
Access the On-Demand Webinar here
Avoid a $100,000 monthly compliance disaster
March 31, 2025: The clock is ticking. What happens when one often-overlooked script leads to a non-compliance fine of $100,000 per month? PCI DSS V4 is coming, and you need to prepare your company to process payment card data.

Beyond the fines, non-compliance exposes businesses to web skimming, third-party script attacks, and new browser-based threats.
So, how do you prepare on time?
Reflectiz sat down with Abercrombie & Fitch (A&F) for a candid discussion about the toughest PCI DSS V4 challenges.
Kevin Heffernan, director of risk at A&F, shared actionable insights:
What worked (and saved $$$), and what they wish they had known earlier (which cost time and resources).
Check out the full PCI DSS V4 webinar now
(Free on-demand access – learn from A&F compliance experts)
What’s changing with PCI DSS v4.0.1?
PCI DSS V4 introduces stricter security standards, particularly for third-party scripting, browser security and continuous monitoring. Two of the biggest challenges for online merchants are requirements 6.4.3 and 11.6.1.
Requirement 6.4.3 – Payment Page Script Security
Most companies rely on third-party scripts for checkout, analytics, live chat and fraud detection. However, attackers abuse these scripts to inject malicious code into the payment page (Magecart-style attacks).
New PCI DSS V4 Mandate:
Script Inventory – You must record and justify all scripts loaded into the user’s browser.
Integrity Management – Companies need to verify the integrity of all payment page scripts.
Approval – Only approved scripts must run on the checkout page.
How A&F worked on it:
A script audit was conducted to identify unwanted or dangerous third-party dependencies. Content Security Policy (CSP) was used to restrict third-party scripts. Automated approvals were used to save time and money.

Requirement 11.6.1 – Changes and Tamper Detection
Even if today’s scripts are safe, attackers can inject malicious changes later.
New PCI DSS V4 Mandate:
Mechanism – Deploy a change- and tamper-detection mechanism for the scripts of payment pages.
Unauthorized Changes – HTTP header monitoring detects unauthorized changes.
Integrity – Weekly integrity checks (or more frequently, based on risk level and indicators of compromise).
How A&F worked on it:
Continuous monitoring was deployed to detect unauthorized changes. Security information and event management (SIEM) was used for centralized monitoring. Automatic alerts and batch approvals were created for script, structure and header changes on the checkout page.

Try Reflectiz PCI Dashboard – 30 Day Free Trial
Recent Updates: Clarification of SAQ A Waiver
A recent clarification from the PCI Council states the following regarding SAQ A (self-assessment questionnaire) merchants:
Eligibility requirements – Merchants must confirm that their e-commerce system is not susceptible to script attacks.
Compliance options – Implement protection techniques (such as PCI DSS requirements 6.4.3 and 11.6.1) directly or through a third party, or obtain confirmation from a PCI DSS-compliant service provider.
Exemption – Merchants who redirect customers to a payment processor or fully outsource payment functions are not subject to this requirement.
Recommendations – Merchants should consult their service provider about secure implementations and verify with their acquirer that SAQ A is suitable for their environment.
Please note that even if you are eligible for SAQ A, you will still need to protect your entire website. Many businesses still need real-time monitoring and alerting, so a full compliance solution is relevant regardless.
Top 3 PCI DSS V4 Pitfalls (and how to avoid them)
With multiple payment pages to protect around the world, Abercrombie & Fitch’s compliance journey was complicated. Risk Director Kevin Heffernan highlights three major mistakes online merchants often make:
Mistake #1: Relying only on CSP
Content Security Policy (CSP) helps to prevent script-based attacks, but does not cover dynamic changes to scripts and external resources. PCI DSS requires additional integrity verification.
Mistake #2: Ignoring third-party vendors
Most retailers rely on external payment gateways, chat widgets, and tracking scripts. If these vendors do not comply, you are still responsible. Periodically audit third-party integrations.
Mistake #3: Treating compliance as a one-time fix
PCI DSS V4 requires continuous monitoring. This means you can’t audit your scripts once and forget them. Continuous monitoring solutions are essential to compliance.
Try the Reflectiz PCI Dashboard in a 30-day free trial.
Final takeaways from A&F’s PCI compliance journey
Risk assessment first – before jumping into compliance changes, identify and map vulnerabilities, supply chain risks, and component misconfigurations.
Secure payment page scripts – configure strict HTTP security headers such as CSP.
Monitor third-party scripts and integrations before attackers exploit them – use continuous monitoring, SIEM, and tamper detection alerts.
Compliance responsibility doesn’t stop at the firewall.
The March 31, 2025 deadline is closer than you think
If you wait too long to start, you create a security gap and take on risk. The A&F experience shows why early preparation is important.
Avoid costly PCI fines – check out the PCI DSS V4 webinar. Learn how a major global retailer approached compliance and what you can do today to avoid fines and security risks.
Try the Reflectiz PCI Dashboard in a 30-day free trial.