What is PCI DSS v4 & What Has Changed?
PCI DSS v4 is the next evolution of the PCI compliance standard affecting ecommerce websites that take payments, and it is in effect now. Read documents about PCI v4 here
A significant change concerns who has to be scanned. In the past your website did not need to be PCI scanned because you used third parties such as PayPal, Stripe, Klarna or Barclaycard ePDQ to handle payments, and the burden of PCI compliance fell on those companies. That has changed: because of the evolving threat landscape, banks and payment processors may now ask for your website to be scanned regularly as well, as set out under Requirements 6 and 11. The Self Assessment Questionnaires (SAQs) you fill in have also changed and now mirror v4 compliance. Read more about the SAQ changes and requirements here
Why Do Vulnerabilities Arise?
Hackers are always searching for new methods or tools to exploit websites. We have extensive multi-layered security tools and processes to protect your core site from exploits; however, scripts added to your site in the past may have been secure at the time but have since had a new exploit found for them. These will be flagged in a scan and require attention to remove the vulnerability. It is a fast-moving game: even a script added today could become vulnerable within a short period, hence the more regular and more comprehensive scanning requirements.
When Do I Need To Start Adhering To The New Standard?
It depends on when you completed your last 12-month SAQ. Once that expires you will need to adhere to the new standard, as set out below:

How Do I Do PCI Scans?
Your bank or payment processor may provide you with an approved PCI scanning system (from an ASV, an Approved Scanning Vendor) that can be used to perform a scan. Otherwise it will be necessary to purchase this service. The scan produces a detailed report that needs to be checked through to ensure there are no identified vulnerabilities on your website, which includes picking through false positives. This is best tackled by us, since your website application and hardware infrastructure are provided by us; it includes switching some of our security tools into PCI Compliance test mode so that they do not generate false positives during the scan.
How Often Do I Need To Run PCI Scans?
Scans may be needed as often as every 90 days.
How Do I Check What Scripts Are On My Site?
You can use the Script Finder program in the website Admin Centre to see all the scripts in use on your website. This is particularly important if you are using embedded payment pages or forms, including iframes, such as those for Klarna or PayPal Commerce.
What Else Needs To be Updated?
We will have to enable HSTS (HTTP Strict Transport Security, which forces the browser to always use HTTPS with your domain) and secure cookies; both are settings in the Admin Centre. We will also look to introduce other measures highlighted in the new standard that are not already covered.
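As an added illustration (not code from the original page or from the platform's Admin Centre) of the two checks described above, the following Python script verifies an HSTS header and the Secure flag on cookies, and lists the script and iframe sources on a page in the way the Script Finder does. The response headers and HTML are constructed sample data, and the hostnames in them are placeholders.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample response standing in for a checkout page; not from a real site.
SAMPLE_HEADERS: Dict[str, object] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": [
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "basket=xyz; Path=/",  # missing the Secure flag on purpose
    ],
}
SAMPLE_HTML = """<html><body>
<script src="https://js.example-psp.test/v3/"></script>
<script src="/js/old-livechat.js"></script>
<script>console.log("inline");</script>
<iframe src="https://checkout.example-psp.test/embed"></iframe>
</body></html>"""

def check_hsts(headers: Dict[str, object], min_age: int = 31536000) -> List[str]:
    """Return a list of HSTS problems; an empty list means the header is acceptable."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["HSTS header missing"]
    issues = []
    m = re.search(r"max-age=(\d+)", str(value))
    if not m or int(m.group(1)) < min_age:
        issues.append("HSTS max-age below %d" % min_age)
    if "includesubdomains" not in str(value).lower():
        issues.append("HSTS lacks includeSubDomains")
    return issues

def check_cookies(headers: Dict[str, object]) -> List[str]:
    """Flag every Set-Cookie value that lacks the Secure attribute."""
    issues = []
    for raw in headers.get("Set-Cookie", []):
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in raw.split(";")[1:]}
        if "secure" not in attrs:
            issues.append("cookie %s lacks Secure" % name)
    return issues

class ScriptFinder(HTMLParser):
    """Collect (tag, src) for every <script> and <iframe>; inline scripts get '(inline)'."""
    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []
    def handle_starttag(self, tag, attrs) -> None:
        if tag in ("script", "iframe"):
            self.found.append((tag, dict(attrs).get("src") or "(inline)"))

def list_scripts(html: str) -> List[Tuple[str, str]]:
    parser = ScriptFinder()
    parser.feed(html)
    return parser.found
```

Every non-empty result from check_hsts or check_cookies is something a scan would flag; the list_scripts output is the inventory to reconcile against the scripts you actually still need.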
What Does It Cost?
1. PCI Scan £210+VAT
We can perform PCI scans for you and interpret the scan reports. The charge for this is £210+VAT per scan request per website, which covers up to 2 hours of our time. This includes scan re-runs to check that any issues identified in that scan are resolved. We can either use your bank's scanning tool, if one is provided, or you will need to purchase a paid service such as HackerGuardian, which typically costs around £70 per annum.
2. Script Audit £105+VAT
We also recommend running a script audit on the website. Scripts are small pieces of code that may have been added to a site historically to load third-party tools, such as live chat, heatmap tracking, social shares etc., and may have become redundant or unused. Sorting these out reduces unnecessary data collection, can improve site performance and, importantly, reduces your security exposure. This audit is £105+VAT for an hour of our time, and we will do whatever remediation work we can within this time.
If the scan or script audit / remediation runs over the quoted time, then the charge is £105+VAT per hour to continue with the work.
Note: You will need to test the website functionality relating to the scripting work after it is completed, to ensure everything still works correctly.
How To Book
Please raise a support ticket with "PCI Scan" in the subject line, stating in the description whether you have access to PCI scanning software, and we will schedule the work.