Jscrambler
Preparing Qualified Security Assessors for PCI DSS V4.0
Pages: 2
Time to read: 3 mins
Language: English
This guide outlines the new requirements of PCI DSS v4.0, which become mandatory on April 1, 2025. It emphasizes the importance of preparing security assessors to understand the implications of these requirements for companies. The document details specific requirements, such as 6.4.3 and 11.6.1, which aim to detect and prevent e-commerce skimming attacks, a significant threat to cardholder data. The guide presents various methods to comply with these requirements, including traditional methods like Content Security Policy (CSP) and Subresource Integrity (SRI), as well as comprehensive solutions like Jscrambler's Webpage Integrity. Additionally, it addresses the applicability of these requirements to SAQ A merchants, highlighting the need for visibility and control over third-party JavaScript. The guide stresses the operationalization of solutions to ensure they fit within existing workflows and provide necessary evidence for assessors, ultimately enhancing security measures against potential threats.