Strengthening E-Commerce Security: A Streamlined Guide to PCI DSS Requirements 6.4.3 and 11.6.1

Source: PCI Security Standards Council, “Guidance for PCI DSS Requirements 6.4.3 and 11.6.1,” Version 1.0, March 2025.

Purpose: To provide supplemental information and guidance to merchants and third-party service providers (TPSPs) on meeting PCI DSS Requirements 6.4.3 and 11.6.1, which address the growing threat of e-skimming attacks on e-commerce payment pages. This document does not replace or supersede requirements in any PCI SSC Standard.

As e-commerce continues to grow, so does the threat of cyberattacks targeting payment systems. One of the most alarming risks today is e-skimming, where cybercriminals exploit scripts running on payment pages to steal sensitive payment card data. To combat this, the Payment Card Industry Data Security Standard (PCI DSS) introduced Requirements 6.4.3 and 11.6.1 in its latest version (v4.x). These requirements focus on managing and monitoring payment page scripts and security-impacting HTTP headers to prevent e-skimming attacks.

This post breaks down the guidance published by the PCI Security Standards Council (PCI SSC) into a clear, actionable overview to help merchants, third-party service providers (TPSPs), and other stakeholders strengthen their payment page security.

The Urgent Need to Address the Growing Threat of E-Skimming in E-Commerce

E-skimming attacks, also referred to as Magecart or formjacking attacks, exploit vulnerabilities in e-commerce systems. These attacks, which can have severe consequences, target scripts running on payment pages, either through supply-chain compromises (e.g., third-party scripts like analytics or chatbots) or direct script injection into merchant environments.

E-skimming attacks fall into two main categories:

  • Silent Skimming: Malicious scripts steal data in the background without disrupting the transaction.
  • Double-Entry Skimming: Fake payment forms trick customers into entering their card details twice—once in the attacker’s form and again in the legitimate one.

With the increasing reliance on external scripts for e-commerce functionality, the need for robust script management and monitoring has never been greater.

Understanding PCI DSS Requirements 6.4.3 and 11.6.1

These two requirements specifically address the risks of compromised scripts and tampered HTTP headers on payment pages. Here’s what they entail:

Requirement 6.4.3: Managing Payment Page Scripts

This requirement focuses on authorizing, monitoring, and justifying the scripts allowed on payment pages. To comply, businesses must:

  • Authorize: Every script running on payment pages must be reviewed and approved before use.
  • Integrity-Check: Mechanisms like hashing or Sub-Resource Integrity (SRI) must confirm that scripts have not been tampered with.
  • Inventory and Justify: Maintain a detailed record of all scripts, including technical or business justifications for their use.

For example, if a merchant uses a third-party 3DS (3D Secure) solution, 3DS-related scripts are exempt from this requirement due to the trust relationship established during onboarding. However, any other scripts outside of the 3DS scope must adhere to Requirement 6.4.3.

Requirement 11.6.1: Tamper-Detection and Monitoring

This requirement ensures scripts and security-impacting HTTP headers are monitored for unauthorized changes. Businesses must:

  • Deploy a tamper-detection mechanism to monitor scripts and HTTP headers on payment pages.
  • Generate alerts for any unauthorized changes, such as script modifications or header tampering.
  • Conduct monitoring at least weekly or more frequently based on a risk analysis.

These mechanisms detect attempts to inject malicious scripts or alter security-impacting headers such as Content-Security-Policy (CSP), X-Frame-Options, or Strict-Transport-Security (HSTS), which are critical for safeguarding payment pages.

Who Is Responsible?

The responsibility for complying with these requirements depends on the payment page setup. Here’s a summary of the most common scenarios:

  1. Merchant-Hosted Payment Forms: The merchant is responsible for all scripts and headers on the payment page.
  2. Embedded Payment Forms (Iframes): The merchant is responsible for scripts on the parent webpage, while the TPSP is responsible for scripts within the iframe.
  3. Redirected Payment Pages: If consumers are redirected to a TPSP-hosted payment page, the merchant’s responsibility is limited, and the TPSP handles compliance.
  4. Fully Outsourced Websites: TPSPs manage all aspects of script and header security, while the merchant is not directly responsible.

How to Comply with PCI DSS Requirements 6.4.3 and 11.6.1

Achieving compliance requires implementing processes, tools, and controls to secure payment page scripts and headers. Here’s a step-by-step guide:

1. Managing and Securing Scripts (Requirement 6.4.3)

  • Authorize Scripts: Implement a formal approval process to review scripts before deployment.
  • Verify Integrity: Use tools like:
    • Content Security Policy (CSP): Restrict where scripts can be loaded from.
    • Sub-Resource Integrity (SRI): Compare cryptographic hash values to ensure scripts remain unaltered.
  • Maintain a Script Inventory: Document every script, its purpose, and justification. Automated tools can help streamline this process for larger setups.

2. Monitoring and Detecting Tampering (Requirement 11.6.1)

  • Deploy a Monitoring Mechanism: Use tools such as webpage monitoring solutions or proxy-based systems to detect unauthorized changes in real time.
  • Generate Alerts: Ensure the monitoring system triggers alerts for any suspicious changes to scripts or HTTP headers.
  • Incident Response Plan: Integrate alerts into your incident response process to address breaches promptly.
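As an added example (not from the PCI SSC guidance or this post), the following Python sketch ties the two requirements together: a 6.4.3-style inventory of authorized scripts with SRI hashes and written justifications, and an 11.6.1-style check that compares a captured payment page's scripts and security-impacting headers against that baseline and returns alert strings for the incident response process. All URLs, script bodies and header values are constructed.

```python
"""Constructed example: inventory-driven script and header tamper check for a payment page."""
import base64
import hashlib


def sri_hash(script_bytes: bytes) -> str:
    """Return the Sub-Resource Integrity value (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_bytes).digest()).decode()


# Constructed sample script bodies standing in for the real files served on the payment page.
CHECKOUT_JS = b"document.querySelector('#pan').addEventListener('input', validateCard);"
ANALYTICS_JS = b"window.track = function (e) { navigator.sendBeacon('/stats', e); };"

# Requirement 6.4.3 inventory: every authorized script, its SRI hash and its justification.
SCRIPT_INVENTORY = {
    "https://shop.example/js/checkout.js": {
        "integrity": sri_hash(CHECKOUT_JS),
        "justification": "Card-form validation; owned and reviewed by the merchant",
    },
    "https://analytics.example/tag.js": {
        "integrity": sri_hash(ANALYTICS_JS),
        "justification": "Conversion analytics; approved by security review",
    },
}

# Requirement 11.6.1 baseline: security-impacting headers the page must keep serving unchanged.
HEADER_BASELINE = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://analytics.example",
    "x-frame-options": "DENY",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}


def check_payment_page(observed_scripts: dict[str, bytes], observed_headers: dict[str, str]) -> list[str]:
    """Compare a captured page (script URL -> body, header name -> value) with the baseline."""
    alerts = []
    for url, body in observed_scripts.items():
        entry = SCRIPT_INVENTORY.get(url)
        if entry is None:
            alerts.append(f"unauthorized script: {url}")  # not in the 6.4.3 inventory
        elif sri_hash(body) != entry["integrity"]:
            alerts.append(f"integrity mismatch: {url}")  # content differs from approved version
    for url in SCRIPT_INVENTORY.keys() - observed_scripts.keys():
        alerts.append(f"authorized script missing: {url}")  # a removed script can also signal tampering
    lowered = {name.lower(): value for name, value in observed_headers.items()}
    for name, expected in HEADER_BASELINE.items():
        actual = lowered.get(name)
        if actual is None:
            alerts.append(f"header missing: {name}")
        elif actual.strip() != expected:
            alerts.append(f"header changed: {name}")
    return alerts
```

Run the check on every capture taken at the frequency your risk analysis defines (at least weekly), and route a non-empty alert list into the incident response process.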

Best Practices to Minimize Risk

The PCI SSC provides additional recommendations to help businesses reduce e-skimming risks:

  • Minimize Scripts: Only include essential scripts in payment pages.
  • Isolate Scripts in Sandboxed Iframes: Prevent scripts from accessing sensitive data by isolating them.
  • Restrict Script Sources: Use CSP to limit the domains from which scripts can load.
  • Monitor Behavior: Regularly analyze script behavior for anomalies, such as unauthorized access to payment fields.
  • Regular Technical Assessments: Conduct penetration tests and vulnerability scans to identify security gaps.

Leveraging Third-Party Service Providers (TPSPs)

TPSPs can assist merchants in meeting these requirements by:

  • Hosting secure payment pages on their servers.
  • Providing Software Development Kits (SDKs) with built-in protections against tampering.
  • Offering real-time monitoring services to detect e-skimming attempts.

Merchants should review their TPSP’s Attestation of Compliance (AOC) to ensure alignment with PCI DSS requirements.

Demonstrating Compliance

To prepare for PCI DSS assessments, businesses must maintain thorough documentation, including:

  • Policies and procedures for script management.
  • A detailed script inventory with justifications.
  • Evidence of monitoring activities, such as logs and reports.
  • Incident response plans for handling alerts from tamper-detection systems.

Conclusion

Non-compliance with these requirements can lead to severe consequences, including financial penalties and reputational damage. PCI DSS Requirements 6.4.3 and 11.6.1 provide a robust framework for securing e-commerce payment pages against the ever-growing threat of e-skimming. By managing and monitoring scripts and HTTP headers, merchants and service providers can protect sensitive customer data, prevent costly breaches, and maintain compliance with industry standards.

Implementing these requirements is critical to safeguarding your e-commerce environment, whether you’re a small merchant or a large enterprise. For further guidance, refer to the official PCI DSS documentation and consult with your payment service providers to ensure your systems are secure.

Take action today to protect your customers—and your business—from the risks of e-skimming.