March 31, 2025: The Clock is Ticking. What if a single overlooked script could cost your business $100,000 per month in non-compliance fines? PCI DSS v4 is coming, and businesses handling payment card data must be prepared.
Beyond fines, non-compliance exposes businesses to web skimming, third-party script attacks, and emerging browser-based threats.
So, how do you get ready in time?
Reflectiz sat down with Abercrombie & Fitch (A&F), for a no-holds-barred discussion about the toughest PCI DSS v4 challenges.
Kevin Heffernan, Director of Risk at A&F, shared actionable insights on:
➡ Watch the Full PCI DSS v4 Webinar Now
(Free On-Demand Access – Learn from A&F’s Compliance Experts)
PCI DSS v4 introduces stricter security standards—especially for third-party scripts, browser security, and continuous monitoring. Two of the biggest challenges for online merchants are requirements 6.4.3 and 11.6.1.
Most businesses rely on third-party scripts for checkout, analytics, live chat, and fraud detection. But attackers exploit these scripts to inject malicious code into payment pages (Magecart-style attacks).
Script Inventory – Every script loaded in a user’s browser must be logged and justified.
Integrity Controls – Businesses must verify the integrity of all payment page scripts.
Authorization – Only approved scripts should execute on checkout pages.
Even if your scripts are secure today, attackers can inject malicious changes later.
Mechanism – Deploy a continuous change- and tamper-detection mechanism for payment page scripts.
Unauthorized changes – Monitor HTTP headers to detect unauthorized modifications.
Integrity – Weekly integrity checks (or more frequently based on risk levels and indicators of compromise).
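The two requirements above come down to one recurring job: know which scripts a payment page loads, confirm each one is authorized and unchanged, and notice when the page or its security headers drift from the approved baseline. The following is an added example, not code from Reflectiz or A&F, showing how such a check can be built on a sample page: it inventories external and inline script tags, compares each script body's SRI-style sha384 digest against an approved inventory with a justification per script (6.4.3), and reports monitored headers that differ from the baseline (11.6.1). The page HTML, fetched script bodies, approved inventory and headers are constructed inline so the code runs offline; a real monitor would fetch them from the live page.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource-Integrity style digest (sha384-<base64>) of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptInventory(HTMLParser):
    """Collect every <script> on a page: external ones (src) and inline ones (body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of {"src": str | None, "body": str}
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append({"src": self._src, "body": "".join(self._buf)})


def inventory_scripts(html: str):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.scripts


def check_scripts(inventory, fetched_bodies, approved):
    """6.4.3: classify each script as ok, changed, or unauthorized (not in the inventory)."""
    findings = []
    for entry in inventory:
        if entry["src"] is None:
            body = entry["body"].encode()
            key = "inline:" + sri_hash(body)   # inline scripts have no URL; key them by digest
        else:
            key = entry["src"]
            body = fetched_bodies.get(key, b"")
        digest = sri_hash(body)
        if key not in approved:
            status = "unauthorized"            # loaded, but never justified and approved
        elif approved[key]["hash"] != digest:
            status = "changed"                 # content differs from the approved version
        else:
            status = "ok"
        findings.append((key, status))
    return findings


MONITORED_HEADERS = ("content-security-policy", "strict-transport-security")


def check_headers(observed, baseline):
    """11.6.1: report monitored security headers whose value differs from the baseline."""
    obs = {k.lower(): v for k, v in observed.items()}
    base = {k.lower(): v for k, v in baseline.items()}
    return [(name, base.get(name), obs.get(name))
            for name in MONITORED_HEADERS if obs.get(name) != base.get(name)]


# --- Constructed sample data (hypothetical hosts, not real services) ---------
CHECKOUT_JS = b"function pay(form){return submit(form);}"
TAG_JS_APPROVED = b"track('pageview');"
INLINE_JS = 'window.checkoutConfig={currency:"USD"};'

PAYMENT_PAGE_HTML = (
    "<html><head>"
    '<script src="https://cdn.example-pay.test/checkout.js"></script>'
    '<script src="https://analytics.example.test/tag.js"></script>'
    '<script src="https://unknown-tag.test/x.js"></script>'
    f"<script>{INLINE_JS}</script>"
    "</head><body></body></html>"
)

# Script bodies as fetched this run: tag.js no longer matches its approved digest
FETCHED_SCRIPTS = {
    "https://cdn.example-pay.test/checkout.js": CHECKOUT_JS,
    "https://analytics.example.test/tag.js": b"track('pageview');loadExtra();",
    "https://unknown-tag.test/x.js": b"x();",
}

# Approved inventory: every entry carries a justification, as 6.4.3 expects
APPROVED = {
    "https://cdn.example-pay.test/checkout.js": {"hash": sri_hash(CHECKOUT_JS), "justification": "payment form handling"},
    "https://analytics.example.test/tag.js": {"hash": sri_hash(TAG_JS_APPROVED), "justification": "web analytics"},
    "inline:" + sri_hash(INLINE_JS.encode()): {"hash": sri_hash(INLINE_JS.encode()), "justification": "checkout config"},
}

BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://cdn.example-pay.test https://analytics.example.test",
    "Strict-Transport-Security": "max-age=31536000",
}
# Observed CSP now allows an extra host: a header change that 11.6.1 wants flagged
OBSERVED_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://cdn.example-pay.test https://analytics.example.test https://unknown-tag.test",
    "Strict-Transport-Security": "max-age=31536000",
}


def run_check():
    """Run both checks against the constructed sample and return the findings."""
    inventory = inventory_scripts(PAYMENT_PAGE_HTML)
    return {"scripts": check_scripts(inventory, FETCHED_SCRIPTS, APPROVED),
            "headers": check_headers(OBSERVED_HEADERS, BASELINE_HEADERS)}


if __name__ == "__main__":
    for key, status in run_check()["scripts"]:
        print(f"{status:12} {key}")
    for name, old, new in run_check()["headers"]:
        print(f"header changed: {name}\n  baseline: {old}\n  observed: {new}")
```

Scheduling this weekly satisfies the minimum cadence; running it far more often is cheap and shortens the window in which a changed script goes unnoticed. A "changed" result for a vendor script is expected whenever the vendor ships an update, so the workflow around the check is to review the new content, then re-approve its digest rather than silently accept it.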
Try the Reflectiz PCI Dashboard – Free 30-Day Trial
A recent clarification from the PCI council states the following regarding SAQ A [self-assessment questionnaire] merchants:
Note that even if you qualify for SAQ A, your entire website must still be secured. Many businesses will still need real-time monitoring and alerts, making full compliance solutions relevant regardless.
With multiple payment pages to secure across the globe, Abercrombie & Fitch’s compliance journey was complex. Kevin Heffernan, Director of Risk, identified three common mistakes that online merchants make.
While Content Security Policy (CSP) helps prevent script-based attacks, it doesn’t cover dynamic changes in scripts or external resources. PCI DSS requires additional integrity verification.
Most retailers rely on external payment gateways, chat widgets, and tracking scripts. If these vendors don’t comply, you’re still responsible. Regularly audit third-party integrations.
PCI DSS v4 mandates ongoing monitoring—meaning you can’t just audit scripts once and forget about it. Continuous monitoring solutions will be critical for compliance.
Try the Reflectiz PCI Dashboard with a 30-day free trial.
Waiting too long to start creates security gaps and risks costly fines. A&F’s experience shows why early preparation is critical.
➡ Avoid Costly PCI Fines – Watch the PCI DSS v4 Webinar Now to learn how a major global retailer tackled compliance—and what you can do today to avoid fines and security risks.