What PCI DSS v4 Really Means – Lessons from A&F Compliance Journey

Mar 07, 2025The Hacker NewsPayment Security / Compliance

Access on-demand webinar here

Avoid a $100,000/month Compliance Disaster

March 31, 2025: The Clock is Ticking. What if a single overlooked script could cost your business $100,000 per month in non-compliance fines? PCI DSS v4 is coming, and businesses handling payment card data must be prepared.

Beyond fines, non-compliance exposes businesses to web skimming, third-party script attacks, and emerging browser-based threats.

So, how do you get ready in time?

Reflectiz sat down with Abercrombie & Fitch (A&F), for a no-holds-barred discussion about the toughest PCI DSS v4 challenges.

Kevin Heffernan, Director of Risk at A&F, shared actionable insights on:

• What worked (and saved $$$)
• What didn’t (and cost time & resources)
• What they wish they had known earlier

➡ Watch the Full PCI DSS v4 Webinar Now

(Free On-Demand Access – Learn from A&F’s Compliance Experts)

What’s Changing in PCI DSS v4.0.1?

PCI DSS v4 introduces stricter security standards—especially for third-party scripts, browser security, and continuous monitoring. Two of the biggest challenges for online merchants are requirements 6.4.3 and 11.6.1.

Requirement 6.4.3 – Payment Page Script Security

Most businesses rely on third-party scripts for checkout, analytics, live chat, and fraud detection. But attackers exploit these scripts to inject malicious code into payment pages (Magecart-style attacks).

New PCI DSS v4 mandates:

Script Inventory – Every script loaded in a user’s browser must be logged and justified.

Integrity Controls – Businesses must verify the integrity of all payment page scripts.

Authorization – Only approved scripts should execute on checkout pages.

How A&F Tackled It:

• Conducted script audits to identify unnecessary or risky third-party dependencies.
• Used Content Security Policy (CSP) to restrict third-party scripts.
• Utilized smart automated approvals to save time and money.

Requirement 11.6.1 – Change & Tamper Detection

Even if your scripts are secure today, attackers can inject malicious changes later.

New PCI DSS v4 mandates:

Mechanism – Continuous change and tamper detection mechanism deployment for payment page script changes.

Unauthorised changes – HTTP header monitoring to detect unauthorized modifications.

Integrity – Weekly integrity checks (or more frequently based on risk levels and indicators of compromise).

How A&F Tackled It:

• Deployed continuous monitoring to detect unauthorized modifications.
• Used Security Information and Event Management (SIEM) for centralized monitoring.
• Created automated alerts and batch-approval for script, structure and header changes on checkout pages.

Try the Reflectiz PCI Dashboard – Free 30-Day Trial

Recent Update: The SAQ A Exemption Clarification

A recent clarification from the PCI council states the following regarding SAQ A marchants [self-assessment questionnaire]:

1. Eligibility Requirement: Merchants must confirm their site is not susceptible to script attacks affecting e-commerce systems.
2. Compliance Options:
   • Implement protection techniques (like those in PCI DSS Requirements 6.4.3 and 11.6.1) either directly or through a third party
   • OR obtain confirmation from PCI DSS-compliant service providers that their embedded payment solution includes script attack protection
3. Limited Applicability: The criteria only applies to merchants using embedded payment pages/forms (e.g., iframes) from third-party service providers.
4. Exemptions: Merchants who redirect customers to payment processors or fully outsource payment functions are not subject to this requirement.
5. Recommendations: Merchants should consult with their service providers about secure implementation and verify with their acquirer that SAQ A is appropriate for their environment.

Note that even if you qualify for SAQ A, your entire website must still be secured. Many businesses will still need real-time monitoring and alerts, making full compliance solutions relevant regardless.

A&F’s Top 3 PCI DSS v4 Pitfalls (And How to Avoid Them)

With multiple payment pages to secure across the globe, Abercrombie and Fitch’s compliance journey was complex. Kevin Heffernan, Director of Risk, has suggested three main mistakes that online merchants often make.

Mistake #1: Relying only on CSP

While Content Security Policy (CSP) helps prevent script-based attacks, it doesn’t cover dynamic changes in scripts or external resources. PCI DSS requires additional integrity verification.

Mistake #2: Ignoring Third-Party Vendors

Most retailers rely on external payment gateways, chat widgets, and tracking scripts. If these vendors don’t comply, you’re still responsible. Regularly audit third-party integrations.

Mistake #3: Treating Compliance as a One-Time Fix

PCI DSS v4 mandates ongoing monitoring—meaning you can’t just audit scripts once and forget about it. Continuous monitoring solutions will be critical for compliance.

Try the Reflectiz PCI Dashboard for 30 day free-trial.

Final Takeaways from A&F’s PCI Compliance Journey

• Risk Assessment First – Identify and map vulnerabilities, supply chain risks, and components’ misconfigurations before jumping into compliance changes.
• Secure Your Payment Page Scripts – Configure strict HTTP security headers, such as CSP.
• Monitor Continuously – Use continuous monitoring, SIEM, and tamper detection alerts to catch modifications before attackers exploit them.
• Don’t Assume Vendors Have You Covered – Audit third-party scripts and integrations—compliance responsibility doesn’t stop at your firewall.

The March 31st 2025 Deadline is Closer Than You Think

Waiting too long to start creates security gaps and risks costly fines. A&F’s experience shows why early preparation is critical.

➡ Avoid Costly PCI Fines – Watch the PCI DSS v4 Webinar Now to learn how a major global retailer tackled compliance—and what you can do today to avoid fines and security risks.

Try the Reflectiz PCI Dashboard for 30 day free-trial.