Adobe Commerce 2.4.7: PCI DSS 4.0 Features

2.4.7 advanced PCI DSS 4.0 readiness and improved platform stability.

Released 9 April 2024, Adobe Commerce 2.4.7 is a compliance-forward release that prepares merchants for PCI DSS 4.0 while tightening platform security. It's not a headline features drop; it's a strengthening release that reduces risk before the mid-year security cycle.

Security and compliance: 2.4.7 introduced stricter Content Security Policies and safer defaults around script execution, improving protection against XSS and supply-chain injection. GraphQL parser improvements and validation hardening reduced the attack surface for headless builds. Combined with dependency refreshes, the platform shipped with a cleaner baseline for security reviews.

Payments and checkout: PCI DSS 4.0 raises expectations around authentication, session handling and evidence. This release helped teams align: we encouraged merchants to verify SameSite and Secure cookie attributes, confirm token storage practices, and review 3DS/SCA flows with payment providers. For B2B flows, session lifetime and idle timeouts were checked against policy.

Why it matters: treating 2.4.7 as a compliance milestone helps consolidate changes you would need to make anyway. Align CSP, rotate secrets, and document controls now so future audits and incident response run faster. For composable teams, ensuring GraphQL traffic adheres to new parsing and validation behaviour avoids surprises later.

Upgrade checklist:

  • Rebuild CSP allowlists; enable report-only first, monitor, then enforce.
  • Validate payment/checkout extensions against PCI DSS 4.0; confirm cookie flags and session policies.
  • Load test GraphQL and storefront integrations under realistic concurrency; verify cache behaviour.
  • Refresh lower environments to mirror production versions and config; eliminate drift.
  • Update runbooks and evidence collection for audits (screenshots, logs, config exports).
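
An added example (not Adobe's or Tom&Co's code) for the cookie-flag and CSP items in the checklist above: it audits a set of response headers for missing Secure/SameSite attributes and reports whether CSP is enforced, report-only or absent. The cookie names and header values are constructed samples.

```python
import json

# Constructed sample response headers (not captured from a real store).
SAMPLE_HEADERS = [
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "cart_ref=42; Path=/; SameSite=None"),
    ("Set-Cookie", "pref=dark; Path=/; Secure"),
    ("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri /csp/report"),
]

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(value):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite not in ("strict", "lax", "none"):
        findings.append("invalid SameSite value")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append("SameSite=None without Secure")
    return name, findings

def csp_mode(headers):
    """Report which rollout stage the CSP is in: enforced, report-only or absent."""
    names = {k.lower() for k, _ in headers}
    if "content-security-policy" in names:
        return "enforced"
    if "content-security-policy-report-only" in names:
        return "report-only"
    return "absent"

def audit(headers):
    cookies = dict(audit_cookie(v) for k, v in headers if k.lower() == "set-cookie")
    return {"csp": csp_mode(headers), "cookies": cookies}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_HEADERS), indent=2))
```

Run it against headers captured from each checkout and payment page, and keep the JSON output with the audit evidence.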

2.4.7 sets a safer, more auditable baseline. Step into the June cycle with fewer unknowns and clearer documentation.

Adobe Commerce 2.4.7: PCI DSS 4.0 Features | Tom&Co