
PCI DSS 4.0.1 Compliance at Scale: A Practical Guide for Payment Processors SAQ D

This guide for payment processors (SAQ D) begins with a major challenge in today’s digital payment landscape. Payment processors must secure payment pages across thousands of merchant websites, far beyond managing a single payment system. To put this in perspective, here is a real-world example: a payment processor with 10,000 merchants needs to monitor approximately 30,000 payment pages daily. That’s 30,000 potential points of vulnerability requiring constant surveillance.

Yahoo Finance: U.S. Lawmakers Push to Ban China's DeepSeek AI Over Security Risks - Feroot Security Analysis

Washington, D.C. – U.S. lawmakers announced a bill to ban DeepSeek, the Chinese AI chatbot app, from government devices following a security analysis by Feroot Security that revealed alarming privacy and national security risks. The research suggests that DeepSeek collects user data, including digital fingerprints, login credentials, and behavioral information, potentially sending it to servers tied to the Chinese government.

PCI DSS 4.0.1 Compliance for Payment Providers (SAQ D) - How to Ensure Compliance Across Thousands of Payment Pages

Compliance for payment providers (SAQ D) presents unique challenges due to their distributed business model. With payment pages, iframes, and forms embedded across thousands of merchant websites, ensuring consistent security and maintaining PCI DSS 4.0.1 compliance requires sophisticated solutions and strategies.

Feroot Security Research Reveals DeepSeek AI's Hidden Data Pipeline to China

ABC Good Morning America featured an exclusive report this morning highlighting Feroot’s discovery of concerning code within DeepSeek’s AI platform. Feroot, a leading cybersecurity firm, uncovered hidden capabilities enabling direct data transmission from DeepSeek to China Mobile servers.

AP News - Feroot Research Uncovers DeepSeek's Connection to Chinese State-Owned Telecom

Researchers at Feroot Security have identified computer code within the web-based version of DeepSeek’s AI chatbot that could potentially send user login information to China Mobile, a Chinese state-owned telecommunications company. This discovery raises significant privacy and national security concerns, particularly as China Mobile has been barred from operating in the United States due to its alleged ties with the Chinese government and military.

CNBC: Feroot Security CEO, Ivan Tsarynny, Talks about DeepSeek's Hidden Data Harvesting Risks

AI training data has become a major concern as DeepSeek reached the top spot on the App Store, sparking debates about data privacy and national security. In a timely CNBC interview amid the DeepSeek controversy, Feroot Security CEO Ivan Tsarynny highlighted the critical intersection of data collection, AI development, and security risks. He emphasized how the data collected through apps plays a crucial role in AI advancements, raising further concerns about digital privacy.

Top 3 Mistakes PCI DSS SAQ-D Service Providers Are Making in 2025 That Will Knock Them Out of PCI DSS 4 Compliance

PCI DSS compliance for SAQ-D service providers and merchants is more critical than ever. Despite widespread awareness of the updated requirements, it appears that over 90% of service providers remain unaware that they must implement new technical measures for the iFrames (with payment functions loaded) on their customers’ payment pages to meet Requirements 6.4.3 and 11.6.1.

PCI 4 for SAQ-A & SAQ-A-EP: Everything Merchants Need to Know to Master PCI DSS 4 Compliance

PCI DSS 4 introduces new requirements for SAQ-A and SAQ-A-EP merchants. The key changes are Requirements 6.4.3 and 11.6.1. While these requirements play a crucial role in preventing and detecting e-commerce skimming attacks, they also require merchants to implement and operate new technical capabilities on payment webpages. Requirements 6.4.3 and 11.6.1 apply to all scripts executed in a consumer’s browser on payment pages, defined as web-based interfaces that capture or submit account data.

SAQ A-EP: Top 5 Actions Merchants Must Take to Comply with PCI DSS 4 Requirements 6.4.3 and 11.6.1 by March 31, 2025

SAQ A-EP is a key focus of the Payment Card Industry Data Security Standard (PCI DSS) version 4, which introduces changes affecting merchants. Designed for e-commerce merchants who partially outsource their payment processing but have website elements impacting transaction security, SAQ A-EP ensures compliance with these updated requirements. This article clarifies these changes and outlines the top 5 actions SAQ A-EP merchants should take before March 31, 2025.