February 26, 2025

MIN Read

Whether You’re SAQ A or Not, You Can't Afford to Delay PCI DSS 6.4.3 and 11.6.1 Compliance

DataStealth

As the clock ticks down to March 31st, many organizations are in for a rude awakening: PCI DSS v4.0 requirements 6.4.3 and 11.6.1 are about to shift from best practices to mandatory rules, and the impacts are far-reaching.

‍

These requirements aren’t just compliance checkboxes your IT team can tick away. They’re serious changes that will touch every corner of your organization, from the marketing team to your relationships with third-party vendors.

‍

Let’s cut to the chase: you can’t afford to drag your feet on 6.4.3 and 11.6.1 any longer.

‍

To comply and secure your payment flows, you’re in for a complex, multi-faceted project that demands attention from stakeholders across the entire business.

‍

We’re talking about overhauling your script management processes, integrating robust tamper detection systems, and changing how you approach security on your payment pages.

‍

This isn’t something you can slap together in a few weeks. The PCI SSC’s 2-year grace period was a necessary runway meant to give organizations time to implement the required controls.

‍

If you haven’t started yet, you’re already behind. Is it panic time? Maybe. But even now, in the 11th hour, you can get your compliance efforts on track.

Who Needs to Comply With 6.4.3 and 11.6.1?

Before the PCI SSC’s recent January 2025 update, any organization that collected, processed, or managed payment card information online had to comply with requirements 6.4.3 and 11.6.1.

‍

However, as of January 2025, merchants completing SAQ As could check 6.4.3 and 11.6.1 as “not applicable” if the “merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).” To provide this guarantee, you will need to implement controls, like script and header monitoring.

‍

Organizations completing SAQ A-EPs or SAQ Ds are not exempt from the March 31st deadline associated with requirements 6.4.3 and 11.6.1, even if their next audit is after the March 31st deadline.

‍

If, for example, a data breach occurs after the enforcement date, the impacted organization will be assessed according to the full PCI DSS v4.0 standard. If 6.4.3 and 11.6.1 apply to them, they will be accountable, regardless of when their last audit occurred.

‍

‍

Neglecting Compliance is Not an Option

The financial penalties for non-compliance with PCI DSS requirements 6.4.3 and 11.6.1 are steep and unavoidable. Monthly fines start at $5,000 to $10,000 per month for the first 3 months and can escalate to $50,000 to $100,000 per month after 7 months.

‍

Beyond these fines, non-compliant businesses may also face additional scrutiny by being placed on the Designated Entities Supplemental Validation (DESV) list. This would subject organizations to additional audits, which adds to the compliance burden.

‍

In short, failing to comply isn't just costly—it creates ongoing challenges that can disrupt your business operations.

‍

These requirements tackle client-side attacks like e-skimming, where malicious scripts silently steal customer payment data directly from your payment pages. These cyberattacks often go undetected for weeks or even months, leaving businesses unaware until it's too late.

‍

For example, British Airways suffered a Magecart attack that exposed the card details of 380,000 customers in just 15 days, resulting in a staggering $230 million fine—not to mention the severe reputational damage.

‍

The numbers speak for themselves: according to MasterCard, nearly 75% of known data breaches in 2022 were due to e-skimming, with cybercriminals breaching 4,500 websites—a 129% increase over the previous year.

‍

Attackers exploit vulnerabilities in third-party scripts or poorly secured supply chains to inject malicious code into payment pages. These scripts can siphon off sensitive customer data without detection for extended periods.

‍

Worse yet, you could be held accountable for vulnerabilities introduced by a third-party vendor if their script wasn’t properly vetted before being added to your payment page.

‍

Both 6.4.3 and 11.6.1 aim to prevent these scenarios by mandating script management and tamper detection mechanisms.

‍

Requirement 6.4.3 ensures that all scripts running on payment pages are inventoried, authorized, and justified with clear business or technical reasons for their presence.

‍

Meanwhile, 11.6.1 requires organizations to implement tamper-detection mechanisms that alert personnel to any unauthorized modifications of HTTP headers or script content at least weekly.

‍

These measures are critical because traditional security tools often fail to detect sophisticated attacks like e-skimming or supply chain compromises.

‍

Ultimately, whether you’re considering compliance penalties or the devastating costs of a data breach—including legal fees, customer compensation, forensic investigations, and reputational harm—non-compliance isn’t an option.

Never Too Late, but Time’s Very Short

With a little more than a month left until the March 31st enforcement deadline, time is running short. This may be panic time for some organizations, but there’s still a runway to get this done right.

‍

These requirements are not just technical mandates—they demand operational alignment and collaboration between departments like IT, marketing, compliance, and even third-party vendors. The scope of work is extensive and requires careful planning and execution.

Understanding Requirements 6.4.3 and 11.6.1

The PCI SSC introduced requirements 6.4.3 and 11.6.1 to mitigate e-skimming attacks (like Magecart) on online payment pages.

‍

Requirement 6.4.3 requires organizations to create and manage an inventory of all the scripts running on the payment pages, with written technical or business justifications of why those scripts are there. Requirement 11.6.1 requires a monitoring and detection mechanism of both the scripts and HTTP headers to find unauthorized script changes and alert personnel.

Addressing Requirements 6.4.3 and 11.6.1

These two requirements are not quick and simple boxes to check off; rather, they demand an organization to add major process changes and technical solutions.

‍

On the process front, for example, the organization must bring its marketing, sales, and other teams to the table to identify and justify each script, like Google Tag Manager, TikTok pixels, or others. Likewise, third-party scripts need to be evaluated to ensure that the vendors providing them are secure and to understand how they work to identify other risks, like 4th-party scripts.

‍

Organizations also need to adjust or add change management processes for their websites. So, for example, every script update - like a new version from the vendor - must undergo an integrity check and reauthorization. To prevent operational disruption, like downtime, you need a process to ensure that the operational teams monitoring for tampering are aware of valid changes.

‍

On the technical side, many organizations might start by implementing measures like Content Security Policies (CSP) and Subresource Integrity (SRI) tags. While these offer a good starting point, CSPs and SRI tags have their limits.

‍

For example, CSPs use predefined rules to restrict the execution of unauthorized scripts, but they don’t work well in dynamic environments where scripts frequently change. As a result, an organization may maintain overly flexible or lax policies, which creates vulnerabilities.

‍

Likewise, SRI tags ensure script integrity by validating hash values, but this only works for static scripts. In cases where scripts are dynamically generated or updated, SRI becomes impractical as new hashes must be generated and deployed in real-time, increasing operational complexity.

‍

Overall, the point is that 6.4.3 and 11.6.1 don’t involve simple tweaks or changes. Organizations need to think through and plan quite a few things, from processes to tools, before implementing changes. Otherwise, they’ll end up in situations where they’re overwhelming their IT teams or, potentially, creating disjointed processes that result in other vulnerabilities and gaps.

‍

For larger organizations, these processes alone can take time to develop and implement, which is why the PCI SSC originally kept 6.4.3 and 11.6.1 as best practices for two years. But with just weeks left until the enforcement deadline, applying these measures from scratch is unrealistic.

‍

Fortunately, there are solutions on the market that target and address these practical problems and, in turn, equip you to meet requirements 6.4.3 and 11.6.1 relatively rapidly.

‍

DataStealth’s Tamper Detection and Protection (TDP) automates script inventory management, real-time monitoring and alerting when the tampering of scripts and security-impacting HTTP headers is detected, directly addressing both requirements 6.4.3 and 11.6.1. It doesn’t require changes to your existing codebase, nor does it add to your team’s burden.

‍

For example, returning to the SRI tag example. Whereas SRI tags aren’t practical in dynamic settings, DataStealth’s TDP dynamically catalogs and validates all scripts, whether first-party, third-party, or dynamically loaded – each time a user accesses a payment page. This ensures that only authorized scripts are executed and that unauthorized/tampered content is blocked.

‍

Where SRI tags lack real-time monitoring, DataStealth TDP continuously inspects payment page content in line with network traffic. It validates every script and header in real-time and identifies unauthorized changes or malicious injections instantly.

‍

DataStealth also provides real-time alerts with enforcement. This is a proactive approach that actively prevents malicious scripts from reaching the consumer’s browser, rather than detecting a threat and relying on the consumer’s browser to block its execution.

It maintains the integrity of the payment page and, in turn, reduces the risk of tampering or unauthorized changes. This approach ensures that you fully meet requirement 11.6.1 without the risk of compliance gaps or security vulnerabilities.

‍

Some alternative solutions on the market, like script-based controls, also offer real-time threat monitoring and blocking. However, by relying on the consumer’s browser to execute the security policy, these solutions often have certain limitations.

‍

For example, script-based solutions are often designed to support popular and widely adopted browsers but not niche or out-of-date ones. While these latter ones only constitute a minority of active browsers, some consumers still use them and, as a result, aren’t properly covered.

‍

Likewise, ad blockers can also interfere with these script-based sensors and prevent them from loading. Users may also block scripts from running at all by adjusting their browser settings. This highlights that with script-based solutions, a merchant’s compliance depends upon variables they have no authority over.

‍

Since your compliance and security posture is only as strong as the weakest link, you might be at risk of an exploit from these more vulnerable vectors.

‍

In comparison, DataStealth isn’t a script-based solution and, in turn, can support every browser and user visiting your website and payment page(s).

‍

Next Steps

The right solution, like DataStealth’s TDP, both directly addresses requirements 6.4.3 and 11.6.1 while also fully securing your payment pages from the actual threat. It’s designed to overcome a lot of the practical difficulties of meeting requirements 6.4.3 and 11.6.1 in a short time. And, with time running out, you need to give DataStealth’s TDP a serious look!

‍

Reach out to our team to see DataStealth’s TDP in action and get a roadmap of how it can help you quickly reach requirements 6.4.3 and 11.6.1.