Microform v2 Updates to Meet PCI DSS 4.0.1 requirements
KA-07551
4
12/23/2024 19:36 PM
1.0
Overview
Microform v2 is being upgraded to comply with the new Payment Card Industry Data Security Standard guidelines (PCI DSS 4.0.1), specifically requirement 6.4.3. PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions. This update is designed to improve security for payment card transactions, safeguarding sensitive information, maintaining trust in electronic payment systems, and reducing the likelihood of a data breach.
What action is required?
If you are using Microform v2, to comply with the new regulations you will need to:
Update how you load the Microform JavaScript library on your page by implementing Sub-resource Integrity (SRI) Validation in your HTML before April 1, 2025.
Updates required for those currently using Microform v2:
If you are currently integrated with Microform v2, the main change is within the client-side setup. You need to change how you are loading the Microform JavaScript library as follows:
a. Add the Microform JavaScript library to your page by dynamically loading it on the front-end.
b. Decode the JWT from your /sessions response (capture context).
c. Use the “clientLibrary” and “clientLibraryIntegrity” values to create your script tags. Ensure that you do this for every transaction as these values can be unique per transaction.
d. Ensure that you do NOT hard code these values, as doing so can lead to Microform front end errors.
Current Integration Microform v2
After migration to new version of Microform v2
Important Note:
Merchants who are incorrectly hardcoding the client library value for Microform integration, or using inconsistent versions for different API calls—such as retrieving assets with v2 and making token requests with v1 or v0.11—risk causing their integration to break.
To avoid this issue, please ensure you update your Microform integration as follows:
- Ensure you are using the latest version of Microform and referencing "clientVersion": 'v2' in the /sessions request.
- Dynamically load the Microform JavaScript library on the front-end:
  - Decode the JWT from your /sessions response (capture context).
  - Use the clientLibrary and clientLibraryIntegrity values to create your script tags dynamically for each transaction.
  - Avoid hard-coding these values to prevent Microform front-end errors.
Example:
/sessions Response:
"data": { "clientLibrary": "[EXTRACT clientLibrary VALUE from here]", "clientLibraryIntegrity": "[EXTRACT clientLibraryIntegrity VALUE from here]"}
Script Tags:
<script src="[INSERT clientLibrary VALUE HERE]" integrity="[INSERT clientLibraryIntegrity VALUE HERE]" crossorigin="anonymous"></script>
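The dynamic-loading steps above (decode the capture context, read clientLibrary and clientLibraryIntegrity, build the script tag per transaction), as an added JavaScript example that is not Cybersource's own code. The function names are illustrative, the lookup of "data" at the top level or under ctx[0] is an assumption about the payload layout, and the sample capture context is constructed.

```javascript
// Added example; function names are illustrative, not part of the Microform API.
const SRI_PATTERN = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Decode the JWT payload (base64url-encoded JSON). This only reads the claims;
// it does NOT verify the signature.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("capture context is not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Read clientLibrary / clientLibraryIntegrity and refuse anything that would
// produce a script tag without a usable integrity check.
function getClientLibrary(jwt) {
  const payload = decodeJwtPayload(jwt);
  // Assumption: "data" sits at the top level or under ctx[0].
  const data = (payload.ctx && payload.ctx[0] && payload.ctx[0].data) || payload.data || {};
  const { clientLibrary, clientLibraryIntegrity } = data;
  if (typeof clientLibrary !== "string" || new URL(clientLibrary).protocol !== "https:")
    throw new Error("clientLibrary must be an https URL");
  if (typeof clientLibraryIntegrity !== "string" || !SRI_PATTERN.test(clientLibraryIntegrity))
    throw new Error("clientLibraryIntegrity is missing or malformed");
  return { src: clientLibrary, integrity: clientLibraryIntegrity };
}

// Build and append the script tag. Call this for every new capture context
// instead of caching or hard-coding the two values.
function createMicroformScript(jwt, doc) {
  const { src, integrity } = getClientLibrary(jwt);
  const script = doc.createElement("script");
  script.src = src;
  script.integrity = integrity;      // browser blocks the script if the hash differs
  script.crossOrigin = "anonymous";  // required for SRI on cross-origin scripts
  doc.head.appendChild(script);
  return script;
}

// Constructed sample, not a real capture context: unsigned JWT, placeholder values.
function sampleCaptureContext(payload) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256" }), enc(payload), "constructed-signature"].join(".");
}
```

In a browser, pass `document` as `doc` and attach `onload`/`onerror` handlers to the returned element before initialising Microform.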
Resources
PCI DSS Summary of Changes: v4.0.1:
Microform V2 documentation:
List of card types:
https://developer.cybersource.com/docs/cybs/en-us/payments/developer/ctv/rest/payments/payments-intro/payments-intro-cards-types.html
Q&A
What is PCI DSS?
See https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
How do I know what version of Microform I am using?
For Microform v2, the version of Microform that you are using is specified in the clientVersion field within the Generate Capture Context request. For example:
{
  "clientVersion": "v2",
  "targetOrigins": ["https://www.example.com"],
  "allowedCardNetworks": ["VISA"]
}
The type property will be returned in the transient token response, e.g. "type": "mf-2.0.0"
If I am currently using Microform v1 or lower, can I continue to use this version and continue to be PCI DSS Compliant?
If integrated with Microform v1 or lower you will NOT be able to avail of the SRI value feature and will no longer be PCI-DSS compliant from April 1, 2025. To avail of the SRI value and remain PCI-DSS compliant you will need to migrate from older versions of the product to Microform v2.
Microform v1 and lower will be deprecated and reach end of life by July 1st 2025. From this point on, your integration with Microform v0.4 or lower, v0.11 or v1 will no longer work.
What type of transactions does this impact?
This feature impacts all transactions processed through Microform.
Is this a backwards breaking change?
Your existing Microform integration will continue to work as normal; however, in order to remain PCI DSS compliant you must upgrade to Microform v2 by April 1, 2025.
Microform v1 and lower will be deprecated and reach end of life by July 1st 2025.
Regardless of what version of Microform you are currently using, you will need to change how you are loading the Microform JavaScript library as follows:
Add the Microform JavaScript library to your page by dynamically loading it on the front-end.
Decode the JWT from your /sessions response (capture context).
Use the “clientLibrary” and “clientLibraryIntegrity” values to create your script tags.
Ensure that you do this for every transaction as these values can be unique per transaction.
Ensure that you do NOT hard code these values, as doing so can lead to Microform front end errors.
I already use Microform v2, do I need to do anything to remain PCI DSS Compliant?
Yes – you will need to implement SRI Validation in your HTML, leveraging the client library integrity hash returned in the sessions response.