PCI DSS compliance for hosted payment pages.
Cardholder data environment security built into the hosting layer. Our infrastructure satisfies the requirements your QSA needs to see — before they arrive.
PCI DSS 4.0 requirements.
PCI DSS 4.0 (effective March 2025) represents the most significant revision to payment card security standards since the framework’s creation. It introduces a customized approach alongside the traditional defined approach, adds requirements for targeted risk analysis, and strengthens encryption mandates.
For merchants hosting payment pages, the standard’s twelve requirement families create obligations at the infrastructure level: network security controls (Requirement 1), secure configurations (Requirement 2), data encryption (Requirement 4), vulnerability management (Requirement 6), access restriction (Requirements 7–8), and monitoring (Requirements 10–11).
PCI DSS 4.0 introduces new requirements specifically relevant to hosted environments: Requirement 6.4.3 mandates integrity monitoring of payment page scripts, Requirement 11.6.1 requires change and tamper detection for HTTP headers and page content, and Requirement 12.3.1 requires targeted risk analyses for customized controls.
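As an added illustration (not PrismWeb's own tooling), the following Python script shows the core of what 6.4.3 and 11.6.1 ask for: an approved baseline of monitored response headers, the page body hash and a per-script hash is compared against a later fetch, and every deviation is reported. The header values, script paths and page content are constructed sample data.

```python
import hashlib
import re
# <script src="..."> references; inline scripts are covered by the page hash.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"', re.IGNORECASE)
# Response headers whose value must not drift from the approved baseline.
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security")

def build_snapshot(headers: dict, html: bytes, scripts: dict) -> dict:
    """Record monitored header values, a hash of the page body, and a hash
    per referenced script; `scripts` maps each src to the bytes served."""
    lower = {k.lower(): v for k, v in headers.items()}
    inventory = SCRIPT_SRC_RE.findall(html.decode("utf-8", "replace"))
    return {
        "headers": {h: lower.get(h) for h in MONITORED_HEADERS},
        "content": hashlib.sha256(html).hexdigest(),
        "scripts": {s: hashlib.sha256(scripts.get(s, b"")).hexdigest() for s in inventory},
    }

def detect_tampering(baseline: dict, current: dict) -> list:
    """One alert per deviation from the approved baseline; empty list means clean.
    A legitimate deploy also trips this: re-approve the baseline after review."""
    alerts = []
    for name, expected in baseline["headers"].items():
        if current["headers"].get(name) != expected:
            alerts.append(f"header changed: {name}")
    if baseline["content"] != current["content"]:
        alerts.append("page content changed")
    for src, digest in current["scripts"].items():
        if src not in baseline["scripts"]:
            alerts.append(f"unauthorized script: {src}")
        elif baseline["scripts"][src] != digest:
            alerts.append(f"script modified: {src}")
    for src in baseline["scripts"]:
        if src not in current["scripts"]:
            alerts.append(f"authorized script missing: {src}")
    return alerts

# Constructed sample: the approved page, then a later fetch with a weakened CSP and an unreviewed script (hypothetical paths).
BASE_HTML = b'<html><head><script src="/js/checkout.js"></script></head></html>'
BASE_HEADERS = {"Content-Security-Policy": "script-src 'self'",
                "Strict-Transport-Security": "max-age=31536000"}
BASE_SCRIPTS = {"/js/checkout.js": b"// approved checkout logic"}
LATER_HTML = BASE_HTML.replace(b"</head>", b'<script src="/js/untracked.js"></script></head>')
LATER_HEADERS = {**BASE_HEADERS, "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}
LATER_SCRIPTS = {**BASE_SCRIPTS, "/js/untracked.js": b"// not in the approved inventory"}

def run_demo() -> list:
    return detect_tampering(build_snapshot(BASE_HEADERS, BASE_HTML, BASE_SCRIPTS),
                            build_snapshot(LATER_HEADERS, LATER_HTML, LATER_SCRIPTS))
```

Running `run_demo()` on the sample yields three alerts: the changed CSP header, the changed page body, and the script that is absent from the approved inventory.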
PrismWeb’s sixteen checks address multiple PCI DSS requirements simultaneously. When your QSA assesses your cardholder data environment, our infrastructure provides the evidence that controls are implemented and operating.
How PrismWeb maps to PCI DSS 4.0 requirements.
| Check | PCI DSS Requirement | Requirement Family |
|---|---|---|
| DNSSEC | 1.2.5, 1.4.2 | Network Security Controls |
| SSL/TLS | 4.2.1, 4.2.2 | Strong Cryptography |
| Enhanced HTTPS | 4.2.1, 6.4.3 | Strong Cryptography, Secure Systems |
| Enhanced TLS | 4.2.1, 4.2.2, 2.2.7 | Strong Cryptography, Secure Config |
| Certificate Validation | 4.2.1, 4.2.1.1 | Strong Cryptography |
| Security Headers | 6.4.3, 11.6.1 | Secure Systems, Monitoring |
| SPF | 5.4.1 | Anti-Phishing |
| DKIM | 5.4.1 | Anti-Phishing |
| DMARC | 5.4.1 | Anti-Phishing |
| MTA-STS | 4.2.1, 5.4.1 | Strong Cryptography, Anti-Phishing |
| TLS-RPT | 10.4.1, 10.4.2 | Logging & Monitoring |
| IP Abuse | 11.3.1, 11.4.1 | Vulnerability Scanning, IDS/IPS |
| WordPress Detection | 6.3.1, 6.3.3 | Vulnerability Management |
| Website Scanning | 6.4.3, 11.6.1 | Secure Systems, Change Detection |
| IPv6 | 1.2.1 | Network Security Controls |
| RPKI | 1.2.1, 1.4.2 | Network Security Controls |
What your QSA needs to see.
Documented TLS versions, cipher suites, and certificate configurations meeting Requirement 4 standards. Evidence that strong cryptography protects cardholder data in transit.
Continuous monitoring of HTTP headers and page content for unauthorized changes, directly satisfying the new 11.6.1 requirement for payment page tamper detection.
Regular scanning evidence showing the absence of known vulnerabilities in your hosting environment. Supports Requirement 11 quarterly scan obligations.
Documentation of isolated hosting environments showing proper CDE segmentation. Each site runs in its own container with separate network controls.
Evidence of SPF, DKIM, and DMARC implementation satisfying Requirement 5.4.1’s anti-phishing mechanisms. Your domain cannot be spoofed to phish cardholder data.
Payment page security from the infrastructure up.
Don’t wait for your QSA to find gaps. Our infrastructure implements and documents PCI DSS controls continuously — so your assessment is validation, not discovery.