

E-commerce Cybersecurity and PCI DSS for India

Indian e-commerce processes a meaningful share of the country's digital payments. Card-not-present fraud, Magecart-style web skimming, account takeover and abandoned cart manipulation are routine. PCI DSS 4.0 expectations have tightened since 2024. Here is how our e-commerce practice combines security and compliance for Indian online retailers.

Published 23 May 2026 · 9 min read · Codesecure Industry Practice

Key Takeaways

  • PCI DSS 4.0 is the dominant card-data standard. Effective from March 2024 with phased enforcement through 2025; some requirements (notably 6.4.3 and 11.6.1 around client-side script integrity) target e-commerce specifically.
  • Scope reduction is the first lever. Tokenisation, hosted payment pages and iframes drastically reduce the cardholder data environment.
  • Magecart and digital skimming remain the dominant card-not-present attack pattern. Client-side script integrity monitoring is now table stakes.
  • API and partner integration risk grows as marketplaces, multi-merchant platforms and headless commerce architectures spread.
  • DPDP Act 2023 applies to customer personal data alongside PCI DSS for cardholder data. Two parallel obligations.

The Indian E-commerce Threat Picture

Indian e-commerce is targeted by a stratified set of attackers. At the top: organised commercial fraud operators running automated card testing, account takeover and reseller fraud against major platforms. In the middle: targeted Magecart-style skimming groups installing malicious scripts on checkout pages to steal card data at the moment of entry. At the bottom: opportunistic scammers using credential stuffing, phishing of customer service teams, and abandoned-cart abuse.

Defensive priorities shift by business size. Tier 1 platforms (large marketplaces, leading verticals) need mature fraud analytics, dedicated security teams, and ongoing penetration testing. Tier 2 (mid-size D2C brands, regional players) need PCI DSS-aligned baseline controls and quarterly security review. Tier 3 (small online retailers, single-brand stores) typically use a hosted payment provider that reduces scope dramatically, and should focus on store-platform security (Shopify, WooCommerce, Magento, custom).

PCI DSS 4.0 Scope for E-commerce

PCI DSS applies to every entity that stores, processes or transmits cardholder data, plus connected systems. For e-commerce, scope is determined by how the payment is implemented. Direct post (the merchant page collects the card data and POSTs to the processor) pulls the entire web stack into scope. iFrame (the payment fields are rendered by the processor in an iframe inside the merchant page) significantly reduces scope. Redirect (the merchant page links to the processor's hosted page) reduces scope further, though client-side script integrity requirements (6.4.3, 11.6.1) still apply.

Scope reduction is the highest-ROI early decision. A merchant moving from direct post to iframe or hosted-page typically reduces SAQ effort by an order of magnitude and reduces PCI-driven control footprint accordingly. The customer experience trade-off is usually small; the security and compliance benefit is large. Codesecure helps customers redesign payment flows for scope reduction as part of PCI engagements.


Magecart and Client-Side Script Integrity

Magecart is the umbrella term for digital skimming attacks that inject malicious JavaScript into checkout pages to capture card data as it is entered. The attack vectors include compromised third-party scripts (analytics, A/B testing, tag managers, chat widgets), compromised admin panels of the e-commerce platform itself, and supply chain attacks on JavaScript dependencies.

PCI DSS 4.0 requirements 6.4.3 and 11.6.1 explicitly address this: maintain an inventory of all client-side scripts loaded on payment pages, justify each script's presence, and monitor for unauthorised changes. Practical implementations include Content Security Policy with strict source allowlists plus inline-script-hash pinning, Subresource Integrity (SRI) on every external script, and continuous monitoring tools (Jscrambler, Source Defense, Imperva, c/side, Akamai Page Integrity Manager) that alert on script changes.

Even merchants using hosted payment pages are subject to 6.4.3 and 11.6.1 because the page that contains the redirect or iframe is itself a target. The script integrity programme is required regardless of payment flow architecture.
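The following is an added example written for this article (it is not a Codesecure tool and not the code of any monitoring product named above) showing what a 6.4.3 inventory and an 11.6.1 change check look like in practice. It takes a constructed checkout page, records a sha384 integrity value for every inline and external script, derives a CSP script-src directive and SRI attributes from that approved inventory, and then diffs two later crawls against the baseline: one where a CDN file was silently replaced, one where an extra inline script was injected into the page. The hostnames, script bodies and page markup are constructed sample data; a real monitor would fetch the scripts as the browser does.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample checkout page (hypothetical hosts, not a real merchant site).
CHECKOUT_HTML = """<html><head>
<script src="https://cdn.example.com/analytics.js"></script>
<script>window.checkoutStep = 1;</script>
</head><body>
<iframe src="https://pay.example-psp.com/frame"></iframe>
<script src="https://chat.example-vendor.com/widget.js"></script>
</body></html>"""

# Constructed bodies of the external scripts; a real monitor would fetch them.
EXTERNAL_SCRIPTS = {
    "https://cdn.example.com/analytics.js": b"console.log('analytics');",
    "https://chat.example-vendor.com/widget.js": b"console.log('chat');",
}

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S)
SRC_RE = re.compile(r'\bsrc="([^"]+)"')


def sri_hash(content: bytes) -> str:
    """Integrity value in the form browsers accept for both SRI and CSP: sha384-<base64>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def build_inventory(html: str, fetch) -> dict:
    """6.4.3-style inventory of every script on the page.

    External scripts are keyed by URL and map to the hash of the fetched body;
    inline scripts are keyed by their own hash, so any edit shows up as a new entry.
    """
    inventory = {}
    for m in SCRIPT_RE.finditer(html):
        src = SRC_RE.search(m.group("attrs"))
        if src:
            url = src.group(1)
            inventory[url] = sri_hash(fetch(url))
        else:
            h = sri_hash(m.group("body").encode())
            inventory["inline:" + h] = h
    return inventory


def csp_script_src(inventory: dict) -> str:
    """script-src directive: allowlisted hosts plus hashes of the approved inline scripts."""
    hosts = sorted({urlsplit(k).netloc for k in inventory if k.startswith("https://")})
    hashes = sorted(f"'{v}'" for k, v in inventory.items() if k.startswith("inline:"))
    return " ".join(["script-src 'self'"] + [f"https://{h}" for h in hosts] + hashes)


def sri_attributes(inventory: dict) -> dict:
    """Per-URL integrity attribute to place on each <script src=...> tag."""
    return {k: f'integrity="{v}" crossorigin="anonymous"'
            for k, v in inventory.items() if k.startswith("https://")}


def detect_changes(baseline: dict, current: dict) -> dict:
    """11.6.1-style check against the approved baseline: added, removed, modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build the baseline, then simulate a tampered CDN file and an injected inline script."""
    baseline = build_inventory(CHECKOUT_HTML, EXTERNAL_SCRIPTS.__getitem__)
    tampered = {**EXTERNAL_SCRIPTS, "https://cdn.example.com/analytics.js": b"/* replaced */"}
    injected_html = CHECKOUT_HTML.replace("</body>", "<script>/* unlisted */</script></body>")
    return {
        "baseline": baseline,
        "csp": csp_script_src(baseline),
        "cdn_tampered": detect_changes(baseline, build_inventory(CHECKOUT_HTML, tampered.__getitem__)),
        "inline_injected": detect_changes(
            baseline, build_inventory(injected_html, EXTERNAL_SCRIPTS.__getitem__)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points worth noting. Keying inline scripts by their own hash means the inventory is also the justification record for 6.4.3: an entry that nobody can justify is an entry to remove. And the same `sha384-` value serves both as the SRI `integrity` attribute and as a CSP hash source, so the approved inventory drives the browser-side enforcement and the server-side detection from one file. 11.6.1 expects the change check to run at least every seven days, or at the frequency set by the entity's targeted risk analysis, so a job like `demo()` belongs on a schedule, not in a one-off audit.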

API Security for Marketplaces and Headless Commerce

Modern Indian e-commerce architectures lean toward headless commerce: a backend commerce engine (commercetools, Shopify Hydrogen, BigCommerce, Magento decoupled, Spree, Saleor, custom) exposes APIs to multiple frontends (web, mobile, kiosk, in-store) and to partner integrations (marketplaces, payment gateways, loyalty, OMS, WMS, ERP, marketing tools).

API security findings cluster around the OWASP API Top 10. The recurring ones: BOLA, where order IDs, customer IDs or merchant IDs can be substituted and the backend returns data without an authorisation check; broken authentication on partner APIs (long-lived API keys, weak rotation); over-permissive partner scopes (a marketing tool API key with full order-export rights); and mass assignment on profile, address or order update endpoints. Our API security audit blog covers each in detail; an e-commerce security programme must include systematic API testing.
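To make the BOLA and mass-assignment findings concrete, here is an added Python example (written for this article, not taken from the API audit blog or from any of the commerce engines listed above). It shows each weakness beside its hardened handler over a constructed in-memory store; the order and customer IDs, field names and the `Forbidden` exception are all illustrative assumptions.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller may not read or write the requested object."""


@dataclass
class Order:
    order_id: int
    customer_id: int
    total_inr: int


@dataclass
class Customer:
    customer_id: int
    email: str
    role: str = "customer"   # "customer" or "admin"; must never be client-writable
    loyalty_points: int = 0  # must never be client-writable


# Constructed in-memory store standing in for the commerce engine's database.
ORDERS = {1001: Order(1001, 7, 2499), 1002: Order(1002, 8, 999)}
CUSTOMERS = {7: Customer(7, "a@example.com"), 8: Customer(8, "b@example.com")}


def get_order_vulnerable(caller_id: int, order_id: int) -> Order:
    """BOLA: the caller is authenticated, but ownership of the order is never checked,
    so substituting another order ID returns another customer's order."""
    return ORDERS[order_id]


def get_order_secure(caller_id: int, order_id: int) -> Order:
    """Fetch the object, then verify it belongs to the caller (staff may read any)."""
    order = ORDERS.get(order_id)
    caller = CUSTOMERS[caller_id]
    if order is None or (order.customer_id != caller_id and caller.role != "admin"):
        # One response for "does not exist" and "not yours": no ID enumeration oracle.
        raise Forbidden("order not found")
    return order


def update_profile_vulnerable(caller_id: int, payload: dict) -> Customer:
    """Mass assignment: every key in the request body is copied onto the model,
    including role and loyalty_points."""
    customer = CUSTOMERS[caller_id]
    for key, value in payload.items():
        setattr(customer, key, value)
    return customer


PROFILE_WRITABLE = {"email"}  # allowlist of fields a customer may change about themselves


def update_profile_secure(caller_id: int, payload: dict) -> Customer:
    """Reject any field outside the allowlist rather than silently dropping it,
    so an attempt to set role or loyalty_points is an error the API can log."""
    unknown = set(payload) - PROFILE_WRITABLE
    if unknown:
        raise Forbidden(f"fields not writable: {sorted(unknown)}")
    customer = CUSTOMERS[caller_id]
    for key in payload:
        setattr(customer, key, payload[key])
    return customer


def denied(fn, *args) -> bool:
    """True if the call is refused with Forbidden; used to show the hardened behaviour."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The two hardened handlers share one habit worth carrying into an API test plan: the authorisation decision is made against the object that was actually loaded, not against the ID in the URL, and the writable-field set is an explicit allowlist on the server rather than whatever the client chose to send. A pentest case for each endpoint is then simply "call it with another customer's ID" and "send one extra field", which is what the BOLA and mass-assignment findings above reduce to.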

Fraud Detection and Customer Trust

Cybersecurity and fraud overlap in e-commerce more than in any other sector. Account takeover, credential stuffing, gift card fraud, return abuse, and friendly fraud all combine technical signals with behavioural analytics. Major Indian platforms invest in dedicated fraud teams and tools (Sift, Riskified, Forter, Signifyd, Kount, plus India-specific options).

The security side overlaps when fraud is enabled by a cyber control gap (no MFA on customer accounts, no device fingerprinting, weak password reset flow, exposed admin or back-office panel). Codesecure engagements often surface findings that are technically VAPT issues with direct fraud consequences. We report them with both perspectives so the security and fraud leads can prioritise jointly.


DPDP Act 2023 for Indian E-commerce

DPDP Act 2023 applies in parallel with PCI DSS. PCI DSS governs cardholder data; DPDP governs all personal data of Indian residents. The overlap is customer email, address, phone, demographic data, behavioural data and purchase history. The two frameworks have different obligations: PCI DSS focuses on technical controls for card flow; DPDP requires lawful purpose, consent, data principal rights, retention limits and breach notification across all personal data.

Practical implication: every Indian e-commerce platform needs both. Codesecure delivers integrated PCI DSS plus DPDP compliance for Indian e-commerce, with a unified control library and shared evidence pack that supports your external PCI assessor and satisfies the DPDP Section 8 reasonable security safeguards obligation in one engagement.

Penetration Testing Cadence and Plugin Risk

PCI DSS 4.0 requires penetration testing at least annually and after any significant change. The scope includes the cardholder data environment plus all connected systems. For e-commerce, this typically means external network, internal network, web application (customer-facing, admin), mobile applications, APIs, and the underlying cloud configuration.

Third-party plugin and theme risk deserves special attention for platforms built on Shopify, WooCommerce, Magento, BigCommerce or similar. Plugin authors vary in security maturity, plugins introduce supply-chain risk, and a compromised plugin reaches every site that installed it. Pentest scope should include plugin inventory review (which are installed, which have known vulnerabilities, which have permissions broader than the function suggests), and supply-chain hygiene (plugins pinned to specific versions, updates reviewed before deployment, abandoned plugins removed). Codesecure delivers Indian e-commerce pentest engagements with plugin-aware methodology and PCI DSS-aligned reporting.
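As an added illustration (example code written for this article, not Codesecure's methodology or any platform's own tooling), the Python below turns the plugin-inventory review items just listed into four automated checks over a constructed plugin export: unpinned versions, versions with a known advisory, plugins with no release in over a year, and permissions broader than the stated purpose needs. Plugin names, dates, the advisory data and the expected-permission map are placeholders constructed for the example; a real review would feed it the store platform's actual export and a live advisory source.

```python
from datetime import date, timedelta

# Constructed plugin inventory, as exported from a store platform (hypothetical plugin names).
INSTALLED_PLUGINS = [
    {"name": "example-checkout-addon", "version": "2.3.1", "pinned": True,
     "last_release": "2026-03-01", "permissions": ["read_orders"], "purpose": "checkout upsell"},
    {"name": "example-seo-tool", "version": "latest", "pinned": False,
     "last_release": "2023-11-20", "permissions": ["read_products", "write_orders", "read_customers"],
     "purpose": "meta tags"},
    {"name": "example-legacy-slider", "version": "1.0.1", "pinned": True,
     "last_release": "2024-06-10", "permissions": ["read_products"], "purpose": "image slider"},
]

# Constructed advisory data: plugin -> versions with a known vulnerability (placeholders, not real advisories).
KNOWN_VULNERABLE = {"example-legacy-slider": {"1.0.0", "1.0.1"}}

# The permissions each stated purpose plausibly needs; anything beyond this is a finding.
EXPECTED_PERMISSIONS = {
    "checkout upsell": {"read_orders", "read_products"},
    "meta tags": {"read_products"},
    "image slider": {"read_products"},
}


def review_plugins(plugins, advisories, today, max_age_days=365):
    """Return (plugin, check, detail) findings for the four hygiene checks in the text."""
    findings = []
    for p in plugins:
        if not p["pinned"]:
            findings.append((p["name"], "unpinned",
                             f"version '{p['version']}' floats; updates deploy unreviewed"))
        if p["version"] in advisories.get(p["name"], set()):
            findings.append((p["name"], "vulnerable",
                             f"version {p['version']} has a known vulnerability"))
        age = today - date.fromisoformat(p["last_release"])
        if age > timedelta(days=max_age_days):
            findings.append((p["name"], "abandoned", f"no release in {age.days} days"))
        excess = set(p["permissions"]) - EXPECTED_PERMISSIONS.get(p["purpose"], set())
        if excess:
            findings.append((p["name"], "excess_permissions",
                             f"broader than '{p['purpose']}' needs: {sorted(excess)}"))
    return findings


def findings_by_plugin(findings):
    """Group check names per plugin for a quick summary table."""
    summary = {}
    for name, check, _ in findings:
        summary.setdefault(name, []).append(check)
    return summary


def review_store(today_iso="2026-05-23"):
    """Run the review over the constructed inventory as of a fixed date (deterministic output)."""
    return review_plugins(INSTALLED_PLUGINS, KNOWN_VULNERABLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in review_store():
        print(finding)
```

The "excess permissions" check is the one most often skipped in manual reviews, because it needs a statement of what each plugin is for; recording that purpose in the inventory is what makes the check possible, and it doubles as the justification evidence an assessor will ask for. The age threshold is a policy choice; the 365-day default here is an assumption, not a PCI DSS value.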


Frequently Asked Questions

Do we need to be PCI DSS compliant if we use a payment gateway?

Yes. PCI DSS applies to any entity in the cardholder data flow. Using a hosted gateway or iframe reduces scope significantly and changes the SAQ type, but it does not eliminate the obligation. The merchant remains responsible for the parts of the customer journey before the redirect or iframe loads.

How often do we need a pentest?

PCI DSS 4.0 requires annual pentest plus testing after any significant change. For high-traffic Indian e-commerce platforms, semi-annual or continuous testing is more aligned with release cadence. Codesecure offers both annual deep-dive and continuous-VAPT engagement models.

What are PCI DSS 4.0 requirements 6.4.3 and 11.6.1?

6.4.3 requires a documented inventory of every script loaded on payment pages with justification. 11.6.1 requires monitoring for unauthorised changes to those scripts. Together they target Magecart-style digital skimming. Implementation uses CSP, SRI and dedicated script-integrity monitoring tools.

Can we do PCI DSS and DPDP together?

Yes, and we strongly recommend it. Roughly 50 to 60 percent of controls overlap between PCI DSS and DPDP for an e-commerce business. A unified programme saves significant effort versus running them separately. Codesecure delivers integrated engagements.

Are third-party plugins really a serious risk?

Yes. Magento, WooCommerce and Shopify plugin compromises have caused multiple Indian e-commerce breaches in 2024 and 2025. Plugin inventory review and supply-chain hygiene are now baseline expectations, not optional add-ons.

How much does e-commerce VAPT cost in India?

A standard annual e-commerce pentest (web, API, mobile, infrastructure) for a mid-size Indian platform runs INR 5 to 12 lakh depending on scope. PCI DSS-aligned scope adds documentation overhead. Continuous VAPT programmes are priced as a monthly retainer. Codesecure provides fixed-price proposals after a 30-minute scoping call.


Codesecure Industry Practice

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers sector-specific cybersecurity for healthcare, banking and fintech, manufacturing, e-commerce, education, legal and insurance customers across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.

