

























Merchants outraged as PCI-SSC changes compliance criteria just weeks before the new regulation comes into effect.

It's insanity that we still don't have clarity (Clean_Anteater992)
They have to be kidding me (sawer82)
It's clusterf after clusterf (andrew_barratt)
The Payment Card Industry Security Standards Council (PCI-SSC) has introduced significant changes to its compliance requirements, creating uncertainty for merchants just weeks before the looming April 1, 2025 deadline.
In 2022, PCI-SSC announced two key requirements (6.4.3 and 11.6.1) to come into effect in Q2, 2025. These changes were designed to reduce payment skimming risks but were initially criticized for vague definitions and potentially high costs.
On January 30, 2025, PCI-SSC modified these requirements, exempting most merchants from implementing costly third-party solutions. This decision has impacted merchants who had already invested in such solutions. It also introduced more confusion about eligibility.
A subsequent post on February 28, 2025, tried to clarify exemption criteria. Merchants may be exempt if:
The lack of specific technical requirements has left merchants uncertain about their obligations.
For SAQ-A eligible merchants (those using off-site payment processors with iframes or redirects):
For non-SAQ-A merchants:
While we provide a free CSP monitoring solution for compliance purposes, in our experience browser-based security is next to useless. Our forensic investigations of thousands of digital skimming incidents since 2015 show that 99% originate from compromised servers, which can readily bypass client-side protections. As the industry leader in digital skimming forensics, we can assert that the best way to protect your store, is to protect your servers.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。