{"id":6125,"date":"2025-03-11T09:45:50","date_gmt":"2025-03-11T08:45:50","guid":{"rendered":"https:\/\/pcihispano.com\/?p=6125"},"modified":"2026-05-06T19:14:36","modified_gmt":"2026-05-06T17:14:36","slug":"nuevo-suplemento-informativo-seguridad-en-paginas-de-pago-y-prevencion-de-e-skimming","status":"publish","type":"post","link":"https:\/\/www.pcihispano.com\/en\/nuevo-suplemento-informativo-seguridad-en-paginas-de-pago-y-prevencion-de-e-skimming\/","title":{"rendered":"New information supplement: Security on payment pages and prevention of e-skimming"},"content":{"rendered":"<p><span class=\"intro-text\">The PCI SSC has published a new information supplement (<em>Information Supplement<\/em>) oriented to security on payment pages and prevention of e-skimming attacks as a guide for the implementation of PCI DSS v4.0 controls 6.4.3 and 11.6.1.<\/span><\/p>\n<p>In March 2025 the PCI SSC <a href=\"https:\/\/blog.pcisecuritystandards.org\/new-information-supplement-payment-page-security-and-preventing-e-skimming\" target=\"_blank\" rel=\"noopener\">published<\/a> the Document <a href=\"https:\/\/docs-prv.pcisecuritystandards.org\/PCI%20DSS\/Supporting%20Document\/Guidance-for-PCI-DSS-Requirements-6_4_3-and-11_6_1.pdf\" target=\"_blank\" rel=\"noopener\"><em>Information Supplement: Payment Page Security and Preventing E-Skimming \u2013 Guidance for PCI DSS Requirements 6.4.3 and 11.6.1<\/em><\/a> It explains in more detail the controls for protection against e-skimming attacks. This document is the result of the work of the E-Commerce task forces (<em>E-Commerce Guidance Task Force<\/em>) and small and medium-sized businesses (<em>Small Merchant Business<\/em> <em>Task Force<\/em>), with the support of other equipment such as the <em>Global Executive Assessor Roundtable<\/em> (GEAR). The need to have this information supplement arose from the number of doubts generated after the inclusion of controls 6.4.3 and 11.6.1 in the version of PCI DSS v4.0, whose entry into force will be on April 1, 2025.<\/p>\n<h4>Content and organization of this information supplement<\/h4>\n<p>As we had already advanced in PCI Hispano in the article \u00ab<a href=\"https:\/\/www.pcihispano.com\/en\/implementacion-de-controles-contra-e-skimming-req-6-4-3-y-11-6-1\/\" target=\"_blank\" rel=\"noopener\">Implementation of controls against e-skimming (PCI DSS req. 6.4.3 and 11.6.1)<\/a>\u2018, protection against attacks by <em>e-skimming<\/em>\u00a0 can be implemented using different strategies, but it is very important that all elements required by requirements 6.4.3 and 11.6.1 are covered:<\/p>\n<div class=\"su-note\"  style=\"border-color:#dbdbdb;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#f5f5f5;border-color:#ffffff;color:#333333;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><em>6.4.3 All payment page scripts that are loaded and solved in the consumer\u2019s browser are managed as follows:<\/em><br \/>\n<em>\u2022 A method is implemented to confirm that each script is authorized.<\/em><br \/>\n<em>\u2022 A method is implemented to assure the integrity of each script.<\/em><br \/>\n<em>\u2022 An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.<\/em><br \/>\n<\/div><\/div>\n<div class=\"su-note\"  style=\"border-color:#dbdbdb;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#f5f5f5;border-color:#ffffff;color:#333333;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><em>11.6.1 A change- and tamper-detection mechanism is controlled as follows:<\/em><br \/>\n<em>\u2022 To alert personnel to compromised modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.<\/em><br \/>\n<em>\u2022 The mechanism is designed to evaluate the HTTP headers and payment pages.<\/em><br \/>\n<em>\u2022 The mechanism functions are usually as follows:<\/em><br \/>\n<em>\u2013 At least weekly<\/em><br \/>\n<em>OR<\/em><br \/>\n<em>\u2013 Periodically (at the frequency defined in the entity\u2019s targeted risk analysis, which is defined according to all elements specified in Requirement 12.3.1).<\/em><br \/>\n<\/div><\/div>\n<p><strong>Terminology<\/strong><\/p>\n<p>One of the values provided by this new document is the clarification of concepts and terminology. Finally, the differences between a <strong>page that is not paid<\/strong> (any page that embeds a checkout page and your form fields), a <strong>payment page<\/strong> (a page that may contain one or more elements of a form intended to capture account data or to send that captured data for processing or authorization of the transaction) and a <strong>payment form<\/strong> (form with the fields used to capture the cardholder's account details).\u00a0 Likewise, what is a <strong><em>script<\/em> of a payment page<\/strong> (Javascript, VB Script or WASM components interpreted by the client's browser that can be used for advertising, product selection or security), clarifying that HTML or CSS components cannot be classified as such (as they are not programming languages).<\/p>\n<div id=\"attachment_6143\" style=\"width: 913px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-6143\" class=\"wp-image-6143\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2025\/03\/payment_page.png?resize=900%2C506&#038;ssl=1\" alt=\"\" width=\"900\" height=\"506\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/payment_page.png?w=1280&amp;ssl=1 1280w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/payment_page.png?resize=300%2C169&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/payment_page.png?resize=1024%2C576&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/payment_page.png?resize=768%2C432&amp;ssl=1 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-6143\" class=\"wp-caption-text\">Graphical description of a payment page and its components. Source: John Elliot \u2013 https:\/\/pcirocks.substack.com\/p\/what-exactly-is-a-payment-page<\/p><\/div>\n<div id=\"attachment_6145\" style=\"width: 858px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-6145\" class=\"wp-image-6145\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2025\/03\/iframes.png?resize=848%2C443&#038;ssl=1\" alt=\"\" width=\"848\" height=\"443\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/iframes.png?w=1021&amp;ssl=1 1021w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/iframes.png?resize=300%2C157&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/iframes.png?resize=768%2C402&amp;ssl=1 768w\" sizes=\"auto, (max-width: 848px) 100vw, 848px\" \/><p id=\"caption-attachment-6145\" class=\"wp-caption-text\">Using iframes on a checkout page. Note the similarity of this graph of the information supplement with that published by John Elliot<\/p><\/div>\n<p>Also, here are some examples of HTTP headers that can impact the security of a payment page and that must be configured\/monitored:<\/p>\n<ul>\n<li><em>Content Security Policy (CSP)<\/em><\/li>\n<li><em>X-Frame-Options (protection against clickjacking)<\/em><\/li>\n<li><em>Strict Transport Security (HSTS)<\/em><\/li>\n<li><em>X-XSS-Protection (XSS Filter)<\/em><\/li>\n<li><em>X-Content-Type-Options (prevent MIME sniffing)<\/em><\/li>\n<li><em>Set-Cookie<\/em><\/li>\n<\/ul>\n<p><strong>Scripts<\/strong><\/p>\n<p>It is clarified that the <em>scripts<\/em> can be loaded from a server controlled by the entity (<em>first-party servers<\/em>) or from a third party (<em>third-party servers<\/em>) which, in turn, can load them from other suppliers (<em>four-party servers<\/em>).<\/p>\n<p>On the other hand, the two types of attacks that can compromise active content are explained: <strong>supply chain attacks<\/strong> (where the attacker compromises <em>scripts<\/em> from third parties who are uploaded on the trade page) or <strong>script injection attacks<\/strong> (where the attacker injects <em>scripts<\/em> modified and unauthorized on the payment page to exfiltrate sensitive data).<\/p>\n<p>Once the <em>script<\/em> is injected, can work in a <strong>silent<\/strong> (capturing the data covertly without raising suspicion) or asking for the <strong>data entry twice<\/strong> (one where the <em>script<\/em> captures the data and exfiltrates it and another where it is recaptured to send it to the normal flow of operation).<\/p>\n<p><strong>Payment Page Scenarios<\/strong><\/p>\n<p>This section reminds us of that famous Visa document from 2014 (<a href=\"https:\/\/pcihispano.com\/wp-content\/uploads\/2025\/03\/processing-e-commerce-payments-guide.pdf\" target=\"_blank\" rel=\"noopener\">Processing e-commerce payments<\/a>) where the different payment page scenarios were categorised. However: in 2025 this has not changed much and the categorisation remains similar:<\/p>\n<ul>\n<li>Payment forms hosted by the merchant, including <em>Merchant-Posted Payment<\/em> y <em>Direct-Post Payment<\/em>.<\/li>\n<li>Embedded payment forms (<em>iframes<\/em>)<\/li>\n<li>Redirection<\/li>\n<li>Full delegation (<em>fully outsourced<\/em>)<\/li>\n<\/ul>\n<p>Based on this categorization are established <strong>responsibilities for the implementation of controls by the trade and its suppliers<\/strong>:<\/p>\n<div id=\"attachment_6134\" style=\"width: 792px\" class=\"wp-caption aligncenter\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-6134\" class=\"wp-image-6134\" src=\"https:\/\/i0.wp.com\/pcihispano.com\/wp-content\/uploads\/2025\/03\/aplicability.png?resize=782%2C359&#038;ssl=1\" alt=\"\" width=\"782\" height=\"359\" srcset=\"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/aplicability.png?w=1026&amp;ssl=1 1026w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/aplicability.png?resize=300%2C138&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/aplicability.png?resize=1024%2C470&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/aplicability.png?resize=768%2C353&amp;ssl=1 768w\" sizes=\"auto, (max-width: 782px) 100vw, 782px\" \/><p id=\"caption-attachment-6134\" class=\"wp-caption-text\">Applicability and responsibility of controls 6.4.3 and 11.6.1<\/p><\/div>\n<p>Additional clarifications related to the PCI DSS SAQ A applicability criteria already discussed in PCI Hispano are also included (<a href=\"https:\/\/www.pcihispano.com\/en\/cambios-en-el-saq-a-de-pci-dss-enero-2025\/\" target=\"_blank\" rel=\"noopener\">Changes in SAQ A of PCI DSS v4.0.1<\/a>).<\/p>\n<p><strong>Best practices for minimizing the risks of using <em>scripts<\/em> from third parties<\/strong><\/p>\n<p>This document also includes a list of best practices to minimize the risk in the use of scripts provided by third parties, including:<\/p>\n<ul>\n<li>Minimize the number of <em>scripts<\/em> to the strictly necessary<\/li>\n<li>Move the <em>scripts<\/em> to isolated iframes<\/li>\n<li>Limit the sources of <em>scripts<\/em><\/li>\n<li>Understand the behavior of scripts, and<\/li>\n<li>Execute technical security validations periodically or continuously (code review, behavior analysis and \/ or monitoring at runtime)<\/li>\n<\/ul>\n<p><strong>Controls and techniques to meet requirements 6.4.3 and 11.6.1<\/strong><\/p>\n<p>As already advanced in <a href=\"https:\/\/www.pcihispano.com\/en\/implementacion-de-controles-contra-e-skimming-req-6-4-3-y-11-6-1\/\" target=\"_blank\" rel=\"noopener\">PCI Hispano<\/a>, there are several techniques to implement the security controls required by these requirements.<\/p>\n<ul>\n<li><em>Content Security Policy<\/em> (CSP) and <em>Sub-resource Integrity<\/em> (NIS)<\/li>\n<li>Monitoring of web pages without agents (<em>agentless<\/em>) or with agents<\/li>\n<li>Use of proxies<\/li>\n<\/ul>\n<p><strong>Evidence of compliance and best practices<\/strong><\/p>\n<p>And finally, the document includes a series of best practices for service providers and businesses as well as a guide for advisors and entities about the evidence necessary to demonstrate the correct implementation of the controls.<\/p>\n<h4>Conclusion<\/h4>\n<p>This information supplement was something that had been waiting for a long time. Requirements 6.4.3 and 11.6.1, being new to PCI DSS, did not have sufficient documentation and implementation experience as it does with other more \"traditional\" controls such as anti-malware solutions, firewalls, intrusion detection\/prevention systems or file integrity monitoring.\u00a0 For that reason, the indications, suggestions and best practices in the industry, centralized by the PCI SSC in these documents, become an indispensable tool to avoid problems derived from misinterpretations of the controls or partial implementation of solutions that can lead to a false sense of security and expose the entity to incidents.<\/p>\n<p>From PCI Hispano we recommend reading the article <em><a href=\"https:\/\/pcirocks.substack.com\/p\/what-exactly-is-a-payment-page\" target=\"_blank\" rel=\"noopener\">What exactly is a Payment Page?<\/a><\/em> from <a href=\"https:\/\/johnelliott.eu\/\" target=\"_blank\" rel=\"noopener\">John Elliot<\/a>, probably one of the most knowledgeable people in this field, who explained these concepts in 2023 and much of his work was included in this new information supplement.<\/p>\n<p><iframe loading=\"lazy\" title=\"[Webinar] Understanding the New PCI DSS Requirements to Prevent E-commerce Skimming Attacks\" width=\"900\" height=\"506\" src=\"https:\/\/www.youtube.com\/embed\/XVUspnZnJFg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>","protected":false},"excerpt":{"rendered":"<p>The PCI SSC has published a new Information Supplement aimed at security in payment pages and prevention of e-skimming attacks as a guide for the implementation of controls 6.4.3 and 11.6.1 of PCI DSS v4.0. [\u2026]<\/p>","protected":false},"author":2,"featured_media":6126,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[54,354],"tags":[272,271,157,299,288,301,300,277,279,297,285,298],"class_list":["post-6125","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-noticias","category-pcidss","tag-11-6-1","tag-6-4-3","tag-csp","tag-css","tag-e-skimming","tag-form","tag-iframe","tag-javascript","tag-proxy","tag-script","tag-sri","tag-vbscript"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/03\/pexels-mikhail-nilov-6969654-scaled.jpg?fit=2560%2C1707&ssl=1","jetpack-related-posts":[{"id":5560,"url":"https:\/\/www.pcihispano.com\/en\/cambios-en-el-saq-a-de-pci-dss-enero-2025\/","url_meta":{"origin":6125,"position":0},"title":"Cambios en el SAQ A de PCI DSS v4.0.1","author":"David Acosta","date":"enero 31, 2025","format":false,"excerpt":"Como parte de los esfuerzos para lograr balancear seguridad y cumplimiento, el PCI SSC anunci\u00f3 el 30 de enero de 2025 que los controles relacionados con la seguridad de p\u00e1ginas de pago (6.4.3 y 11.6.1) ser\u00e1n removidos del Cuestionario de Autoevaluaci\u00f3n A (Self-Assessment Questionnaire - SAQ A), orientado a comercios.\u2026","rel":"","context":"In &quot;Noticias&quot;","block_context":{"text":"Noticias","link":"https:\/\/www.pcihispano.com\/en\/category\/noticias\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/01\/SAQ-A.png?fit=1000%2C552&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/01\/SAQ-A.png?fit=1000%2C552&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/01\/SAQ-A.png?fit=1000%2C552&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/01\/SAQ-A.png?fit=1000%2C552&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":391,"url":"https:\/\/www.pcihispano.com\/en\/analisis-de-pci-dss-v4-0-parte-vi-requerimientos-10-y-11\/","url_meta":{"origin":6125,"position":1},"title":"An\u00e1lisis de PCI DSS v4.0 Parte VI: Requerimientos 10 y 11","author":"David Acosta","date":"septiembre 15, 2022","format":false,"excerpt":"En esta sexta entrega de la serie \u201cAn\u00e1lisis de PCI DSS v4.0\u201d se analizar\u00e1n los requerimientos 10 y 11 del est\u00e1ndar PCI DSS v4.0. Estos requerimientos hacen parte del grupo 5. Regularly Monitor and Test Networks, que continua con el mismo nombre de la versi\u00f3n 3.2.1 del est\u00e1ndar. El objetivo\u2026","rel":"","context":"In &quot;An\u00e1lisis de PCI DSS v4.0&quot;","block_context":{"text":"An\u00e1lisis de PCI DSS v4.0","link":"https:\/\/www.pcihispano.com\/en\/category\/pci-dss-4-0\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2022\/09\/Parte6.png?fit=1200%2C672&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":3501,"url":"https:\/\/www.pcihispano.com\/en\/nueva-version-de-pci-dss-4-0-1\/","url_meta":{"origin":6125,"position":2},"title":"Nueva versi\u00f3n de PCI DSS: 4.0.1","author":"David Acosta","date":"junio 12, 2024","format":false,"excerpt":"El 11 de junio de 2024 el PCI SSC public\u00f3 la versi\u00f3n 4.0.1 del est\u00e1ndar PCI DSS, que remplaza a la versi\u00f3n 4.0 publicada en marzo de 2022 Esta nueva versi\u00f3n contiene revisiones menores, correcciones tipogr\u00e1ficas y de formato y aclaraciones sin a\u00f1adir o remover requerimientos de la versi\u00f3n 4.0.\u2026","rel":"","context":"In &quot;Noticias&quot;","block_context":{"text":"Noticias","link":"https:\/\/www.pcihispano.com\/en\/category\/noticias\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/06\/PCI_DSS_v4.0.1.png?fit=1200%2C762&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/06\/PCI_DSS_v4.0.1.png?fit=1200%2C762&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/06\/PCI_DSS_v4.0.1.png?fit=1200%2C762&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/06\/PCI_DSS_v4.0.1.png?fit=1200%2C762&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/06\/PCI_DSS_v4.0.1.png?fit=1200%2C762&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":1842,"url":"https:\/\/www.pcihispano.com\/en\/el-pci-ssc-publica-el-documento-targeted-risk-analysis-tra-guidance-para-pci-dss-v4-x\/","url_meta":{"origin":6125,"position":3},"title":"El PCI SSC publica el documento \u00abTargeted Risk Analysis (TRA) Guidance\u00bb para PCI DSS v4.x","author":"David Acosta","date":"noviembre 30, 2023","format":false,"excerpt":"En noviembre de 2023 el PCI SSC public\u00f3 una nueva gu\u00eda para soportar las actividades requeridas en PCI DSS v4.x. En esta ocasi\u00f3n, se trata del documento PCI DSS v4.x Targeted Risk Analysis Guidance (An\u00e1lisis de Riesgo Dirigido, de acuerdo con la traducci\u00f3n oficial del est\u00e1ndar), que brinda las pautas\u2026","rel":"","context":"In &quot;Noticias&quot;","block_context":{"text":"Noticias","link":"https:\/\/www.pcihispano.com\/en\/category\/noticias\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/11\/TRA_Intro.png?fit=1200%2C671&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/11\/TRA_Intro.png?fit=1200%2C671&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/11\/TRA_Intro.png?fit=1200%2C671&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/11\/TRA_Intro.png?fit=1200%2C671&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2023\/11\/TRA_Intro.png?fit=1200%2C671&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":4508,"url":"https:\/\/www.pcihispano.com\/en\/cinco-puntos-clave-del-nuevo-documento-para-la-definicion-de-alcance-y-segmentacion-en-arquitecturas-de-red-modernas\/","url_meta":{"origin":6125,"position":4},"title":"5 puntos clave del documento para la definici\u00f3n de alcance y segmentaci\u00f3n en arquitecturas de red modernas","author":"David Acosta","date":"septiembre 19, 2024","format":false,"excerpt":"En septiembre de 2025 el PCI SSC public\u00f3 un nuevo suplemento informativo para la definici\u00f3n del alcance y segmentaci\u00f3n en arquitecturas de red modernas (Information Supplement - PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures). En este art\u00edculo analizamos los cinco puntos clave de ese nuevo documento y\u2026","rel":"","context":"In &quot;Contenido general&quot;","block_context":{"text":"Contenido general","link":"https:\/\/www.pcihispano.com\/en\/category\/contenido\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/09\/cloud2.png?fit=1200%2C675&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/09\/cloud2.png?fit=1200%2C675&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/09\/cloud2.png?fit=1200%2C675&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/09\/cloud2.png?fit=1200%2C675&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2024\/09\/cloud2.png?fit=1200%2C675&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":5883,"url":"https:\/\/www.pcihispano.com\/en\/implementacion-de-controles-contra-e-skimming-req-6-4-3-y-11-6-1\/","url_meta":{"origin":6125,"position":5},"title":"Implementaci\u00f3n de controles contra e-skimming (PCI DSS req. 6.4.3 y 11.6.1)","author":"David Acosta","date":"febrero 26, 2025","format":false,"excerpt":"Uno de los controles estrella que incorpor\u00f3 la versi\u00f3n 4.0 de PCI DSS fue la protecci\u00f3n contra ataques de e-skimming a trav\u00e9s de los requisitos 6.4.3 y 11.6.1. Este control fue la respuesta del PCI SSC ante la masificaci\u00f3n de este tipo de ataques en a\u00f1os anteriores. En este art\u00edculo\u2026","rel":"","context":"In &quot;Contenido general&quot;","block_context":{"text":"Contenido general","link":"https:\/\/www.pcihispano.com\/en\/category\/contenido\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/02\/code.png?fit=1200%2C674&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/02\/code.png?fit=1200%2C674&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/02\/code.png?fit=1200%2C674&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/02\/code.png?fit=1200%2C674&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.pcihispano.com\/wp-content\/uploads\/2025\/02\/code.png?fit=1200%2C674&ssl=1&resize=1050%2C600 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/6125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/comments?post=6125"}],"version-history":[{"count":1,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/6125\/revisions"}],"predecessor-version":[{"id":11696,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/posts\/6125\/revisions\/11696"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media\/6126"}],"wp:attachment":[{"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/media?parent=6125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/categories?post=6125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcihispano.com\/en\/wp-json\/wp\/v2\/tags?post=6125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}