What is PCI-DSS and who must comply?
The Payment Card Industry Data Security Standard (PCI-DSS) is a contractual security standard set by the major card brands (Visa, Mastercard, Amex, Discover). Any organisation that processes, stores, or transmits cardholder data — including payment page operators, e-commerce platforms, and payment gateways — must comply.
Version 4.0, released March 2022 and mandatory from March 2024, introduced significant changes for web security. The most impactful for web developers are:
- Requirement 6.4.1: Public-facing web apps must be protected by a technical control (WAF or vulnerability assessment)
- Requirement 6.4.3: All scripts on payment pages must be authorised, integrity-verified, and inventoried — targeting Magecart-style skimming
- Requirement 12.3.3: Annual review of all cryptographic algorithms, keys, and certificates in use
Non-compliance consequences: Card brands can impose monthly fines of $5,000–$100,000 on your acquiring bank, which passes them to you. After a breach, you may also lose the ability to accept card payments entirely. Indian RBI regulations require card-present terminals to be PCI-compliant; online merchants operating under payment aggregators (Razorpay, PayU) inherit some requirements from the aggregator's compliance scope.
Requirements WebAudit checks
All cardholder data transmitted over open, public networks must be encrypted using strong cryptography and accepted security protocols only. TLS 1.0 and 1.1 are explicitly prohibited. HSTS prevents protocol downgrade attacks where an attacker intercepts the initial HTTP request before HTTPS redirection.
Checks:
- TLS valid
- HSTS present
- No mixed content
Fix: Use TLS 1.2 or 1.3 only — disable TLS 1.0, 1.1. Deploy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Remove all HTTP-loaded resources from HTTPS pages.
Public-facing web applications must be protected against known attacks via automated technical solutions — evaluated at least annually and after any changes. This includes Content Security Policy (injection defence), X-Frame-Options (clickjacking), and X-Content-Type-Options (MIME sniffing). A WAF can satisfy this requirement in combination with these headers.
Checks:
- CSP present
- CSP no unsafe-inline/eval
- X-Frame-Options
- X-Content-Type-Options
Fix: Deploy a Content-Security-Policy without 'unsafe-inline' or 'unsafe-eval'. Set X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff. Conduct regular vulnerability assessments.
New in v4.0. All scripts loaded on payment pages must be: (1) authorised via an approval process, (2) integrity-verified so tampering is detected, and (3) inventoried to enable tracking. This requirement directly addresses Magecart and supply-chain skimming attacks, where attackers compromise a CDN or third-party script to steal card data from thousands of payment forms simultaneously.
Checks:
- SRI present
- CSP present
Fix: Add integrity="sha384-..." and crossorigin="anonymous" to all external <script> tags. Deploy a strict Content-Security-Policy: script-src 'self' 'sha384-...' https://specific-allowed-cdn.com to prevent loading unauthorised scripts.
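The three parts of this requirement (approve, verify, inventory) can be checked mechanically. The following is an added example, not WebAudit's own code: it derives the SRI token for an approved script, re-verifies a fetched copy against that inventory entry, builds the matching CSP script-src value, and flags external script tags on a page that lack integrity or crossorigin="anonymous". The hosts, script body and page are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_token(content: bytes, alg: str = "sha384") -> str:
    """SRI token for a script body; usable as integrity="..." and as a CSP hash source."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def matches_inventory(content: bytes, expected_token: str) -> bool:
    """Re-hash a fetched script with the algorithm named in the inventory entry."""
    alg = expected_token.split("-", 1)[0]
    return sri_token(content, alg) == expected_token

def script_src_directive(inventory: dict[str, str], allowed_hosts: list[str]) -> str:
    """script-src value that permits only inventoried hashes and explicitly listed hosts."""
    sources = ["'self'"] + [f"'{tok}'" for tok in inventory.values()] + allowed_hosts
    return "script-src " + " ".join(sources)

class _ScriptCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_payment_page(html: str) -> list[str]:
    """One finding per external <script> lacking integrity or crossorigin="anonymous"."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts are pinned via CSP hashes, not SRI
        if not (attrs.get("integrity") or "").startswith(("sha256-", "sha384-", "sha512-")):
            findings.append(f"{src}: no valid integrity attribute")
        if attrs.get("crossorigin") != "anonymous":
            findings.append(f'{src}: missing crossorigin="anonymous"')
    return findings

# Constructed sample (hypothetical hosts): one approved checkout script in the
# inventory, and a page that also loads an unapproved third-party tag.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitCard);\n"
CHECKOUT_TOKEN = sri_token(CHECKOUT_JS)
INVENTORY = {"https://cdn.example/checkout.js": CHECKOUT_TOKEN}
SAMPLE_PAGE = f"""<html><body>
<script src="https://cdn.example/checkout.js" integrity="{CHECKOUT_TOKEN}" crossorigin="anonymous"></script>
<script src="https://analytics.example/tag.js"></script>
</body></html>"""
```

Running audit_payment_page(SAMPLE_PAGE) reports the analytics tag twice (no integrity, no crossorigin) and nothing for the inventoried script; a single appended byte to CHECKOUT_JS makes matches_inventory return False.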
Authentication credentials must not be transmitted in cleartext or in a way that can be intercepted. Session cookies that travel over HTTP — because the Secure flag is missing — expose session tokens to network interception. Missing HSTS allows a downgrade where the browser makes the first request over HTTP before being redirected.
Checks:
- TLS valid
- Cookies Secure flag
- HSTS present
Fix: Ensure all authentication endpoints run exclusively over HTTPS. Set the Secure flag on all cookies containing session identifiers. Enable HSTS to prevent any HTTP fallback path.
All cryptographic algorithms, keys, and certificates used anywhere in the environment must be documented and reviewed at least once every 12 months to ensure they remain strong. Certificates approaching expiry are flagged — an expired certificate breaks HTTPS and may trigger PCI-DSS findings during a QSA assessment.
Checks:
- TLS valid
Fix: Disable TLS 1.0 and 1.1. Disable weak cipher suites (RC4, 3DES, export-grade ciphers, NULL). Renew certificates at least 30 days before expiry. Automate renewal with Let's Encrypt + Certbot or Cloudflare.