PCI 4.0 and Slate
- Updated 20 Feb 2026
PCI DSS is the security standard used for payment card transactions, such as with credit cards and debit cards. It applies to any organization that stores, processes, or transmits card information, or could affect the security of a transaction. You cannot accept payment cards unless you adhere to this standard.
The latest standard is PCI DSS 4.0. It enhances security in several different areas of payment processing.
Two new sections of the standard directly impact payment pages in Slate:
Section 6.4.3
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written justification as to why each is necessary.
Section 11.6.1
A change- and tamper-detection mechanism is deployed as follows:
- To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
- The mechanism is configured to evaluate the received HTTP header and payment page.
- The mechanism functions are performed as follows:
  - At least once every seven days
    OR
  - Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
For more details, see the standard itself.
Payment pages and scripts in Slate
Payment pages in Slate can contain scripts that come from two main sources:
- Technolutions: Technolutions scripts provide functionality on the page, such as helping with the payment card transaction itself.
- Your institution: These scripts may be for analytics, branding, or any other need you have. They may come directly from your institution’s website or from a third party such as Google (e.g., Google Analytics). You control what scripts are on your Slate pages through the File Editor in Slate.
Because scripts on a page may come from both Technolutions and your institution, we have a shared responsibility for those that appear on a payment page. This shared responsibility is outlined in the Technolutions PCI DSS 4.0 Responsibility Matrix, which is available as an attachment to Slate Security Profile and Documentation (article requires login).
In short, Technolutions is responsible for its scripts, and your institution is responsible for any script that it introduces. Therefore, your institution needs to make sure that its scripts are authorized, haven’t been tampered with, and that an inventory of them is kept (see section 6.4.3).
Looking at 11.6.1, you also need to have a mechanism in place to check if your scripts have been tampered with. While Technolutions monitors the HTTP headers and its own scripts for tampering, we can’t determine if a change made to one of your scripts is by you or a malicious actor.
These changes don’t have to be made directly to payment pages. A change could, for example, be made to your branding that impacts all pages in Slate, including the payment pages. However, you only need to monitor your scripts on payment pages, not on any other page in Slate.
How can you monitor your scripts on payment pages? Your Information Security Office may have recommendations. They may have licensed software to do it or have a common approach that the institution is taking.
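One way such a check can work, shown as an added example that is not Technolutions' or Slate's own code: hash every script found on a payment page, compare the result with an approved inventory (the 6.4.3 list, including justifications), and report changes, additions, and deletions as 11.6.1 describes. The URLs, script bodies, and function names are constructed for illustration, and the monitor is assumed to have already fetched the page and its external scripts.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies, in page order."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._capturing = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._capturing = not src          # only inline scripts carry a body
            (self.external if src else self.inline).append(src or "")
    def handle_data(self, data):
        if self._capturing:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._capturing = False

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def snapshot(html, fetched):
    """Return {script id: SHA-256}; `fetched` maps external URL -> retrieved body."""
    parser = ScriptCollector()
    parser.feed(html)
    snap = {url: digest(fetched[url]) for url in parser.external}
    snap.update({f"inline#{i}": digest(b) for i, b in enumerate(parser.inline)})
    return snap

def compare(inventory, snap):
    """Report changes, additions and deletions against the approved inventory."""
    findings = [("added" if sid not in inventory else "changed", sid)
                for sid, h in snap.items()
                if sid not in inventory or inventory[sid]["sha256"] != h]
    findings += [("deleted", sid) for sid in inventory if sid not in snap]
    return sorted(findings)

# Constructed sample data: hypothetical URLs and script bodies, not real Slate content.
APPROVED_HTML = '<script src="https://www.example.edu/brand.js"></script><script>track("view");</script>'
APPROVED_BODIES = {"https://www.example.edu/brand.js": "applyBranding();"}
JUSTIFICATION = {"https://www.example.edu/brand.js": "institution branding",
                 "inline#0": "analytics page view"}
INVENTORY = {sid: {"sha256": h, "justification": JUSTIFICATION[sid]}
             for sid, h in snapshot(APPROVED_HTML, APPROVED_BODIES).items()}
OBSERVED_HTML = ('<script src="https://www.example.edu/brand.js"></script>'
                 '<script src="https://cdn.example.net/extra.js"></script>')
OBSERVED_BODIES = {"https://www.example.edu/brand.js": "applyBranding(); extraCall();",
                   "https://cdn.example.net/extra.js": "void 0;"}
```

Calling `compare(INVENTORY, snapshot(OBSERVED_HTML, OBSERVED_BODIES))` returns one finding each for the added, changed, and deleted script. Inline scripts are identified by position here, so inserting a new inline script ahead of an approved one will also flag the ones after it.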
In short, while PCI DSS 4.0 tightens security around payments, it places greater responsibility on all organizations that accept payment cards.
