

KA-07551



05/15/2026 17:15 PM

2.0

Upgrading Microform v2 for PCI DSS 4.0.1 Compliance

Introduction

This article explains the required Microform v2 upgrade to comply with Payment Card Industry Data Security Standard (PCI DSS) 4.0.1, specifically requirement 6.4.3. The upgrade introduces Sub-resource Integrity (SRI) Validation when loading the Microform JavaScript library, improving the security of payment card transactions, safeguarding sensitive information, maintaining trust in electronic payment systems, and reducing the likelihood of a data breach.

This content is intended for internal support agents assisting merchants who have integrated with Microform. It applies to all transactions processed through Microform, regardless of region or card network configuration.

⚠ Critical Deadline: Merchants using Microform v2 must implement SRI Validation in their HTML before April 1, 2025 to remain PCI DSS compliant. Microform v1 and lower versions will be deprecated and reach end of life on October 1, 2025.

Comprehensive Overview

PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions. Requirement 6.4.3 in PCI DSS 4.0.1 introduces controls around how externally loaded scripts are validated on payment pages.

To comply, the merchant integration must change how the Microform JavaScript library is loaded. Instead of referencing a static, hardcoded library URL, the integration must dynamically load the library using the clientLibrary and clientLibraryIntegrity values returned in the capture context (JWT) from the /sessions response. These values can be unique per transaction and must not be hardcoded.

Integration Comparison

Integration State | Script Tag
Current Integration Microform v2 | <script src="https://flex.cybersource.com/cybersource/microform/bundle/v2/flex-microform.min.js"></script>
After migration to new version of Microform v2 | <script src="[Insert clientLibrary value here]" integrity="[Insert clientLibraryIntegrity value here]" crossorigin="anonymous"></script>

Step-by-Step Procedures

Use the following procedure to update an existing Microform v2 client-side integration so it complies with PCI DSS 4.0.1.

1. Set up the client side for dynamic loading.

a. Add the Microform JavaScript library to the page by dynamically loading it on the front-end.

b. Decode the capture context (the JWT returned in the /sessions response).

c. Use the clientLibrary and clientLibraryIntegrity values to create the script tags. Repeat this for every transaction because these values can be unique per transaction.

d. Avoid hardcoding the clientLibrary and clientLibraryIntegrity values, because hardcoding can lead to Microform front-end errors.

2. Confirm the correct Microform version is in use.

a. Verify that "clientVersion": "v2" is referenced in the /sessions request.

b. Verify the transient token response returns a type property such as "type": "mf-2.0.0".

3. Validate consistency across API calls.

a. Confirm the same Microform version is used for asset retrieval and token requests. Mixing versions, such as retrieving assets with v2 and making token requests with v1 or v0.11, can break the integration.

4. Construct the new script tag.

a. Extract the clientLibrary and clientLibraryIntegrity values from the /sessions response data:

"data": { "clientLibrary": "[EXTRACT clientLibrary VALUE]", "clientLibraryIntegrity": "[EXTRACT clientLibraryIntegrity VALUE]" }

b. Insert these values into the script tag dynamically:

<script src="[INSERT clientLibrary VALUE]" integrity="[INSERT clientLibraryIntegrity VALUE]" crossorigin="anonymous"></script>

5. Test the updated integration.

a. Run a transaction end-to-end to confirm the Microform library loads correctly and the SRI hash validates successfully.

b. Confirm no Microform front-end errors occur.

6. Complete the migration before the deadline.

a. Implement the SRI Validation update before April 1, 2025 to remain PCI DSS compliant.
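The client-side part of steps 1 and 4 as an added example; it is not code from this article or from Cybersource. The function names, the allowedHosts parameter and the ctx[0].data location of the "data" object inside the decoded JWT are assumptions, and the sample token is constructed.

```javascript
// Added example, not Cybersource code. Assumption: the decoded payload
// carries the page's "data" object at ctx[0].data.
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Read the JWT claims (base64url). This does not verify the signature.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('capture context is not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return JSON.parse(new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0))));
}

// Pull out and sanity-check the two values before they reach the DOM.
function extractLibrary(captureContext, allowedHosts) {
  const payload = decodeJwtPayload(captureContext);
  const data = payload.ctx && payload.ctx[0] && payload.ctx[0].data;
  if (!data) throw new Error('no data object in capture context');
  const url = new URL(data.clientLibrary); // throws if missing or malformed
  if (url.protocol !== 'https:') throw new Error('clientLibrary must be https');
  if (!allowedHosts.includes(url.hostname)) throw new Error('unexpected host ' + url.hostname);
  if (!SRI_RE.test(data.clientLibraryIntegrity || '')) throw new Error('malformed integrity value');
  return { src: url.href, integrity: data.clientLibraryIntegrity };
}

// Build the script tag for this transaction; rejects when the browser
// refuses the file (network error or SRI hash mismatch).
function loadMicroform(doc, captureContext, allowedHosts) {
  const { src, integrity } = extractLibrary(captureContext, allowedHosts);
  const script = doc.createElement('script');
  script.src = src;
  script.integrity = integrity;
  script.crossOrigin = 'anonymous';
  return new Promise((resolve, reject) => {
    script.onload = () => resolve(script);
    script.onerror = () => reject(new Error('Microform failed to load or SRI check failed'));
    doc.head.appendChild(script);
  });
}

// Constructed, unsigned sample token for offline runs (placeholder values).
function makeSampleJwt(data) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256' }), enc({ ctx: [{ type: 'mf-2.0.0', data }] }), 'sig'].join('.');
}
```

In the browser, call loadMicroform(document, captureContext, [...]) once per transaction with the capture context the server just obtained from /sessions.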

Potential Client Questions and Resolutions

  • What is PCI DSS?
    • PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions. Refer to the official PCI DSS v4.0.1 standard for the full definition: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
  • How do I know what version of Microform I am using?
    • For Microform v2, the version is specified in the clientVersion field within the Generate Capture Context request. Example: {"clientVersion": "v2", "targetOrigins": ["https://www.example.com"], "allowedCardNetworks": ["VISA"]}. The type property is also returned in the transient token response, for example "type": "mf-2.0.0".
  • If I am currently using Microform v1 or lower, can I continue to use this version and remain PCI DSS compliant?
    • No. Integrations on Microform v1 or lower cannot leverage the SRI value feature and will no longer be PCI DSS compliant from April 1, 2025. Migration to Microform v2 is required to access the SRI value and remain compliant. Microform v1 and lower will be deprecated and reach end of life on October 1, 2025. After that date, integrations using Microform v0.4 or lower, v0.11, or v1 will no longer work.
  • What type of transactions does this impact?
    • This feature impacts all transactions processed through Microform.
  • Is this a backwards breaking change?
    • Existing Microform integrations continue to work as normal. However, to remain PCI DSS compliant, the integration must be upgraded to Microform v2 by April 1, 2025. Regardless of the current Microform version, the JavaScript library must be loaded dynamically using the clientLibrary and clientLibraryIntegrity values from the /sessions response, and these values must not be hardcoded.
  • I already use Microform v2. Do I need to do anything to remain PCI DSS compliant?
    • Yes. Implement SRI Validation in the HTML by leveraging the client library integrity hash returned in the /sessions response.

Examples and Use Cases

Use Case 1: Merchant Hardcoding the Client Library Value

  • Context: A merchant has hardcoded the clientLibrary value into their HTML for Microform integration.
  • Expected Outcome: Microform front-end errors occur and the integration risks breaking.
  • Support Agent Actions: Direct the merchant to dynamically load the library on the front-end. Confirm they decode the JWT from the /sessions response and use the clientLibrary and clientLibraryIntegrity values to construct script tags per transaction.

Use Case 2: Merchant Using Inconsistent Microform Versions Across API Calls

  • Context: A merchant retrieves assets using v2 but makes token requests with v1 or v0.11.
  • Expected Outcome: The integration breaks because of version mismatches.
  • Support Agent Actions: Confirm the merchant references "clientVersion": "v2" in the /sessions request and uses Microform v2 consistently across all related API calls.


Use Case 3: Merchant Currently on Microform v1 or Lower

  • Context: A merchant is integrated with Microform v0.4, v0.11, or v1 and asks whether they can remain on that version and stay PCI DSS compliant.
  • Expected Outcome: The merchant cannot leverage the SRI value feature on these versions and will lose PCI DSS compliance starting April 1, 2025. These versions reach end of life on October 1, 2025, after which the integration will no longer function.
  • Support Agent Actions: Advise the merchant to migrate to Microform v2 before April 1, 2025. Direct them to the Microform v2 documentation and confirm they implement dynamic loading with SRI Validation as part of the migration.

Use Case 4: Merchant Already on Microform v2 Without SRI Validation

  • Context: A merchant confirms they are on Microform v2 but has not yet implemented SRI Validation.
  • Expected Outcome: The merchant remains functional but will fall out of PCI DSS compliance on April 1, 2025 if SRI Validation is not implemented.
  • Support Agent Actions: Walk the merchant through implementing SRI Validation by leveraging the clientLibraryIntegrity hash returned in the /sessions response. Confirm dynamic loading per transaction is in place.

Resolution and Escalation Guidance

  • Confirm the merchant's current Microform version using the clientVersion field in the Generate Capture Context request and the type property in the transient token response.
  • Verify the merchant is dynamically loading the JavaScript library using clientLibrary and clientLibraryIntegrity values from the /sessions response, and that no values are hardcoded.
  • Confirm consistent Microform version usage across asset retrieval and token request API calls.
  • Reinforce key dates: SRI Validation must be implemented before April 1, 2025; Microform v1 and lower reach end of life on October 1, 2025.
  • Escalate to the appropriate technical integration support team when the merchant reports persistent Microform front-end errors after correctly implementing dynamic loading and SRI Validation.

Additional Resources

  • PCI DSS v4.0.1 Standard: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
  • PCI DSS v4.0 At-A-Glance: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI-DSS-v4-0-At-A-Glance.pdf
  • Prioritized Approach for PCI DSS v4.0: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/Prioritized-Approach-For-PCI-DSS-v4-0.pdf
  • Microform v2 Documentation: https://developer.cybersource.com/docs/cybs/en-us/digital-accept-flex/developer/all/rest/digital-accept-flex/microform-integ-v2.html
  • List of Card Types: https://developer.cybersource.com/docs/cybs/en-us/payments/developer/ctv/rest/payments/payments-intro/payments-intro-cards-types.html

