The Payment Card Industry Security Standards Council's (PCI SSC) latest update to its Data Security Standard (DSS) has significant implications for adult-industry platforms and operators. The transition period for PCI-DSS v4.0 officially ended on March 31, 2025, and every requirement that was previously listed as a "future-dated best practice" is now a mandatory, assessable control.
The new standard, PCI-DSS v4.0.1, addresses a specific threat: malicious JavaScript injected into payment pages to steal cardholder data in real time. This attack category is called Magecart or e-skimming, and it affects every business that accepts card payments online, including those using hosted checkout solutions.
What Happened
The shift from PCI-DSS v3.2.1 to v4.0 was not routine housekeeping. The PCI SSC rewrote significant portions of the standard specifically to address the threat of e-skimming. This change has brought about two new requirements that most small and mid-sized retailers, including those in the adult industry, may be unaware of: Requirements 6.4.3 and 11.6.1.
An independent PCI assessor tested Reflectiz against the new PCI DSS rules, and the verdict is clear: modern checkout pages are now a PCI DSS problem. When a customer types their card number into your checkout, their browser is running far more than just your code. Analytics tags, a tag manager, a support widget, and a payment iframe – dozens of third-party scripts load on a typical checkout page, any one of which can be turned malicious.
Background and Context
The Payment Card Industry Security Standards Council (PCI SSC) is responsible for maintaining the Payment Card Industry Data Security Standard (PCI DSS). The standard provides a baseline of technical and operational requirements to ensure the secure handling of card information. PCI-DSS v4.0 was released in 2025, with a transition period that ended on March 31, 2025.
The new version addresses several key areas, including network security, data protection, and vulnerability management. The standard is designed to help organizations protect themselves against the growing threat of e-skimming attacks, in which malicious JavaScript is injected into payment pages to steal cardholder data in real time.
Why It Matters to the Industry
The changes brought about by PCI-DSS v4.0.1 have significant implications for adult-industry platforms and operators. The new requirements, particularly Requirements 6.4.3 and 11.6.1, are designed to address the threat of e-skimming attacks. These attacks can compromise sensitive customer data and lead to financial losses.
The industry must take note that hosted checkout solutions are not immune to these threats. Any business that accepts card payments online is affected by these new requirements. The PCI SSC has confirmed that v4.0.1 did not change the March 31, 2025, effective date for these newer requirements. There is no extension or grace period – the standard is in full effect.
What Comes Next
The industry must now take steps to ensure compliance with PCI-DSS v4.0.1. This includes implementing new controls and procedures to protect against e-skimming attacks. Organizations must also conduct regular vulnerability assessments and penetration testing to identify potential weaknesses in their systems.
Adult-industry platforms and operators should work closely with their payment processors, hosting providers, and other stakeholders to ensure that all of these steps, from deploying the new controls to scheduling the assessments, are actually carried out and documented.
Key Facts
- The transition period for PCI-DSS v4.0 officially ended on March 31, 2025.
- PCI-DSS v4.0.1 addresses the threat of e-skimming attacks, which involve malicious JavaScript being injected into payment pages to steal cardholder data in real time.
- The new standard includes two new requirements: Requirements 6.4.3 and 11.6.1.
- Hosted checkout solutions are not immune to e-skimming threats.
- The PCI SSC has confirmed that v4.0.1 did not change the March 31, 2025, effective date for these newer requirements.
The adult industry must take note of these changes and ensure compliance with PCI-DSS v4.0.1 to protect against e-skimming attacks and maintain customer trust.