On March 31, 2025, the future-dated requirements of Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 become mandatory. Version 4.0.1 replaced v3.2.1 (retired on March 31, 2024) and introduces new security requirements for merchants, including controls on the scripts that run on payment pages.
What’s the update?
Among the newly mandatory items is Requirement 6.4.3, which obliges merchants to keep an inventory of the scripts loaded and executed on their payment pages, to authorize each one, and to have a method of assuring each script's integrity. Subresource integrity (SRI) is one of the mechanisms the standard's guidance names (alongside Content Security Policy) for confirming that only authorized, unmodified external resources are loaded.
SRI is a browser security feature that lets web developers verify the integrity of external resources such as JavaScript or CSS files. By specifying a cryptographic hash in the HTML or
Why these changes matter
PCI DSS 4.0.1 introduces a range of updates to strengthen data security and points to SRI as a way to protect against manipulation of external resources. Three reasons stand out for implementing it:
- Enhanced security for web applications
- Protection against supply chain attacks
- Compliance and best practices
By implementing SRI, you help prevent attackers from injecting malicious code into your web pages through a modified external file, reducing the risk of a cardholder data breach. SRI also mitigates attacks on third-party resources (a compromised CDN or tag vendor, for example) by ensuring that only a resource matching the hash you recorded will load. Two limits are worth knowing: SRI pins only the file named in the tag, so scripts that file fetches in turn are not covered, and a resource that legitimately changes will stop loading until its hash is updated. Lastly, PCI DSS 4.0.1 does not mandate SRI by name; it requires that you have some method of assuring script integrity, and SRI is one accepted way to meet that requirement. Implementing it aligns with the standard's guidance and demonstrates a proactive approach to securing your web applications.
How to comply with SRI for PCI DSS updates
To implement SRI effectively within the scope of PCI DSS 4.0.1, follow these four recommended steps:
- Generate a hash for every external resource your web application relies on, using one of the algorithms SRI supports (sha256, sha384 or sha512) and base64-encoding the digest. Tools like OpenSSL can generate these hashes
- Update the HTML tags (script and link) that reference those resources with an integrity attribute carrying the hash, and add crossorigin="anonymous" for cross-origin resources so the browser can read the response and verify it before executing it
- Regenerate hashes whenever an external resource legitimately changes, and tie that regeneration to your build or deployment process; a stale hash causes the browser to refuse the resource
- Monitor and audit your SRI implementation: periodically re-fetch each pinned resource and compare it against the recorded hash, and review page markup for scripts loaded without an integrity attribute or with a changed hash. This monitoring also supports Requirement 11.6.1, which calls for a change- and tamper-detection mechanism on payment pages
Subresource integrity is a powerful tool for ensuring the integrity of external resources loaded by web applications. Implementing it as part of your PCI DSS 4.0.1 work strengthens web app security, protects against supply chain attacks on the scripts your payment pages depend on, and gives you a concrete, verifiable way to meet the standard's script-integrity requirement.
Securing your business with Visa
While compliance changes can shake up the market, they don't need to disrupt your business. With the right fraud and data strategies, your business can be prepared for whatever changes come your way. With Visa Acceptance Solutions, you'll be at the forefront of security and card acceptance solutions. In preparation for these changes, we are enhancing our card acceptance product Microform V2 to ensure adherence to the PCI DSS 4.0.1 requirements so you are protected in the best way possible.
Disclaimer: Case studies, comparisons, statistics, research, and recommendations are provided “AS IS” and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial, or other advice. Visa Acceptance Solutions neither makes any warranty or representation as to the completeness or accuracy of the information within this document, nor assumes any liability or responsibility that may result from reliance on such information. The information contained herein is not intended as investment or legal advice, and readers are encouraged to seek the advice of a competent professional where such advice is required.