WP Achieve PCI DSS 4.0 Compliance & Security | Imperva


Comply with PCI DSS 4.0

PCI DSS 4.0 introduced new requirements for client-side security, addressing the risk of customer payment data being stolen directly from the browser. Organizations must address these new requirements, as compliance will be mandatory starting March 2025.

Complete web application and API protection to cover your compliance needs

Imperva Client-Side Protection streamlines compliance requirements 6.4.3 and 11.6.1 through a dedicated dashboard that clearly explains each requirement and identifies related action items. It validates content security policy headers, offers weekly summaries for payment page changes, and helps you stay audit-ready while monitoring compliance-affecting changes easily.

Addresses the new client side requirements

Imperva Web Application Firewall offers industry-leading website protection with PCI-compliant, automated security that integrates advanced analytics. It goes beyond OWASP Top 10 coverage and mitigates risks from third-party code. Imperva Web Application Firewall secures active and legacy applications, third-party applications, APIs, microservices, cloud applications, containers, VMs, and more.

Safeguards web applications

Imperva API Security addresses requirements 6.2.2 and 6.3.2 by providing continuous protection through deep discovery and classification of all APIs, including public, private, and shadow APIs. It eliminates data leakage, prevents API abuse, and protects against business logic attacks and OWASP API Top Ten threats, ensuring robust compliance with PCI DSS standards.

Inventories, classifies and secures APIs

Incorporating Runtime Protection is a best practice (6.4.1) for enhancing application security. While WAFs monitor the application perimeter, RASP solutions detect and block anomalous behavior within the software during execution for complete protection from within. Imperva RASP uses Language Theoretic Security (LANGSEC) to neutralize known and zero-day attacks, ensuring your applications are secure by default.

Secures applications from within

Made to address the latest client-side security requirements

Provides comprehensive inventorying, authorization, dynamic integrity verification, and real-time monitoring, helping streamline regulatory compliance with the new client-side security requirements introduced in PCI DSS 4.0.

Demonstrate continuous compliance

Streamline compliance with PCI DSS 4.0 through comprehensive inventorying, authorization, dynamic integrity verification, and real-time monitoring.

Protect customer data

Mitigate the risk of client-side data breaches, which could result in your customers’ most sensitive data falling into the hands of bad actors.

Empower security teams

Security teams gain complete visibility and control with continuous monitoring and discovery, actionable insights, and one-click enforcement.

Compliance made easy with Imperva web application and API protection

The Imperva Application Security Platform stops the most advanced attacks with the highest efficacy while minimizing false positives. We stay ahead of the evolving threat landscape, integrating the latest security, privacy, and compliance expertise into our solutions.

Client-Side Protection

Safeguards against client-side attacks and streamlines regulatory compliance with PCI DSS 4.0.

Web Application Firewall

Best-in-class, PCI-certified WAF offering stops web application attacks with near-zero false positives.

API Security

Provides continuous protection of all APIs using deep discovery and classification of sensitive data.

Runtime Protection

Detects and neutralizes known and zero-day attacks, ensuring applications are secure by default.

FAQs

  • If we integrate a third-party payment processor, do we still need to comply with the new client-side protection requirements (6.4.3 & 11.6.1)?

    Yes. Even if you use a third-party payment processor on your payment page, malicious actors could still compromise your website’s code, leaving you vulnerable to Magecart attacks and resulting in noncompliance. PCI DSS issued a clarification about this in version 4.0.1.

  • We embed our third-party payment processor using an iframe. Do we need to comply with the new client-side protection requirements (6.4.3 & 11.6.1)?

    Yes. You are still vulnerable to Magecart attacks. Attackers can exploit vulnerabilities in the payment page infrastructure, allowing them to exfiltrate payment data with malicious scripts even if that data is entered inside an iframe. PCI DSS issued a clarification about this in version 4.0.1.

  • Will using the Imperva Application Security Platform make my organization PCI-compliant?

    While Imperva and its entire infrastructure are PCI-compliant, you still need to pass an audit. Our cybersecurity solutions are designed to help organizations meet the complex requirements of PCI DSS 4.0.

  • How does Imperva address client-side security requirements in PCI DSS 4.0?

    Imperva’s Client-Side Protection solution offers comprehensive visibility and control over all client-side scripts and resources, helping you comply with PCI DSS 4.0 requirements 6.4.3 and 11.6.1. Our solution includes real-time monitoring, actionable insights, and automated enforcement to protect against client-side attacks like Magecart.
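As an added example (not Imperva's code or part of this page), the kind of check that underlies a script inventory and change-detection control for requirements 6.4.3 and 11.6.1: every script on a payment-page snapshot is compared against an authorized list with SRI integrity values, and the Content-Security-Policy header against a baseline. The hostnames, digests and page contents are constructed placeholders.

```python
# Added example (not Imperva's code): minimal payment-page check in the spirit of
# PCI DSS 4.0 req. 6.4.3 (script inventory, authorization, integrity) and 11.6.1
# (detecting unauthorized changes to payment-page headers and content).
import base64
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def sri_hash(content):
    """SRI-style digest of inline script content ("sha256-<base64>")."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content.encode()).digest()).decode()

def inventory_scripts(html):
    """Inventory every <script>: src (or 'inline'), integrity attribute, inline body hash."""
    found = []
    for attrs, body in SCRIPT_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        found.append({"src": a.get("src", "inline"), "integrity": a.get("integrity", ""),
                      "hash": "" if "src" in a else sri_hash(body)})
    return found

def check_payment_page(html, headers, authorized, baseline_csp):
    """Findings: scripts not on the authorized list, SRI mismatches, CSP header drift."""
    findings = []
    for s in inventory_scripts(html):
        key = s["src"] if s["src"] != "inline" else "inline:" + s["hash"]
        if key not in authorized:
            findings.append("unauthorized script: " + key)
        elif s["src"] != "inline" and s["integrity"] != authorized[key]:
            findings.append("integrity mismatch for " + key)
    if headers.get("Content-Security-Policy") != baseline_csp:
        findings.append("Content-Security-Policy header changed from baseline")
    return findings

# Constructed baseline: the two scripts the merchant authorized and the expected CSP.
# "sha256-EXAMPLEDIGEST" stands in for the real SRI value of checkout.js.
AUTHORIZED = {"https://pay.example.com/checkout.js": "sha256-EXAMPLEDIGEST",
              "inline:" + sri_hash("initCheckout();"): "inline"}
BASELINE_CSP = "script-src 'self' https://pay.example.com"
GOOD_HTML = ('<script src="https://pay.example.com/checkout.js" integrity="sha256-EXAMPLEDIGEST">'
             '</script><script>initCheckout();</script>')
# Constructed drift: modified inline script, an extra unlisted script (CSP loosened in the call).
DRIFTED_HTML = GOOD_HTML.replace("initCheckout();", "initCheckout(); trackUser();") + \
    '<script src="https://unknown-cdn.example/extra.js"></script>'
```

Running `check_payment_page(DRIFTED_HTML, {"Content-Security-Policy": "script-src *"}, AUTHORIZED, BASELINE_CSP)` yields three findings (changed inline script, unlisted script, CSP drift), while the baseline page with its baseline header yields none.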