Pass PCI DSS v4.0.1
and survive Black Friday.

Yes — meaningfully. v4.0.1 became the only supported version on 31 March 2024, with the future-dated requirements becoming mandatory on 31 March 2025. The new requirements that catch retailers off guard are 6.4.3 (script-management on payment pages — every script served on the payment page has to be inventoried, justified, integrity-checked), 11.6.1 (change-and-tamper-detection for payment-page HTTP headers and script content), 8.3.6 (12-character minimum, alphanumeric and special-character passwords), 8.4.2 (MFA for all access into the cardholder-data environment, not just remote and admin), 12.3.1 (formal targeted-risk-analysis methodology for any control where v4 allows a customised approach) and the expanded segmentation-test cadence under 11.4.5. The AxVeil pentest is run against v4.0.1 with the new-requirement appendix mapped per finding.

Two engagements, not one. The functional pentest runs in Q2 / Q3 against staging plus a controlled subset of production, with the report and remediation cycle landing before code freeze in early October. A separate load-resilience and ATO-defence review runs four weeks before peak — credential-stuffing simulation against the login and account-recovery surfaces, bot-management bypass testing, shopping-cart abuse, checkout-flow rate-limit verification, CDN and WAF rule-set review under representative peak-traffic volumes. Code-freeze starts mid-October for most retailers; the second engagement validates that the freeze actually holds.

PCI DSS 6.4.3 and 11.6.1 are the regulator-mandated answer: a managed allow-list of every script served on the payment page, Subresource Integrity (SRI) hashes pinned per script, a tamper-detection control that compares the served payment-page headers and script content against a known-good baseline on a defined cadence and alerts on drift. Operationally that means inventorying every analytics tag, chat widget, A/B-testing snippet and tag-manager container running on the payment URL, justifying business need per script, and either self-hosting the script with SRI or accepting a third-party with a documented assurance position. The AxVeil engagement runs the inventory, exercises the tamper-detection coverage, and tests the payment page against the current generation of Magecart variants.

Three layers tested in the engagement. First, the login and account-recovery surfaces themselves — rate limiting per IP, per username, per device-fingerprint, per ASN, plus MFA enrolment friction on suspicious sessions. Second, the bot-management layer — Akamai, Cloudflare, DataDome, HUMAN, Imperva, Kasada, PerimeterX — exercised against the modern bypass kit (residential-proxy networks, headless-browser fingerprint randomisation, CAPTCHA-solving APIs, mobile-app reverse-engineered tokens). Third, the downstream blast radius — gift-card balance enumeration, loyalty-points transfer, stored-payment-method abuse, fraud-rule misconfiguration. The OWASP Automated Threat Handbook (OAT-008 credential stuffing, OAT-007 credential cracking, OAT-021 denial of inventory) is the structural reference.

EU GDPR for any EU resident shopper, with the EDPB cookie-banner and consent guidance landing on the marketing tag stack. UK GDPR plus the Data Protection Act 2018 for UK shoppers. CCPA / CPRA for California shoppers and, increasingly, the parallel state regimes (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA). India DPDP Act 2023 plus the 2025 Rules for any Indian-resident shopper. The engagement maps every data-handling finding to the applicable regime; the deliverable includes a cross-border-transfer review of the analytics and ad-tech tag stack, which is where most retailers actually fail.