The Enforcement Deadline for PCI DSS 6.4.3 & 11.6.1 Has Passed. Here’s What’s Next.

DataStealth

As of today (March 31st, 2025), PCI DSS requirements 6.4.3 and 11.6.1 have officially transitioned from best practices to mandatory obligations.

Moving forward, e-commerce merchants must comply with these requirements to maintain PCI DSS v4.0 compliance. Even organizations whose next audit is scheduled for after March 31st must comply with requirements 6.4.3 and 11.6.1 as payment providers/processors expect those controls to be in place.

To quickly recap the new rules:

Requirement 6.4.3 mandates that merchants establish strict controls for all scripts running on payment pages as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
Requirement 11.6.1 requires deploying a change- and tamper-detection mechanism as follows:
- To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
- The mechanism is configured to evaluate the received HTTP headers and payment pages.
- The mechanism functions are performed as follows:
  - At least weekly
    OR
  - Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).

For more details, we recommend reading our earlier guide on requirements 6.4.3 and 11.6.1

‍

Who Needs to Comply?

‍

Merchants completing SAQ D or SAQ A-EP must comply with requirements 6.4.3 and 11.6.1.

For SAQ A merchants – i.e., those who outsource payment processing through iframes or hosted payment forms – PCI SSC recently clarified that they may exempt themselves from these requirements only if:

All elements of the payment page(s)/form(s) delivered to the customer’s browser originate only and directly from a PCI DSS-compliant TPSP/payment processor.
The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).

In FAQ 1588, the PCI Council clarified that merchants can demonstrate this by implementing security controls such as those defined under requirements 6.4.3 and 11.6.1.

In effect, every merchant must be compliant by this point. Waiting until your next audit cycle does not exempt you from these requirements; in the event of a breach, you will be judged against these standards immediately. Therefore, you must prioritize compliance now.

‍

What Happens if You’re Not Compliant

‍

By neglecting requirements 6.4.3 and 11.6.1, you’re essentially leaving a vulnerability for bad actors to exploit. In other words, you’re at acute risk of a successful attack and breach.

Just several weeks ago, an attacker breached over 100 car dealership websites by injecting malicious code (ClickFix) through a trusted third-party service. Moreover, AI has empowered low-skilled attackers to conduct sophisticated attacks, increasing the quantity, efficiency, and success of script-based attacks.

The risk environment is escalating to new heights, and implementing the bare minimum is not enough to protect your environment. However, by remaining non-compliant with requirements 6.4.3 and 11.6.1, you’re failing to apply the bare minimum, which makes you a preferred target for bad actors and, potentially, their next victim.

So, in the event of a breach (which greatly increases in probability due to a lack of sufficient payment page protection), your organization will face:

Substantial fines due to non-compliance with PCI DSS requirements 6.4.3 and 11.6.1, which can range from $5,000 to $100,000 per month until you reach compliance.
Increased transaction fees or loss of payment processing that will eat into your business’s revenue or, potentially, disrupt your ability to handle sales.
Costly and time-consuming forensic investigations to look into why the breach took place and expose the lack of required controls. Your acquiring bank may even place your organization on the Designated Entities Supplemental Validation (DESV) list, subjecting you to more rigorous auditing and stringent compliance requirements.

‍

It’s Not Too Late if You Actively Work On It!

‍

Fortunately, it’s not too late to achieve compliance, but you must act fast. The window to do so is closing as bad actors grow in number and evolve in capability (especially thanks to AI-based tools that lower the technical barriers to mount such attacks).

The right approach is to be security-first by implementing the measures that meet and exceed requirements 6.4.3 and 11.6.1. Doing so will not only shield you from non-compliance problems, but also protect your environment against the actual, real-world risk environment.

For example, does your solution protect only a fraction of transactions, or does it cover every consumer by supporting every browser? What measures do you have in place to remove any dependency on the consumer’s device or browser to ensure they are all protected?

By removing the need to run any monitoring scripts on the customer’s device, DataStealth’s eSkimming Protection solution eliminates all dependency on the client’s browser. It provides full defence against e-skimming attacks, regardless of the tools and plugins used by the consumer, including ad blockers, which can stop sensors from working effectively.

Next, is your solution itself secure from tampering? How do you prevent cyber attackers from injecting malicious scripts before your protective measures activate?

Many traditional script-based solutions rely on JavaScript sensors embedded directly on payment pages. However, these sensor scripts must execute first to inventory and validate subsequent scripts effectively. Sophisticated attackers can exploit this dependency by simply injecting malicious scripts earlier in the page load sequence, bypassing detection entirely.

Finally, it is crucial to note that all scripts – including those designed to protect payment pages - must themselves comply with requirements 6.4.3 and 11.6.1. Hence, these scripts must also be fully inventoried, authorized, and tamper-protected.

‍

Why DataStealth eSkimming Protection?

‍

DataStealth’s eSkimming Protection solution directly addresses each of the aforementioned gaps and issues. It is uniquely positioned to confront this challenge as it’s positioned between your website and the consumer’s browser to analyze and protect 100% of your consumers’ transactions. eSkimming Protection is uniquely positioned to deliver:

Real-time cataloging of all scripts (inline, first-party, third-party),
Automated validation against approved inventory,
Real-time integrity checks with proactive blocking of unauthorized scripts, before they reach the consumer’s browser,
Continuous real-time monitoring with immediate alerts for unauthorized changes,
Full compatibility across all browsers/platforms (including Opera & Samsung Internet).

Moreover, unlike traditional solutions relying solely on CSPs (Content Security Policies) and SRIs (Subresource Integrity tags), which require substantial manual oversight and fail to fully address dynamic or frequently updated scripts, DataStealth automates compliance tasks and actively blocks threats in real-time.

Not only does DataStealth’s eSkimming Protection solution deliver out-of-the-box compliance for requirements 6.4.3 and 11.6.1, but it also equips organizations with proactive defences against evolving client-side threats.

If you’re not already compliant, then take control now. Leveraging eSkimming Protection and secure every user, achieve faster compliance without any coding or installations, and remain ahead of evolving threats with innovative technologies.

Schedule a call today, and we’ll walk you through a compliance and payment page security plan tailored to your requirements and unique environment.

‍