Why 6.4.3 & 11.6.1 Requirements Were Created
As digital transactions continue to rise, web skimming attacks have become a critical threat to payment page security. These attacks target the point of data collection: attackers inject malicious JavaScript into payment pages to capture sensitive information, such as credit card numbers, which is then transmitted to an attacker-controlled server.
The increasing number of breaches and the growing sophistication of these attacks have highlighted the limitations of the existing controls under PCI DSS 3.2.1. To address these weaknesses, PCI DSS 4.0 introduced new, targeted controls, specifically Requirements 6.4.3 and 11.6.1, designed to strengthen payment page security and mitigate the risks posed by these increasingly sophisticated attacks.

The report confirms this trend, with key findings summarized below.
- Evolving Magecart Tactics: In 2023, Magecart groups, known for their web skimming attacks, enhanced their tactics, techniques, and procedures (TTPs) to better conceal e-skimmer infections, making detection even more challenging.
- Targeting of US Merchants: The report identified that US merchants were the primary targets of these breaches, although merchants in other developed e-commerce markets also faced significant risks.
- Advancing Fraud Techniques: Looking forward to 2024, fraudsters are expected to continue refining their methods, leveraging a combination of advanced technical solutions and social engineering to bypass traditional fraud detection systems.
These findings underscore the critical need for the enhanced security controls introduced in PCI DSS 4.0, specifically requirements 6.4.3 and 11.6.1, to protect against the evolving threats in the payment card industry.
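As an added illustration (not part of this page and not PCI SSC tooling), the following Python audit shows the kind of control the two requirements describe: it compares every script found on a payment page against an authorized script inventory with written justifications (the inventory and authorization record 6.4.3 calls for) and reports anything unlisted, which is the unauthorized addition or modification that 11.6.1 expects a tamper-detection mechanism to alert on. The inventory, the page HTML and every URL are constructed sample data.

```python
import hashlib
import re

# Constructed sample inventory: every script the merchant has authorized for the
# payment page, with its written justification (the record 6.4.3 asks for).
AUTHORIZED_SRC = {
    "https://checkout.example/js/payment.js": "payment form logic, approved by change control",
}
# Inline scripts are authorized by the SHA-256 of their body, so any edit changes the hash.
AUTHORIZED_INLINE = {
    hashlib.sha256(b"initCheckout();").hexdigest(): "bootstrap call, approved by change control",
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def audit_payment_page(html: str) -> list:
    """Return (reason, detail) findings for scripts not covered by the inventory.

    An empty list means every script on the page is authorized; anything else is
    the unauthorized addition or change that 11.6.1 expects to be alerted on.
    """
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            url = src.group(1)
            if url not in AUTHORIZED_SRC:
                findings.append(("unauthorized_external", url))
        else:
            digest = hashlib.sha256(body.strip().encode()).hexdigest()
            if digest not in AUTHORIZED_INLINE:
                findings.append(("unauthorized_inline", digest))
    return findings


# Constructed payment page: the two approved scripts plus an injected inline script
# that reads the card field, the pattern described in the text above.
SAMPLE_PAGE = """<html><body>
<form id="pay"><input name="card"></form>
<script src="https://checkout.example/js/payment.js"></script>
<script>initCheckout();</script>
<script>reportToOutsideHost(document.forms.pay.card.value);</script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in audit_payment_page(SAMPLE_PAGE):
        print(f"ALERT {reason}: {detail}")
```

In practice the page HTML would be fetched the way a consumer browser receives it, so that changes made between the server and the browser are also caught.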