The Schellman Blog

The Payment Card Industry Security Standards Council has released a major revision of the PCI Secure Software Standard (PCI SSS), moving from v1.2.1 to v2.0. This isn't an incremental update but rather a fundamental restructuring that reflects how software security has evolved in today's interconnected digital landscape.

Managing scripts on payment pages has become a key focus area under PCI DSS, particularly as third-party and dynamically loaded scripts introduce new risk. As attacks targeting client-side scripts continue to increase and PCI DSS v4.x places greater emphasis on ongoing monitoring, organizations are expected to demonstrate not only visibility into payment page scripts, but also effective controls to detect unauthorized changes.

As organizations continue to transition to PCI DSS v.4.x, they encounter updated requirements for authentication, especially considering the emerging phishing-resistant technologies like passkeys. To help clarify these changes, the PCI Security Standards Council has released two key FAQs: FAQ 1595 and FAQ 1596, offering valuable insights into the use of passkeys, FIDO2-based authentication, and their alignment with multi-factor authentication (MFA) and phishing-resistant protocols.

Imagine your computer account is like your house in that you need specific keys to get inside where all your valuables are kept. For years, people relied on simple door locks only requiring one key - like a password, as their main form of security. But clever thieves, known as "phishers," have become really skilled at tricking people into handing over copies of their keys (stealing passwords, codes, and authentication tokens). This growing threat has prompted the need for newer and stronger methods of authentication in payment security, such as phishing-resistant authentication.

Transport Layer Security (TLS) is a cryptographic protocol that encrypts data, authenticates connections, and protects the data in transmission. As time passes, new versions of TLS are released to strengthen defenses and maintain an advantage of the constantly evolving threat landscape. Understanding these updates is essential for anyone managing secure systems or handling sensitive data online.

In our digital economy, online shopping has become second nature for consumers worldwide. Yet behind the seamless checkout experiences that we've come to expect lies a complex security challenge that merchants must navigate. With the rise of e-commerce payment processing comes the rise in threats from e-skimming attacks.

Given today’s continually evolving threat landscape, strengthening access controls is an essential element and growing priority of any robust security program. As such, it’s no surprise multi-factor authentication (MFA) has become a widely adopted compliance requirement by a significant number of security standards across industries. That said, it can be difficult to understand the intricacies of the MFA regulations for each compliance framework.

The PCI Security Standards Council (PCI SSC) has announced significant updates impacting e-commerce merchants currently collecting payments via an iFrame or redirect. The new guidance brings notable changes to the PCI DSS compliance process for merchants who are eligible to complete the Self-Assessment Questionnaire (SAQ) A.