third-party scripts to steal card data directly from customers’ browsers.
Secondly, merchants need to monitor payment pages for unexpected changes to things like code or even the way the page is displayed in the browser. Merchants need to set up alerts to notify them of suspicious activity to detect and respond to attacks more quickly.
This is important because attackers are able to modify web pages to redirect customers to fake sites, or to steal their data.
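The two requirements above (an authorised script inventory with integrity checks, and detection of unexpected changes to the payment page) can be checked with one periodic audit. The following is an added example, not code from the article or from any payment platform; the page HTML, script paths, host names and SRI values are constructed placeholders, and the allowlist of authorised scripts is assumed to be maintained by the merchant.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Collects external <script src> tags (with their SRI value) and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []   # (src, integrity or None) / inline bodies
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False

def audit_payment_page(html, authorised, baseline_inline):
    """authorised: {src: expected integrity value}; baseline_inline: sha256 hex digests of
    approved inline scripts. Returns findings; an empty list means no unexpected change."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src, integrity in inv.external:
        if src not in authorised:
            findings.append(f"unauthorised script: {src}")
        elif integrity != authorised[src]:
            findings.append(f"integrity mismatch for {src}: {integrity}")
    for body in inv.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline_inline:
            findings.append(f"unexpected inline script (sha256 {digest[:16]})")
    return findings

# Constructed sample inventory and pages (placeholder host and SRI value, not a real site);
# TAMPERED_PAGE is the clean page plus an unauthorised script and a changed inline block.
AUTHORISED = {"/static/checkout.js": "sha384-PLACEHOLDERcheckout"}
GOOD_INLINE = "window.checkoutConfig = {currency: 'ZAR'};"
BASELINE_INLINE = {hashlib.sha256(GOOD_INLINE.encode()).hexdigest()}
CLEAN_PAGE = ('<html><body><script src="/static/checkout.js" integrity="sha384-PLACEHOLDERcheckout">'
              f'</script><script>{GOOD_INLINE}</script></body></html>')
TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", '<script src="https://cdn.rogue.example/s.js"></script>'
                                   "<script>/* injected */</script></body>")
```

Run this against a freshly fetched copy of the payment page on a schedule and raise an alert whenever the findings list is non-empty; any change to the allowlist or baseline should go through the merchant's change-control process.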
PCI requirements become more rigorous depending on a merchant’s transaction volumes, with levels broken down as follows:
- Level 1: Over 6 million transactions per year
- Level 2: 1-6 million transactions per year
- Level 3: 20,000-1 million transactions per year
- Level 4: Fewer than 20,000 transactions per year
Next steps for retailers
Think of your website security the same way you would your home security. Each time you leave your house, you lock the doors and close the windows, and probably set an alarm system.
Ensuring your website is PCI DSS 4.0.1 compliant essentially locks the doors and windows on your website, and guards against e-skimming. It’s imperative that you comply to protect your customers and your business.
Some helpful next steps:
- Determine your compliance level: your PCI DSS scope (the extent to which you need to comply with the standard) is determined by how you handle cardholder data.
- Understand the requirements by reviewing PCI DSS v4.0.1 (available for download from the PCI Security Standards Council).
- Assess your current security level by identifying gaps and areas for improvement.
- Implement the necessary security controls based on your chosen integration method.
- Document your compliance efforts, which requires you to maintain records of policies, procedures, and assessments.
- Regularly monitor and maintain compliance.
For some retailers, this may all seem quite foreign. The first step is to speak to your webmaster about what needs to be done.