Plain-English explainers on PCI DSS v4.0, SAQ A-EP, Magecart, and client-side script monitoring. Written for the person running the store.
A technical walkthrough of CVE-2024-34102, the glibc iconv chain that turned file-read into RCE, and the operational reality that left thousands of merchants exploited months after the patch shipped. For the security-aware reader who wants the full mechanism, not the press release.
Stripe Elements puts the card form in an iframe — but PCI 6.4.3 still applies to the page around it. The exact split of responsibility, the controls Stripe covers vs the controls that are on you, and the fastest path to satisfying both.
Why the January 2025 SAQ A amendment requires a Responsibility Matrix from your payment processor, what one actually contains, and exactly what to ask if your processor hasn't provided one.
A real, working CSP for a Stripe Elements checkout on WooCommerce — annotated directive by directive. Plus the four mistakes that turn CSP from a defense into security theater.
What SRI does, how to compute the hash, where to put it in your HTML, and the four scenarios where SRI doesn't work and you need a different control. Practical, with copy-pasteable commands.
What 11.6.1 actually requires, how it differs from 6.4.3, and the practical setup most SMB merchants need to satisfy it. Weekly automated scans, what to alert on, and what auditors expect to see.
What Magecart actually is, how the attack chain works, and why the most expensive card-skimmer breaches in the last decade went undetected for months. With three real-world incidents you can use to explain the threat to a non-technical owner.
The difference between SAQ A and SAQ A-EP, the January 2025 amendment that caught a lot of merchants off guard, and exactly when a Shopify or Stripe Elements merchant lands in the longer questionnaire.
What PCI 6.4.3 actually requires, what changed in v4.0, and exactly what a small WooCommerce merchant has to do to comply. Without compliance jargon.