Article Details

What PCI DSS v4 Really Means – Lessons from A&F Compliance Journey. Access on-demand webinar here Avoid a $100,000/month Compliance Disaster March 31, 2025: The Clock is Ticking. What if a single overlooked script could cost your business $100,000 per month in non-compliance fines? PCI DSS v4 is coming, and businesses handling payment card data must be prepared. Beyond fines, non-compliance exposes businesses to web skimming, third-party script attacks, and emerging browser-based threats. So, how do you get ready in time? Reflectiz sat down with Abercrombie & Fitch (A&F), for a no-holds-barred discussion about the toughest PCI DSS v4 challenges. Kevin Heffernan, Director of Risk at A&F, shared actionable insights on: ➡ Watch the Full PCI DSS v4 Webinar Now (Free On-Demand Access – Learn from A&F's Compliance Experts) What's Changing in PCI DSS v4.0.1? PCI DSS v4 introduces stricter security standards—especially for third-party scripts, browser security, and continuous monitoring. Two of the biggest challenges for online merchants are requirements 6.4.3 and 11.6.1. Requirement 6.4.3 – Payment Page Script Security Most businesses rely on third-party scripts for checkout, analytics, live chat, and fraud detection. But attackers exploit these scripts to inject malicious code into payment pages (Magecart-style attacks). New PCI DSS v4 mandates: Script Inventory – Every script loaded in a user's browser must be logged and justified. Integrity Controls – Businesses must verify the integrity of all payment page scripts. Authorization – Only approved scripts should execute on checkout pages. How A&F Tackled It: Requirement 11.6.1 – Change & Tamper Detection Even if your scripts are secure today, attackers can inject malicious changes later. New PCI DSS v4 mandates: Mechanism - Continuous change and tamper detection mechanism deployment for payment page script changes. Unauthorised changes - HTTP header monitoring to detect unauthorized modifications. Integrity - Weekly integrity checks (or more frequently based on risk levels and indicators of compromise). How A&F Tackled It: Try the Reflectiz PCI Dashboard – Free 30-Day Trial Recent Update: The SAQ A Exemption Clarification A recent clarification from the PCI council states the following regarding SAQ A marchants [self-assessment questionnaire]: Note that even if you qualify for SAQ A, your entire website must still be secured. Many businesses will still need real-time monitoring and alerts, making full compliance solutions relevant regardless. A&F's Top 3 PCI DSS v4 Pitfalls (And How to Avoid Them) With multiple payment pages to secure across the globe, Abercrombie and Fitch's compliance journey was complex. Kevin Heffernan, Director of Risk, has suggested three main mistakes that online merchants often make. Mistake #1: Relying only on CSP While Content Security Policy (CSP) helps prevent script-based attacks, it doesn't cover dynamic changes in scripts or external resources. PCI DSS requires additional integrity verification. Mistake #2: Ignoring Third-Party Vendors Most retailers rely on external payment gateways, chat widgets, and tracking scripts. If these vendors don't comply, you're still responsible. Regularly audit third-party integrations. Mistake #3: Treating Compliance as a One-Time Fix PCI DSS v4 mandates ongoing monitoring—meaning you can't just audit scripts once and forget about it. Continuous monitoring solutions will be critical for compliance. Try the Reflectiz PCI Dashboard for 30 day free-trial. Final Takeaways from A&F's PCI Compliance Journey The March 31st 2025 Deadline is Closer Than You Think Waiting too long to start creates security gaps and risks costly fines. A&F's experience shows why early preparation is critical. ➡ Avoid Costly PCI Fines - Watch the PCI DSS v4 Webinar Now to learn how a major global retailer tackled compliance—and what you can do today to avoid fines and security risks. Try the Reflectiz PCI Dashboard for 30 day free-trial.