Get quick and important advice for tackling PCI audits in 2025.
There are several key changes that those conducting PCI audits in 2025 will experience. The first is PCI DSS 4.0.1. While 4.0.1 includes only minor changes, it added guidance to further clarify requirement 11.6.1: the list of example solution techniques is not a set of independent, stand-alone solutions, and a full solution could include, but is not limited to, a combination of the listed techniques. Remember, until PCI DSS 3.2.1 retires on March 31, 2025, your process won’t change significantly, but it’s better to be prepared for 4.0 ahead of time.
Another change businesses experienced this past year during their PCI DSS 4 audits is that the bar has been raised somewhat on overall documentation. This version of PCI DSS requires new, specific documentation, which can be challenging to keep current on an ongoing basis.
Some quick advice for tackling PCI audits in 2025 includes:
Some of the new requirements have proven more of a struggle than others. QSAs have noted that these include:
However, some successes surrounding audits in 2025 have been noted by QSAs as well, including:
While many of the new requirements can seem daunting, they are not necessarily “brand new” but rather enhancements of previous requirements.
SAQ A merchants now need to conduct vulnerability scans, which was not the case with prior versions of PCI DSS and may represent a new compliance process that these small merchants are not used to. The scans themselves should not be a large service cost, but setting them up, monitoring the results, and acting on them is a new challenge for the SAQ A community.
Merchants using iFrames to help control PCI DSS scope on their ecommerce pages must now address security on their own website even though they contract with a third party for the payment page shown in the iFrame. These “referring payment pages” (e.g., a merchant has a small website fully under their control and displays a third-party payment page in an iFrame) are the pages most at risk of e-commerce skimming, and merchants often believe these pages are safe because they have contracted with a third party to collect payment data. Referring payment pages have to comply with the new PCI DSS requirements 6.4.3 and 11.6.1.
Requirement 6.4.3 focuses on merchants and service providers being aware of all scripts on their websites, especially payment pages and referring payment pages, where additional third-party scripts can be pulled in, without the merchant’s knowledge, by other third-party scripts already included on the page. The goal of 6.4.3 is to reduce unnecessary scripts, as each one is a potential security risk.
Requirement 11.6.1 builds on this by ensuring that companies know when the HTTP headers or script contents of those pages change, and when new or unauthorized scripts have been added.
Gary Glover (VP of Assessments) and Brian Cole (Enterprise Sales Manager) speculate that there will be several future requirements to meet PCI compliance, including:
This is not an exhaustive list, but it includes the most significant changes that are often being put off until 2025.
Payment page script monitoring for requirements 6.4.3 and 11.6.1 is anticipated to be the most difficult change to address for PCI audits in 2025. It’s important for everyone to understand that script monitoring is a problem for merchants, not service providers. Merchants need to take responsibility for their own script analysis and choose solutions that monitor the entire transaction process, meaning that from the very first to the last stage of purchase, you are monitoring for malicious scripts that may have been added.
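As an added, illustrative example (not SecurityMetrics’ tooling or code from this article), here is a minimal Python script-inventory and change-detection check of the kind the 6.4.3 and 11.6.1 discussion above and the monitoring point just made call for: it builds an approved baseline of a referring payment page’s scripts and response headers, then reports anything added, removed or altered. The page HTML, the script contents, the watched header list and the `fetch` stand-in are all constructed sample data.

```python
import hashlib
from html.parser import HTMLParser

WATCHED_HEADERS = ("content-security-policy",)  # assumed: the response headers worth tracking

class ScriptCollector(HTMLParser):
    """Collect every <script> element: external ones by src, inline ones by body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None

def snapshot(html, headers, fetch):
    """6.4.3-style inventory: SHA-256 per script (external bodies obtained via `fetch`) plus each
    watched header. Inline scripts are keyed by position, so an insertion before them also registers as a change."""
    p = ScriptCollector()
    p.feed(html)
    snap = {}
    for n, (src, body) in enumerate(p.scripts):
        snap[f"script:{src}" if src else f"inline:{n}"] = hashlib.sha256((fetch(src) if src else body).encode()).hexdigest()
    for name, value in headers.items():
        if name.lower() in WATCHED_HEADERS:
            snap[f"header:{name.lower()}"] = value
    return snap

def detect_changes(baseline, current):
    """11.6.1-style tamper check: what was added, removed or altered since the approved baseline."""
    return {"added": sorted(k for k in current if k not in baseline),
            "removed": sorted(k for k in baseline if k not in current),
            "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k])}

# Constructed sample: an approved referring page, then the same page after an inline edit, an unapproved script tag and a loosened CSP.
BASELINE_HTML = ('<html><head><script src="https://cdn.example/checkout.js"></script></head>'
                 '<body><script>init()</script><iframe src="https://psp.example/pay"></iframe></body></html>')
CURRENT_HTML = BASELINE_HTML.replace("init()", "init();") + '<script src="https://unknown.example/tag.js"></script>'
FETCHED = {"https://cdn.example/checkout.js": "/* constructed contents of checkout.js */"}  # stand-in for an HTTP fetch
fetch = lambda src: FETCHED.get(src, "")

def run_check():
    base = snapshot(BASELINE_HTML, {"Content-Security-Policy": "script-src 'self' https://cdn.example"}, fetch)
    cur = snapshot(CURRENT_HTML, {"Content-Security-Policy": "script-src *"}, fetch)
    return detect_changes(base, cur)
```

A real deployment would fetch the live page and its external scripts on a schedule and treat any non-empty diff as an alert to investigate; this snippet shows only the inventory and comparison logic.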
So, merchants becoming responsible for their own cybersecurity can be a major hurdle that must be addressed in 2025.
Luckily, SecurityMetrics offers two tools that help merchants comply with this: Shopping Cart Monitor and Shopping Cart Inspect. These tools are for merchants of all sizes and are designed to regularly monitor and scan your ecommerce website, looking for unauthorized scripts and malicious activity. Shopping Cart Monitor and Inspect can work with almost any size budget, so if you’re interested in learning more about these tools, please speak with a SecurityMetrics expert.
One vital thing you can do to prepare for your PCI audit in 2025 is to ensure that you have both the budget and the buy-in necessary to succeed. In fact, Brian Cole says that currently, “We’re fielding lots of calls and answering questions so people can plan to fit these requirements into their 2025 budgets.”
Remember, here are the biggest items you can anticipate to address in 2025:
Another important thing you can do for your 2025 PCI audit is choose a reputable PCI audit partner. If you’re partnering with SecurityMetrics for your 2025 audit, rest assured that most SecurityMetrics QSAs have been with the company for at least ten years, meaning “you can expect a very similar experience with SecurityMetrics year after year, from QSA to QSA.” SecurityMetrics also “prides itself on your ability to easily get someone on the phone” (Brian Cole).
So, if you’re unsure about who to partner with, consider speaking with an expert who can help you understand your PCI compliance requirements and the best way to move forward. Luckily, the PCI assessment process “hasn’t changed a whole lot in the last twenty years... As far as the customer is concerned, there is no change in the way we work” (Gary Glover).
To get a better understanding of how PCI audits work with SecurityMetrics, read about Anedot’s journey to PCI compliance.