Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

To address stakeholder feedback and questions received since PCI DSS v4.0 was published, the PCI Security Standards Council (PCI SSC) has published a limited revision to the standard, PCI DSS v4.0.1. It includes corrections to formatting and typographical errors and clarifies the focus and intent of some of the requirements and guidance. There are no additional or deleted requirements in this revision.

As of March 31, 2025, full enforcement of the PCI DSS 4.0 guidelines is now in effect. This latest version introduces critical updates that strengthen payment card data security across digital environments. Among the most notable changes are requirements that target client-side security, an area that has been largely overlooked until now.

Google Analytics 4 (GA4) is not designed to comply with HIPAA — and using it on healthcare websites may expose Protected Health Information (PHI) to third parties.

Third-party pixels are snippets of JavaScript embedded on healthcare websites to track user behavior — but they can unintentionally transmit PHI (Protected Health Information) to unauthorized recipients like Meta, Google, and others. Common pixel-triggered compliance issues include: Recent lawsuits and regulatory crackdowns (including FTC enforcement and OCR guidance) have made it clear: tracking technologies on healthcare websites can constitute a HIPAA breach.

In 2025, HIPAA enforcement has expanded beyond internal systems and EHRs to include what happens in users’ browsers. That means even seemingly harmless scripts — like ad pixels or analytics tags — can expose protected health information (PHI).

Infostealers don’t behave like traditional malware. They work silently in the browser — the client side — harvesting saved passwords, session tokens, credit card data, and more. Attackers use common browser behaviors (JavaScript execution, third-party scripts, DOM manipulations) to: These threats often bypass traditional server-side or endpoint protection, making them invisible to most security tools unless you’re monitoring the browser itself.

Financial services firms operate in a high-risk environment where personal and financial data converge — and errors are expensive. Despite robust back-end controls, many still: GDPR’s complexity — 99 articles and multiple regional interpretations — creates audit friction even for mature teams.

Because PCI DSS 4.0 shifts focus to client-side risk, payment pages — especially those using JavaScript, third-party scripts, or marketing tags — are under increased scrutiny. Even if your backend is secure, what happens in the browser can expose cardholder data or create audit failure risk.

Pixel tracking violations have cost U.S. healthcare providers over $100 million in fines, exposing critical gaps in HIPAA compliance and patient data privacy. Failures included missing risk assessments, no consent, and weak vendor oversight.

Protecting client-side web applications and websites is a critical goal shared by both the application development and cybersecurity teams. Web application vulnerabilities are among the most common attack vectors. However, there’s still confusion over who owns client-side security: As application security shifts left, the answer is: both teams must collaborate.