On March 31, 2025, requirements for merchants to manage the risks associated with the scripts and iframe elements loaded into their payment pages will go into effect. These requirements are for Web integrations.
If you are eligible for Self-Assessment Questionnaire A (SAQ A), you are exempt from these requirements.
These requirements are applicable if any of the following apply to you:
- You complete the Self-Assessment Questionnaire D (SAQ D).
- You complete an Attestation of Compliance (AoC) for Onsite Assessment.
- You are an Adyen for Platforms partner.
- You are a partner that implements Adyen plugins.
PCI DSS v4.0.1 script security requirements
You must ensure that you comply with the following requirements.
PCI DSS 6.4.3
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written justification as to why each is necessary.
PCI DSS 11.6.1
A change- and tamper-detection mechanism is deployed as follows:
- It alerts personnel about unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages, as received by the consumer browser's Document Object Model (DOM) throughout the payment process.
- It evaluates the received HTTP headers and payment pages.
- Any unauthorized changes must be investigated and resolved promptly.
Exemption for 3D Secure authentication scripts
In a typical 3D Secure implementation, the 3D Secure server fetches and stores URLs for scripts from an EMV 3DS Access Control Server (ACS), EMV 3DS Directory Server (DS), or services connected to the ACS or DS, on behalf of an issuer or payment network. During checkout, your website shows a web page with an iframe using a URL provided by the EMV 3DS server with an applicable script to support 3D Secure functionality.
The 3D Secure script validation process is exempted from the scope of PCI DSS Requirement 6.4.3, because the trust relationship with the 3D Secure service provider is established through due diligence, onboarding, and business agreements of the entities involved.
The PCI Security Standards Council (PCI SSC), alongside their Participating Organizations group that includes Adyen, provides additional guidance on the technical implementations that can help you achieve compliance with the requirements.
Resources from the PCI Council
The PCI Council provides additional information about these changes in the following resources:
- Important Updates Announced for Merchants Validating to Self-Assessment Questionnaire A.
- How does PCI DSS Requirement 6.4.3 apply to 3DS scripts called from a merchant check-out page as part of 3DS processing?