thePCI Portal

Does requirement 6.4.3 mean that a merchant who uses an iframe so that their payment service provider collects the payment information has to implement a method to ensure the integrity of scripts on their web page?

Did you come here looking for an answer to this question?  If so, YOU ARE IN LUCK.  We have lots of answers to this question.  I am sure you can find one that fits your requirements.


NOTE:  all of the answers below are real.  QSACs really said these things (not just a QSA, but the lead/principal/guru)!

Double NOTE:  The REAL answer to this question is actually in official PCI documentation now.  The Dec 2022 version of the v4.0 SAQ A has the answers.  6.4.3 (and 11.6.1) are applicable to more than the “payment page” and are applicable to the merchant’s page which hosts the iframe.

| Opinion Holder (Anonymized) | Does requirement 6.4.3 mean that a merchant who uses an iframe so that their payment service provider collects the payment information has to implement a method to ensure the integrity of scripts on their web page? | Their Reasoning | My analysis of their reasoning |
| --- | --- | --- | --- |
| Me | NO | The requirement clearly states that it is only applicable to the “payment page”. Multiple FAQs from the PCI SSC clearly state that the “payment page” is only what is within the iframe in this situation. | Logically sound. |
| QSAC 1 | YES | It’s about the intent and risk. Page that hosts iframe is included. No references available. | I agree that it’s likely the intent. And it sure does reduce the risk. But fails the “payment page” criteria and definition test. |
| QSAC 2 | We advise our customers to await further guidance. | It’s a mess. | Wise. |
| QSAC 3 | YES | Iframes are a script. | iframes are not a script. But even if they were, this is not a logical argument. |
| vendor with a solution | YES | It reduces risk. | It does. And I knew what your answer would be. |
| merchant with an iframe | NO | My payment service provider takes care of that. | Your go-to answer! And it might be right this time! |
| Me again | YES | How else do you prevent someone from stealing cards? | Logically sound. |

And if you would like to add YOUR answer to the question, please forward it along and I will include it anonymously.  Or not anonymously if you want.
