Executive Summary
PCI DSS 4.0.1 compliance mandates stricter security controls for web applications and APIs. Key updates include maintaining an inventory of custom software (PCI 6.3.2) and managing payment page scripts to prevent skimming attacks (PCI 6.4.3). Organizations must also adopt risk-based vulnerability prioritization (PCI 11.3.1.1), perform authenticated internal vulnerability scans (PCI 11.3.1.2), implement mechanisms to detect payment page tampering (PCI 11.6.1), and support continuous compliance to meet these requirements.
This blog explains what those expanded requirements mean in practice and how organizations can operationalize them using a unified application security approach with Qualys TotalAppSec.
Introduction
2025 has been a milestone year for organizations operating in the payment ecosystem. As of April 1, all merchants and third-party payment service providers are now required to comply with the expanded set of PCI DSS 4.0 controls—51 new requirements in total. These changes introduced stronger protections around authentication, encryption, logging, and continuous security monitoring, prompting many organizations to reassess and modernize their security programs, processes, and tooling.
During this peak holiday shopping season, organizations involved in online payment processing must be more vigilant than ever. Attackers increasingly target web applications, APIs, and client-side scripts to launch skimming, fraud, malware injection, and account takeover attacks, often when transaction volumes and business impact are at their highest.
This blog is designed for security leaders, AppSec teams, compliance managers, developers, and anyone responsible for securing digital payment experiences under PCI DSS 4.0.1. It breaks down the updated requirements related to web applications and APIs, explains how these changes affect day-to-day operations, and outlines how organizations can modernize their application security practices to reduce risk, strengthen payment integrity, and prepare confidently for QSA assessments.
Key Web Application and API Security Changes in PCI DSS 4.0.1
PCI DSS 4.0.1 introduced several new or strengthened requirements explicitly focused on PCI DSS web application requirements and PCI DSS API security. These updates reflect a broader shift where attackers are increasingly targeting application-layer weaknesses, rather than relying solely on infrastructure. Below are the most relevant changes for AppSec teams.
Inventory of Bespoke/Custom Software (PCI 6.3.2)
Organizations must maintain a complete and up-to-date inventory of all custom software, including custom web applications, APIs, and third-party components embedded within them. This is foundational for vulnerability management, risk assessment, and patch planning.
Payment Page Script Management (PCI 6.4.3)
Any script loaded or executed in the consumer’s browser on a payment page must be inventoried, authorized, and validated for integrity. This requirement directly targets the rise of Magecart-style skimming attacks and malicious JavaScript injection.
Risk-Based Treatment of Non-Critical Vulnerabilities (PCI 11.3.1.1)
According to PCI DSS 4.0.1, even vulnerabilities with a severity level below high or critical must be addressed, depending on the context and risk. Organizations must show evidence of risk-based prioritization, not just CVSS scores.
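To show what "evidence of risk-based prioritization" can look like in practice, here is an added example written for this article (not Qualys' or TotalAppSec's risk model). It starts from the scanner's CVSS base score, layers on the context an assessor asks about (cardholder data environment membership, internet exposure, known exploitation, reachability before login) and records every adjustment in the output, so the ranking carries its own rationale. The weights, the remediation SLA table and the three sample findings are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float             # CVSS v3 base score as reported by the scanner
    in_cde: bool            # asset stores, processes or transmits cardholder data
    internet_facing: bool
    known_exploited: bool   # public exploitation reported for this weakness class
    unauthenticated: bool   # reachable before login


# Illustrative organization policy (assumption), not a PCI-mandated table.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Context adjustments (assumption): each one adds to the base score and is logged.
ADJUSTMENTS = (
    ("in_cde", 2.0, "asset is in the cardholder data environment"),
    ("internet_facing", 1.0, "asset is internet-facing"),
    ("known_exploited", 2.0, "exploitation is known in the wild"),
    ("unauthenticated", 0.5, "reachable without authentication"),
)


def band(score: float) -> str:
    """Map a 0-10 score onto the CVSS qualitative bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(f: Finding) -> dict:
    """Return the prioritization record for one finding, rationale included."""
    score = f.cvss
    reasons = [f"CVSS base {f.cvss:.1f} ({band(f.cvss)})"]
    for attr, weight, text in ADJUSTMENTS:
        if getattr(f, attr):
            score += weight
            reasons.append(f"{text} (+{weight:.1f})")
    score = min(round(score, 1), 10.0)
    risk = band(score)
    return {
        "asset": f.asset,
        "title": f.title,
        "cvss_band": band(f.cvss),      # what a severity-only view would say
        "risk_score": score,
        "risk_band": risk,              # what the contextual view says
        "sla_days": SLA_DAYS[risk],
        "rationale": "; ".join(reasons),
    }


def rank_findings(findings):
    """Order findings by contextual risk, highest first."""
    return sorted((prioritize(f) for f in findings), key=lambda r: r["risk_score"], reverse=True)


# Constructed sample findings (hypothetical hosts, not real scan output).
SAMPLE = [
    Finding("checkout.example/pay", "Outdated JavaScript library on payment page", 5.3, True, True, True, True),
    Finding("staging.internal/admin", "Outdated framework component", 7.5, False, False, False, False),
    Finding("intranet.internal/wiki", "Verbose error page", 3.1, False, False, False, False),
]

if __name__ == "__main__":
    for r in rank_findings(SAMPLE):
        print(f"{r['risk_band']:8} {r['risk_score']:>4} {r['sla_days']:>3}d {r['asset']}: {r['rationale']}")
```

The point of the record is the `rationale` field: the medium-severity finding on the payment page outranks the high-severity finding on an internal staging host, and the low-severity finding still receives a remediation window rather than being dropped, with the reasoning for each written down.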
Mandatory Authenticated Internal Vulnerability Scans (PCI 11.3.1.2)
Internal scanners must authenticate to applications and systems. Authenticated scanning gives more comprehensive coverage, including logic flaws, protected functionality behind login, and application paths that are not publicly visible.
Tamper-Detection for Payment Pages (PCI 11.6.1)
Organizations must implement controls to detect unauthorized changes to payment pages, including injected or altered scripts, modified HTTP headers, and content modifications that may compromise security controls. The objective is to detect and stop web skimming attacks early.
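Requirements 6.4.3 and 11.6.1 come down to checks a monitor can run against a payment page on a schedule: every script present is in an authorized inventory, each external script's Subresource Integrity (SRI) hash still matches what is actually being served, inline scripts match an approved set, and the Content-Security-Policy restricts where scripts may load from. The following Python script is an added example written for this article, not TotalAppSec or Qualys code. The inventory, page HTML, script bodies, hostnames and CSP header are constructed sample data, and the finding codes (UNAUTHORIZED_SCRIPT, CONTENT_CHANGED and so on) are names chosen here.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ("sha384-<base64 digest>") for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode('ascii')}"


class ScriptCollector(HTMLParser):
    """Collect every <script> element: src, integrity attribute and inline body."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script bodies to handle_data
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def check_csp(csp_header):
    """Flag a missing CSP, or a script policy that does not restrict origins."""
    if not csp_header:
        return [{"code": "CSP_MISSING", "detail": "no Content-Security-Policy header"}]
    parts = [p.split() for p in csp_header.split(";") if p.split()]
    directives = {p[0]: p[1:] for p in parts}        # directive name -> source list
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return [{"code": "CSP_WEAK", "detail": "neither script-src nor default-src set"}]
    bad = sorted({"*", "'unsafe-inline'", "https:", "http:"} & set(sources))
    return [{"code": "CSP_WEAK", "detail": f"script sources allow {bad}"}] if bad else []


def audit_payment_page(html, csp_header, authorized, inline_allowed, fetched_bodies):
    """Compare a live page with the authorized inventory and list deviations.
    authorized: {url: SRI token}; inline_allowed: set of SRI tokens of approved
    inline bodies; fetched_bodies: {url: bytes} retrieved by the monitor itself."""
    findings = check_csp(csp_header)
    collector = ScriptCollector()
    collector.feed(html)
    for s in collector.scripts:
        if s["src"] is None:                        # inline script: identify by content hash
            token = sri_hash(s["inline"].strip().encode())
            if token not in inline_allowed:
                findings.append({"code": "UNAUTHORIZED_INLINE", "detail": token})
            continue
        src, expected = s["src"], authorized.get(s["src"])
        if expected is None:                        # not in the inventory at all
            findings.append({"code": "UNAUTHORIZED_SCRIPT", "detail": src})
            continue
        if s["integrity"] is None:                  # inventory requires SRI on this script
            findings.append({"code": "MISSING_SRI", "detail": src})
        elif s["integrity"] != expected:            # the page markup itself was edited
            findings.append({"code": "SRI_MISMATCH", "detail": src})
        body = fetched_bodies.get(src)
        if body is not None and sri_hash(body) != expected:   # the served file changed
            findings.append({"code": "CONTENT_CHANGED", "detail": src})
    return findings


# --- constructed sample data (hypothetical hosts, not a real merchant) ---
GOOD_CHECKOUT = b"window.checkout = function (form) { /* approved build */ };"
GOOD_VENDOR = b"var vendor = { version: '1.0' };"
GOOD_INLINE = "window.__checkoutConfig = { currency: 'USD' };"
CHECKOUT_URL = "https://checkout.example/js/checkout.js"
VENDOR_URL = "https://cdn.example/lib/vendor.js"
INVENTORY = {CHECKOUT_URL: sri_hash(GOOD_CHECKOUT), VENDOR_URL: sri_hash(GOOD_VENDOR)}
INLINE_ALLOWED = {sri_hash(GOOD_INLINE.encode())}
# Observed page: vendor.js altered at the CDN, an unlisted script added, one unapproved inline script.
LIVE_HTML = f"""<html><body><form id="pay"></form>
<script src="{CHECKOUT_URL}" integrity="{INVENTORY[CHECKOUT_URL]}"></script>
<script src="{VENDOR_URL}" integrity="{INVENTORY[VENDOR_URL]}"></script>
<script src="https://stats.example/t.js"></script>
<script>{GOOD_INLINE}</script>
<script>console.log('not in the approved inline set');</script>
</body></html>"""
LIVE_BODIES = {CHECKOUT_URL: GOOD_CHECKOUT, VENDOR_URL: GOOD_VENDOR + b"\n/* altered */"}
LIVE_CSP = "default-src 'self'; script-src 'self' https://checkout.example https://cdn.example"


def demo_findings():
    return audit_payment_page(LIVE_HTML, LIVE_CSP, INVENTORY, INLINE_ALLOWED, LIVE_BODIES)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['code']:20} {f['detail']}")
```

Run as-is, the constructed page produces three findings: CONTENT_CHANGED for vendor.js (the markup still carries the approved SRI hash, but the file served by the CDN no longer matches it), UNAUTHORIZED_SCRIPT for the stats host, and UNAUTHORIZED_INLINE for the added inline block. The design choice worth noting is that the monitor hashes the script bodies it fetched itself rather than trusting the integrity attribute in the page, since an attacker who can edit the page can also edit the attribute; comparing both against the inventory is what makes a change on either side visible.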
From PCI DSS 4.0.1 Requirements to Operational Application Security
To effectively meet these expanded requirements, organizations must implement a robust application security platform that delivers continuous visibility, rigorous testing, and prioritized risk management across both web applications and APIs. Qualys TotalAppSec is explicitly designed for this purpose, integrating API and web application testing, web malware detection, and comprehensive application risk management into a single, powerful solution. It proactively discovers web applications and APIs, even those that are currently unknown or unmanaged, identifies vulnerabilities, assesses contextual risks, and provides clear, actionable insights.
With capabilities such as deep crawling, authenticated scanning, and continuous monitoring, TotalAppSec empowers organizations to operationalize the heightened application security requirements of PCI DSS 4.0.1 and maintain a strong, defensible application security posture over time.
How TotalAppSec supports PCI DSS 4.0.1 Requirements
Below is a streamlined summary of how TotalAppSec maps to key PCI DSS 4.0.1 controls.
Section 6: Develop and maintain secure systems and software
| PCI Section | PCI Requirements | Applicable to TotalAppSec? | TotalAppSec Capabilities |
| --- | --- | --- | --- |
| 6.3.1 | Identifying and managing vulnerabilities | Yes | TotalAppSec supports this requirement by tracking 100+ security bulletins to add new signatures, assigning contextual risk ratings (critical/high/medium/low), helping teams assess impact beyond severity alone, and scanning all web applications and APIs for both known and emerging vulnerabilities. Together, these capabilities help organizations continuously identify, prioritize, and remediate vulnerabilities in alignment with PCI’s risk-ranking standards. |
| 6.3.2 | Inventory of bespoke and custom software | Yes | TotalAppSec automatically discovers known and unknown web applications and APIs through web application crawling, API gateway integrations, TotalCloud connectors, and analysis of internal and external hosts. This creates and maintains the complete application inventory required by PCI DSS 6.3.2. |
| 6.4.1 | Protect public-facing web applications | Yes | TotalAppSec scans public-facing web applications and APIs for vulnerabilities using automated, intelligent application security testing. It helps organizations identify new threats and maintain continuous testing for vulnerabilities. |
| 6.4.3 | Manage payment page scripts | Yes | TotalAppSec includes specialized detections (QIDs) for payment page security: QID 153008 (identification of payment pages), QID 153009 (detection of JavaScript on payment pages), QID 150545 (detection of JavaScript loaded from external servers), QID 150621 (inventory of all JavaScript assets), QID 150288 (incorrect Subresource Integrity (SRI) cryptographic hash), QID 150206 (Content-Security-Policy not implemented), and QID 150226 (detection of pages collecting sensitive information without authentication). These controls directly support script inventory, authorization, and integrity validation. |
Section 11: Test Security of Systems and Networks Regularly
| PCI Section | PCI Requirements | Applicable to TotalAppSec? | TotalAppSec Capabilities |
| --- | --- | --- | --- |
| 11.3.1 | Internal vulnerability scans | Yes | TotalAppSec helps organizations meet these requirements by scanning internal web applications and APIs, ranking vulnerabilities using contextual risk, supporting both scheduled and on-demand rescans, offering authenticated scanning, maintaining role-based access control, and continuously updating tests via Qualys Threat Research. This ensures consistent compliance with PCI 11.3.1 and 11.3.1.2. |
| 11.3.2 | External vulnerability scans | Yes | TotalAppSec supports external scanning of web applications and APIs and allows organizations to rescan as needed, submit TotalAppSec scan results to the Qualys PCI ASV platform for attestation, and include web application and API results in attestation reports. |
| 11.6 | Tamper detection for payment pages | Yes | TotalAppSec implements specific QIDs to detect unauthorized changes that could indicate a skimming attack: QID 150206 (missing or incorrect Content-Security-Policy (CSP) headers) and QID 150288 (incorrect Subresource Integrity (SRI) hashes). These detections help identify script manipulation and content tampering that violate PCI 11.6.1. |
How TotalAppSec Helps Organizations Achieve PCI DSS 4.0.1 Compliance
Web application and API Discovery and Inventory
TotalAppSec delivers automated, continuous discovery of web applications and APIs by mapping your entire attack surface, including shadow apps, forgotten subdomains, and undocumented endpoints. It identifies both openly exposed and hidden assets using active crawling, API schema analysis, and connections to API gateways or cloud environments. This gives security teams an up-to-date, authoritative inventory of all applications and APIs, including their security testing status, so that nothing critical is missed and every asset is ready for risk assessment and scanning. This comprehensive discovery and inventory capability supports compliance with PCI section 6.3.2.
Web Application and API Risk Assessment
TotalAppSec delivers comprehensive application and API security testing capabilities designed to protect both internet-facing and internal web applications and APIs. It supports authenticated scanning, enabling thorough assessment of application and API security. The platform can identify and test for both known and emerging vulnerabilities, helping organizations stay ahead of evolving threats.
TotalAppSec assigns risk ratings that consider threat context, vulnerability severity, and the criticality of affected assets, providing actionable insights for prioritization. It also maintains a centralized inventory of scripts and actively monitors payment pages and other sensitive areas to detect unauthorized changes, helping prevent potential attacks.
By combining deep vulnerability detection with contextual risk analysis and continuous monitoring, TotalAppSec empowers organizations to strengthen their application security posture, reduce exposure to cyber threats, ensure the integrity of critical digital assets, and achieve compliance with PCI sections 6.3.1, 6.3.2, 6.4.1, 6.4.3, 11.3.1, 11.3.2, and 11.6.
Submit Full Scan Results for PCI Attestation
With TotalAppSec, organizations can perform comprehensive scans of their web applications and APIs, leveraging advanced capabilities such as deep crawling, progressive scanning, authenticated testing, and granular scanning controls. These features ensure high-quality, high-coverage assessments that uncover vulnerabilities across both known and previously unseen assets. Once scans are completed, customers can seamlessly submit the results for PCI attestation, ensuring they meet the documentation and rigor required for PCI DSS compliance. This unified workflow streamlines compliance efforts by combining robust scanning technology with the ability to produce attestation-ready reports, reducing manual effort and improving overall security assurance.
Why TotalAppSec is Essential for PCI DSS 4.0.1 Compliance
While many organizations previously relied on the Qualys PCI Compliance solution, PCI DSS 4.0.1 introduces new expectations that place greater emphasis on application-layer security. These requirements include deeper application-level testing, broader coverage of the attack surface, and script integrity monitoring.
Addressing these areas requires application security capabilities that extend beyond traditional compliance-focused scanning. Qualys TotalAppSec helps organizations do this by:
- performing advanced crawling and high coverage scanning for both internal and external apps,
- discovering and inventorying web applications and APIs automatically,
- detecting malware and script tampering,
- supporting authenticated scanning and risk-based prioritization,
- allowing submission of results for PCI attestation.
Conclusion
PCI DSS 4.0.1 shifts payment security toward continuous compliance and stronger application-layer protection. As attackers increasingly target web applications and APIs, organizations must maintain ongoing visibility, testing, and risk-based decision-making across their application environments. Aligning application security practices with PCI DSS 4.0.1 helps reduce exposure, strengthen payment integrity, and approach QSA assessments with confidence. Qualys TotalAppSec supports this approach by unifying application discovery, testing, monitoring, and contextual risk insight in a single platform.
Ready to see it in action? Start a trial. Existing customers can contact their Technical Account Manager to upgrade from WAS.
Frequently Asked Questions (FAQs)
What Are the New Application Security Requirements in PCI DSS 4.0?
PCI DSS 4.0 introduces enhanced application security requirements, including maintaining an inventory of bespoke software (6.3.2), managing payment page scripts to address e-commerce skimming (6.4.3), ensuring all vulnerabilities—not just critical or high-risk ones—are managed (11.3.1.1), performing authenticated internal vulnerability scans (11.3.1.2), and implementing mechanisms to detect tampering of payment pages (11.6.1). These requirements became mandatory on March 31, 2025.
Why does PCI DSS Place Increased Focus on Web Applications and APIs?
Modern payment environments rely heavily on web applications, APIs, and client-side scripts. Attackers increasingly target these application-layer components through techniques such as web skimming, API abuse, and malicious script injection. PCI DSS 4.0.1 reflects this shift by strengthening the expectations for application security.
What Does “Risk-Based Vulnerability Management” Mean in PCI DSS 4.0.1?
PCI DSS 4.0.1 requires organizations to prioritize vulnerabilities based on contextual risk, rather than solely on CVSS severity.
Does PCI DSS Require Fixing all Vulnerabilities, Regardless of Severity?
No. PCI DSS does not mandate the immediate remediation of every vulnerability. It requires organizations to assess vulnerabilities in context, prioritize based on risk, and provide evidence of a defensible, risk-based remediation approach.
Why is Monitoring Payment Pages and Client-Side Scripts Important?
PCI DSS 4.0.1 includes requirements to detect unauthorized changes to payment pages, including injected or modified scripts. These controls are designed to detect web-skimming attacks early, before cardholder data is compromised.
How does Qualys TotalAppSec Support PCI DSS 4.0.1 Application Security Requirements?
Qualys TotalAppSec helps organizations support PCI DSS 4.0.1 by providing unified visibility across web applications and APIs, continuous application testing, authenticated scanning, contextual risk insights, and monitoring capabilities. These capabilities help teams operationalize application security requirements and maintain evidence of ongoing application security practices.
Does Qualys TotalAppSec Guarantee PCI DSS Compliance?
No. Qualys TotalAppSec does not guarantee compliance. PCI DSS compliance is determined through a combination of people, processes, and controls, and validated by a Qualified Security Assessor (QSA). TotalAppSec helps organizations support and demonstrate application security practices aligned with PCI DSS requirements.
How does TotalAppSec Complement Existing PCI Compliance Tools?
Traditional PCI compliance tools focus on infrastructure and control validation. TotalAppSec complements these tools by addressing the expanded application-layer scope in PCI DSS 4.0.1, including web applications, APIs, and client-side risks.
Contributors
- Shailesh Soni, Director, Product Management, Cloud Agent Platform
- Sheela Serva, Director, Threat Research and Engineering, Web Application Security
- Manoj Jaisinghani, Lead Software Engineer, Threat Research and Engineering, Web Application Security
- JC Newton, Senior Technical Support Engineer
