
Everything You Need to Know About PCI DSS 4.0 (with a 2025 Compliance Checklist)

The post Everything You Need to Know About PCI DSS 4.0 (with a 2025 Compliance Checklist) appeared first on Blog – Datadome.

PCI DSS 4.0 has been the only valid version of the standard since March 31, 2024, when version 3.2.1 was retired; its future-dated requirements, including the new client-side controls, become mandatory on March 31, 2025. While previous versions of PCI DSS focused primarily on server-side security, version 4.0 introduces client-side security requirements that every organization whose payment pages execute scripts in the customer’s browser must meet.

DataDome’s Global Bot Security Report showed that 65% of websites remain vulnerable to basic bot attacks, and even more are exposed to the sophisticated attacks that target client-side vulnerabilities. The latter have become increasingly common, with major companies like OpenAI, Bank of America, and Air Europa(1) falling victim to client-side attacks that compromised customer payment data.

This comprehensive guide breaks down everything you need to know about PCI DSS 4.0 compliance, with special attention to the new client-side security requirements 6.4.3 and 11.6.1. Whether you’re just starting your compliance journey or looking to validate your existing security measures, this checklist will help you navigate the path to compliance.

PCI DSS compliance checklist

  • Network security
    • Install and maintain network firewalls
    • Implement network segmentation
    • Monitor all network access points
    • Change vendor-supplied defaults
  • Data protection
    • Encrypt cardholder data during transmission
    • Protect stored cardholder data
    • Implement secure key management
    • Document data retention policies
  • Access control
    • Implement role-based access control
    • Establish unique IDs for all users
    • Restrict physical access to data
    • Enable multi-factor authentication
  • Monitoring requirements
    • Track and monitor all network access
    • Maintain access logs for at least 12 months
    • Implement automated monitoring tools
    • Enable real-time alert systems
  • Testing requirements
    • Conduct regular vulnerability scans
    • Perform penetration testing
    • Test security systems and processes
    • Validate all security controls
  • Policy requirements
    • Maintain information security policy
    • Document incident response procedures
    • Establish change management processes
    • Define clear security responsibilities
  • New client-side protection requirements
    • Implement script inventory system (6.4.3)
    • Monitor for unauthorized modifications (11.6.1)
    • Control third-party script access
    • Enable real-time script monitoring

Why is PCI compliance important?

PCI DSS compliance is essential for protecting your business and its customers. Non-compliance can result in severe financial penalties, with fines ranging from $5,000 to $100,000 a month until your business is PCI compliant. Beyond the immediate financial impact, the consequences of non-compliance can be devastating.

A security breach due to insufficient payment card protection can lead to substantial financial losses through fraud, operational disruption, and mandatory forensic investigations. More significantly, organizations face reputational damage that can last for years. For many organizations, particularly those in e-commerce where all revenue comes from online transactions, such damage to customer trust can be catastrophic.

Additionally, in the event of a data breach, non-compliant organizations may lose their ability to process credit card payments entirely, and regaining that ability typically requires a full PCI reassessment by an external Qualified Security Assessor (QSA). With the March 2025 deadline approaching, ensuring compliance is an absolute necessity.

Understanding PCI DSS 4.0

The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard designed to protect payment card data and reduce credit card fraud. Created by major credit card brands including Visa, Mastercard, American Express, and Discover, PCI DSS sets the baseline for securing payment card data across all organizations that handle, process, or store card transactions and card data.

Released in March 2022, PCI DSS 4.0 represents the most significant update to the standard in over a decade. While maintaining the core 12 requirements, version 4.0 introduces critical new controls, particularly around client-side security. This update responds to evolving threats in the payment security landscape, especially the rise of client-side attacks that traditional cybersecurity measures often miss.

Key changes in 4.0

The most significant changes in PCI DSS 4.0 focus on client-side security, specifically:

  • Requirement 6.4.3: Script inventory and control
    • A method to confirm that each script loaded and executed on a payment page is authorized
    • A method to assure the integrity of each script (for example, a known-good hash checked against what the browser receives)
    • An inventory of all payment page scripts, with a written business or technical justification for each
  • Requirement 11.6.1: Change and tamper detection
    • Detection of unauthorized modifications (changes, additions, deletions, and indicators of compromise) to the HTTP headers and script contents of payment pages as received by the consumer’s browser
    • Alerting of personnel when such a modification is detected
    • Evaluation at least once every seven days, or at a frequency defined by a targeted risk analysis

Why these changes matter

DataDome’s research has shown that client-side attacks have become increasingly sophisticated. These attacks, such as Magecart attacks, specifically target scripts running in users’ browsers. Traditional server-side security measures can’t detect them because they occur entirely on the client side, making the new PCI DSS 4.0 requirements crucial for modern payment security.

Businesses now face increased monitoring requirements for client-side scripts. They must also establish real-time detection and response capabilities, something that many currently lack. Additionally, there’s a substantial increase in documentation and compliance responsibilities, as businesses must now maintain detailed inventories and justifications for all client-side scripts.

This comprehensive approach to security, while more demanding, reflects the reality of today’s threat landscape where client-side attacks have become sophisticated and dangerous.

A detailed breakdown of all requirements in the checklist

This section provides a comprehensive breakdown of PCI DSS requirements, with special emphasis on implementing the new 4.0 controls. Each requirement includes specific implementation guidance and compliance considerations.

Network security

Installing and maintaining secure network firewalls serves as your first line of defense against malicious software and unauthorized access. Businesses must implement properly configured firewalls at all network boundaries, particularly those connected to the cardholder data environment (CDE). These firewalls need regular maintenance and security patches, with configuration reviews conducted at least every six months.

Security settings require particular attention as well, especially those of vendor-supplied software. As a general rule, all vendor-supplied defaults must be changed before a system component is deployed on the network, and default passwords above all. This covers not only accounts used for system access but also default settings and configurations in network devices, security appliances, and applications (default SNMP community strings, default admin accounts, unnecessary services and sample content). Businesses should maintain detailed documentation of all configuration changes and conduct regular audits to ensure settings remain secure.

Data protection

The protection of cardholder data involves multiple layers of cybersecurity controls. Encryption stands as a critical component: use strong cryptography and security protocols (TLS 1.2 or later, with TLS 1.3 preferred) for the transmission of cardholder data over open, public networks. This makes it significantly harder for attackers to intercept and misuse data. For stored data, organizations must render the primary account number unreadable (strong encryption, truncation, tokenization or hashing) and maintain secure key management processes. This includes regular key rotation, secure key storage, separation of key-encrypting keys from data-encrypting keys, and documented key management procedures.

Data storage policies equally require careful consideration. Businesses should store cardholder data only when absolutely necessary for a specific business need. Sensitive authentication data, such as full track data, card verification codes (CVV2/CVC2) and PINs, must never be stored after authorization. Clear data retention policies should specify how long data is kept and secure methods for its deletion when no longer needed.

Access control

Implementing strong access control measures starts with the principle of least privilege. Each individual should only have access to the minimum cardholder data and systems needed to perform their job, on a need-to-know basis. Businesses must define strict access rules and use role-based access control systems that clearly define and enforce them. PCI DSS 4.0 requires that all user accounts and their privileges be reviewed at least once every six months to ensure they remain appropriate and necessary.

Authentication forms a crucial part of access control. Under PCI DSS 4.0, multi-factor authentication is required for all remote network access originating outside the entity’s network, for all non-console administrative access, and, from March 2025, for all access into the CDE, even from within trusted networks. Each user must have a unique user ID for system access, and password policies must enforce minimum length and complexity (4.0 raises the minimum to 12 characters where the system supports it), periodic changes, and a ban on reusing recent passwords.

Monitoring requirements

System monitoring serves as your ongoing visibility into security operations. Businesses must track and monitor all access to network resources and cardholder data, maintaining comprehensive audit trails that capture user identification, type of event, date and time, success or failure indication, origination of event, and identity of affected data or system component.

Log management requires careful attention to detail. All system components must maintain audit logs for at least 12 months, with at least three months immediately available for analysis. These logs must be secured against tampering and regularly reviewed to identify cybersecurity incidents, malware, data breaches, anomalies, or other suspicious activities.

Testing requirements

Security testing must be systematic and regular to ensure controls remain effective. Vulnerability scanning should occur at least quarterly and after any significant network changes. External scans must be performed by an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council(2), while internal scans are run by the organization itself and, under 4.0, must be authenticated. These scans must cover all externally accessible (public-facing) and critical internal IP addresses, with results documented and vulnerabilities addressed based on risk level.

Penetration testing requirements have expanded under PCI DSS 4.0. Businesses must conduct both external and internal penetration tests at least annually and after any significant infrastructure or application changes. These tests should follow an industry-accepted penetration testing methodology and include network-layer and application-layer testing of the cardholder data environment.

Policy requirements

Security policies provide the foundation for all security efforts. Organizations must maintain a comprehensive information security policy that addresses all PCI requirements and includes clear procedures for incident response, business continuity, and disaster recovery. These policies need annual reviews and updates to reflect changes in business operations and security requirements.

Change management policies deserve special attention. All system changes must follow documented change control procedures that include impact assessments, testing requirements, and approval processes. These procedures should ensure that security is considered throughout the change management process and that changes don’t compromise existing security controls.

New client-side protection requirements

The new client-side protection requirements in PCI DSS 4.0 represent a significant evolution in payment security. Requirement 6.4.3 mandates comprehensive script inventory and management. Organizations must maintain detailed documentation of all scripts loaded and executed on payment pages, including their purpose, the scope of their access, and a business or technical justification. Each script must be authorized before use and needs ongoing integrity verification to ensure it hasn’t been tampered with or modified without authorization.

Requirement 11.6.1 focuses on detecting unauthorized modifications to payment pages. This involves deploying a change- and tamper-detection mechanism that compares the HTTP headers and script contents of the payment page, as actually received by the consumer’s browser, against a known-good state, and alerts personnel to changes, additions, deletions or indicators of compromise. The check must run at least once every seven days, or at a frequency justified by a targeted risk analysis.

PCI DSS 4.0 implementation strategy

The path to PCI DSS 4.0 compliance requires a structured approach that combines proper planning, the right tools, and ongoing maintenance. Here’s how to effectively implement a compliance program or improve compliance levels.

Start with an assessment

Begin by conducting a thorough gap assessment between your current security controls and the PCI DSS 4.0 requirements. Pay particular attention to the new client-side security requirements (6.4.3 and 11.6.1), as these represent the most significant changes. Document all findings and create a prioritized list of needed improvements based on risk level and implementation complexity.

Implement continuous monitoring

Rather than treating compliance as an annual checkpoint, establish continuous monitoring practices. This is particularly crucial for client-side security, where threats can emerge and evolve rapidly. Automated monitoring solutions like DataDome’s Page Protect can provide real-time visibility into script behavior and changes, enabling a quick response to potential threats.

Automate where possible

Manual processes are error-prone and resource-intensive. Security automation should encompass script inventory and monitoring, change detection and alerts, access control management, log collection and analysis, and compliance documentation. This automation not only improves security but also simplifies audit preparation and reduces operational overhead.

Focus on documentation

Documentation serves as the backbone of your compliance program. Maintain clear, current documentation of all security controls and processes, including detailed system inventories, network diagrams, and data flow mappings. Security policies and procedures should be readily available and regularly updated, with incident response plans and change management records properly maintained and accessible to relevant team members.

Train your employees

A comprehensive security awareness program is an important element of effective compliance. Regular employee training sessions should cover current security threats and protocols, while ensuring all team members understand their specific security responsibilities. By making compliance part of your organization’s culture rather than treating it as just another checkbox, you create a more resilient security posture.

Test and validate

Implement a comprehensive testing schedule that incorporates quarterly vulnerability scans and annual penetration testing. Regular control validation should be ongoing, with incident response drills conducted periodically to ensure preparedness. Configuration reviews need to become part of your routine maintenance procedures, helping to identify and address potential security gaps before they can be exploited.

Maintain strong partner relationships

Partner relationships require active management and clear communication channels. Work closely with your technology partners and service providers to ensure all components of your payment system remain secure and compliant. Establish clear service level agreements and documented security responsibilities, while maintaining regular communication channels for incident response coordination.

How DataDome Page Protect streamlines 4.0 compliance

DataDome’s Page Protect is a turnkey solution specifically designed to address the compliance challenges of PCI DSS 4.0. It helps businesses meet their compliance requirements while protecting sensitive data. Here’s how:

Automated script management: Page Protect automates maintaining an inventory of client-side scripts, which is one of the most challenging aspects of PCI DSS 4.0 compliance. The solution continuously monitors your payment pages, automatically discovering and documenting all scripts operating in your environment. This automated approach eliminates the manual effort typically required for script inventory management while ensuring no scripts go undetected.

Real-time monitoring and protection: Beyond simple inventory management, Page Protect provides continuous monitoring of all client-side activities. The solution detects unauthorized script modifications in real time, allowing security teams to respond quickly to potential threats. This capability directly addresses requirement 11.6.1, which mandates a change- and tamper-detection mechanism that alerts personnel to unauthorized modifications of payment page headers and scripts.

Compliance documentation and reporting: Page Protect maintains comprehensive documentation of all script activities, changes, and security events. Through an intuitive dashboard, security teams can access detailed reports showing script inventory, change history, and security incidents. This documentation proves invaluable during compliance audits, providing clear evidence of your organization’s adherence to PCI DSS requirements.

Simplified implementation: Unlike security solutions that require complex integration processes, Page Protect offers streamlined implementation. The solution integrates seamlessly with existing security infrastructure and requires minimal configuration to begin protecting your payment pages. This approach helps organizations meet the March 2025 compliance deadline without extensive technical overhead.

Broader security benefits: As part of the broader DataDome platform, Page Protect works alongside other security capabilities to provide comprehensive protection against both client-side and server-side threats. This integrated approach ensures consistent security coverage while simplifying management and reducing operational overhead.

Preparing for March 2025 and beyond

The complexity of the new PCI DSS 4.0 requirements demands your immediate attention. Organizations must move beyond viewing compliance as a yearly checkbox exercise and embrace it as an ongoing security journey.

Success in achieving and maintaining PCI DSS 4.0 compliance requires implementing proper security controls, maintaining comprehensive documentation, and establishing continuous monitoring practices. With client-side attacks becoming increasingly sophisticated, you need a solution that can keep pace with evolving threats while staying compliant.

Ready to streamline your path to PCI DSS 4.0 compliance? Learn how DataDome Page Protect can help you meet the new requirements while protecting your customers’ payment data. Visit datadome.co/page-protect or book a live product demo today.


References


  1. https://tech.co/news/data-breaches-updated-list
  2. https://listings.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/pci-compliance-checklist/