On March 31, 2025, PCI DSS 4.0 goes into full effect: the requirements that were future-dated in the 4.0 release become mandatory. If you use Spreedly's payment forms (either iFrame or Express), this article addresses two of those requirements specifically, 6.4.3 and 11.6.1, which cover inventorying payment page scripts and detecting unauthorized changes to them. Their aim is to safeguard the integrity of every script running on a payment page, including the ones Spreedly's services load.
What this means for you:
PCI DSS 4.0 introduces stricter standards for managing and monitoring payment pages, especially for third-party scripts and custom elements within payment forms. For most merchants, this will involve:
- Reviewing the content security policy (CSP) of your payment pages so that scripts can only be loaded from origins you have approved
- Keeping an inventory of every script on payment pages, with a written justification for each (requirement 6.4.3)
- Ensuring there is a mechanism that verifies the integrity of each script and alerts on unauthorized changes (requirement 11.6.1), such as subresource integrity (SRI) hashes on the script tags, or one of the client-side monitoring services available in the market
Spreedly has published guides to PCI DSS 4.0 that describe the mechanisms available for achieving and maintaining compliance with these updated requirements. Please review our documentation on securing iFrame or securing Express.
Next steps:
We encourage you to consult your Qualified Security Assessor (QSA) to review these requirements and discuss the best options for your payment pages. Spreedly will support you through the deadline with best practices and the resources above as you prepare for the upcoming changes.
Feel free to reach out to us at support@spreedly.com if you have any questions.