Source: PCI Security Standards Council, “Guidance for PCI DSS Requirements 6.4.3 and 11.6.1,” Version 1.0, March 2025. Purpose: To provide supplemental information and guidance to merchants and third-party service providers (TPSPs) on meeting PCI DSS Requirements 6.4.3 and 11.6.1, which address the growing threat of e-skimming attacks on e-commerce payment pages. This document does not…
In a significant move aimed at simplifying compliance requirements and streamlining merchant classifications, Visa has recently announced the consolidation of its Merchant Levels 3 and 4 into a single category, now referred to as Level 3. This change is part of Visa’s ongoing efforts to adapt to the evolving payment landscape and make compliance more…
Two encryption methods stand out when securing payment card data: Point-to-Point Encryption (P2PE) and End-to-End Encryption (E2EE). Both methods aim to protect sensitive information, yet they vary significantly in their implementation, validation processes, and ability to limit exposure. It is essential for businesses to grasp these distinctions in order to improve security and uphold PCI…
Artificial Intelligence (AI) has become a double-edged sword in the realm of credit card networks. On one hand, it empowers financial institutions to detect and prevent fraud with unprecedented speed and accuracy. On the other hand, cybercriminals are leveraging AI to develop sophisticated techniques to exploit vulnerabilities in payment systems. This duality has created a…
JavaScript skimming attacks like Magecart continue to plague e-commerce businesses, targeting payment pages to steal sensitive customer data. To address this growing threat, PCI DSS v4.0 introduced Requirement 6.4.3, which focuses on managing and securing payment page scripts executed in the consumer’s browser. This requirement is also reflected in the updated SAQ A and A-EP, emphasizing…
As the March 31, 2025, deadline for PCI DSS 4.0.1 compliance approaches, businesses handling payment card data must align their security practices with the new requirements. This is part 3 of the Understanding the New PCI DSS v4.x Compliance Requirements series, if you missed the post about requirement 3 you can read it here. Requirement…
With the new deadlines approaching quickly, I wanted to do a deep dive into each of the changes that have already gone into effect and those that will go into effect on March 31, 2025. Over the next few weeks, I will break down each requirement into its own article. The Payment Card Industry Data…
Navigating the complexities of PCI (Payment Card Industry) compliance can be daunting, especially when it comes to determining the right scope for your PCI assignment. Whether you’re a seasoned professional or just starting out, understanding the scope of your PCI assignment is critical to protecting cardholder data and achieving compliance. Did you know that improper…
The landscape of credit card fraud is constantly evolving, with criminals devising increasingly sophisticated methods to steal customer financial information. For merchants, these evolving threats pose a significant challenge, demanding a proactive approach to data security. Two particularly concerning methods are credit card skimming and shimmering, both capable of compromising sensitive information and eroding customer…
A vulnerability has been reported in the e-commerce software called osCommerce. osCommerce is an open source e-commerce solution for running an online store front with minimal effort and cost. The attack takes advantage of multiple vulnerabilities and insecure configuration settings with osCommerce installations. As a result, an attacker is able to take complete control and/or plant…
