Merchants left guessing at last-minute PCI-DSS u-turn
by Sansec Forensics Team
Published in Threat Research - March 06, 2025
Merchants outraged as PCI-SSC changes compliance criteria just weeks before the new regulation comes into effect.

It's insanity that we still don't have clarity (Clean_Anteater992)
They have to be kidding me (sawer82)
It's clusterf after clusterf (andrew_barratt)
The Payment Card Industry Security Standards Council (PCI-SSC) has introduced significant changes to its compliance requirements, creating uncertainty for merchants just weeks before the looming April 1, 2025 deadline.
Background
In 2022, PCI-SSC announced two key requirements (6.4.3 and 11.6.1) to come into effect in Q2 2025. These changes were designed to reduce payment skimming risks but were initially criticized for vague definitions and potentially high costs.
U-turn
On January 30, 2025, PCI-SSC modified these requirements, exempting most merchants from implementing costly third-party solutions. This decision has impacted merchants who had already invested in such solutions. It also introduced more confusion about eligibility.
A subsequent "faq" on February 28, 2025, tried to clarify exemption criteria. Merchants may be exempt if:
- They have already implemented the required controls (???)
- Their payment processor provides sufficient protection against script attacks (not further specified)
The lack of specific technical requirements has left merchants uncertain about their obligations.
Sansec recommends
For SAQ-A eligible merchants (those using off-site payment processors with iframes or redirects):
- Contact your payment processor for specific compliance confirmation
- Document all communications regarding compliance requirements
For non-SAQ-A merchants:
- Implement either a proprietary PCI-SSC vendor solution ($15,000-$100,000 annually)
- Or deploy a CSP monitoring solution
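The CSP monitoring route above works by having the browser POST a violation report whenever the payment page tries to load a script the policy does not allow; the value for 6.4.3 and 11.6.1 comes from what you do with those reports. The following is an added example, not Sansec's code and not Sansec Watch: a small Python triage routine that accepts both report shapes browsers send (the legacy `report-uri` body and the Reporting API `report-to` array), keeps only script violations on payment pages, and checks the blocked origin against a script inventory. The hostnames, the `/checkout` path prefix and the sample report bodies are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Inventory of script origins authorised on the payment page (the 6.4.3 list).
# Hostnames below are constructed for this example.
AUTHORIZED_SCRIPT_ORIGINS = {
    "https://shop.example.test",
    "https://js.psp.example.test",
}
# Path prefixes that identify payment pages (an assumption for this example).
PAYMENT_PAGE_PREFIXES = ("/checkout",)
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr"}


def normalize_reports(raw):
    """Parse one POSTed body into dicts with common keys. Accepts the legacy
    {"csp-report": {...}} shape and the Reporting API [{"type": "csp-violation", ...}] shape."""
    data = json.loads(raw)
    reports = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        reports.append({
            "document": r.get("document-uri", ""),
            "directive": r.get("effective-directive") or r.get("violated-directive", ""),
            "blocked": r.get("blocked-uri", ""),
        })
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            body = item.get("body", {})
            reports.append({
                "document": body.get("documentURL", ""),
                "directive": body.get("effectiveDirective", ""),
                "blocked": body.get("blockedURL", ""),
            })
    return reports


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; non-URL values such as 'inline' pass through."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return url


def classify(report):
    """Return an alert dict for a script violation on a payment page, else None."""
    # Older browsers put the whole directive ("script-src 'self' ...") in the field.
    directive = report["directive"].split()[0] if report["directive"] else ""
    if directive not in SCRIPT_DIRECTIVES:
        return None  # styles, images, fonts: outside the scope of 6.4.3
    if not urlsplit(report["document"]).path.startswith(PAYMENT_PAGE_PREFIXES):
        return None  # only payment pages are in scope here
    blocked = report["blocked"]
    if blocked in ("inline", "eval"):
        # Script text not covered by a nonce or hash: typical of an injected snippet.
        kind, origin = "inline-script", blocked
    else:
        origin = origin_of(blocked)
        if origin in AUTHORIZED_SCRIPT_ORIGINS:
            # Inventory says allowed, browser policy blocked it: CSP header and
            # inventory have drifted apart and one of them needs fixing.
            kind = "policy-mismatch"
        else:
            kind = "unauthorized-origin"
    return {"page": report["document"], "kind": kind, "origin": origin}


def triage(raw_bodies):
    """Classify every report in a batch of received bodies; return the alerts."""
    alerts = []
    for raw in raw_bodies:
        for report in normalize_reports(raw):
            alert = classify(report)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed report bodies, as a browser would POST them to the report endpoint.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {  # image blocked on the home page: out of scope
        "document-uri": "https://shop.example.test/",
        "effective-directive": "img-src",
        "blocked-uri": "https://cdn.unknown-host.test/pixel.png"}}),
    json.dumps({"csp-report": {  # unknown script origin on the payment page
        "document-uri": "https://shop.example.test/checkout/payment",
        "violated-directive": "script-src-elem",
        "blocked-uri": "https://cdn.unknown-host.test/loader.js"}}),
    json.dumps([{"type": "csp-violation", "age": 3, "body": {  # inline script, no nonce
        "documentURL": "https://shop.example.test/checkout/payment",
        "effectiveDirective": "script-src-elem",
        "blockedURL": "inline"}}]),
    json.dumps([{"type": "csp-violation", "age": 7, "body": {  # listed origin blocked
        "documentURL": "https://shop.example.test/checkout/payment",
        "effectiveDirective": "script-src-elem",
        "blockedURL": "https://js.psp.example.test/v2/sdk.js"}}]),
]
```

Running `triage(SAMPLE_BODIES)` yields three alerts: an unauthorized origin, an inline script, and a policy mismatch; the image violation on the home page is dropped. Keeping the inventory separate from the CSP header is the point of the `policy-mismatch` class: it turns "a report arrived" into "the list of authorised scripts and the enforced policy disagree", which is the change 11.6.1 asks you to notice. Remember the caveat in the section that follows: a script injected server-side into the page with a valid nonce never produces a report at all.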
Sansec's Perspective
While we provide a free CSP monitoring solution for compliance purposes, in our experience browser-based security is next to useless. Our forensic investigations of thousands of digital skimming incidents since 2015 show that 99% originate from compromised servers, which can readily bypass client-side protections. As the industry leader in digital skimming forensics, we can assert that the best way to protect your store is to protect your servers.