In this blog, we unpack the changes in SAQ A’s eligibility criteria to identify which organizations the PCI SSC has exempted from requirements 6.4.3 & 11.6.1

The PCI Security Standards Council (PCI SSC) has introduced an exemption for SAQ A merchants, allowing them to bypass PCI DSS requirements 6.4.3 and 11.6.1 if they confirm their site is not vulnerable to script-based attacks. This change reduces the compliance burden for eligible e-commerce businesses relying on third-party service providers (TPSPs) for payment processing.

This blog explores what QSAs expect for PCI DSS v4.0 compliance with requirements 6.4.3 and 11.6.1. It covers key practices, such as maintaining a detailed script inventory, ensuring script integrity, setting up tamper detection mechanisms, and establishing robust monitoring and incident response processes. Following these practices can avoid common pitfalls, streamline compliance efforts, and protect your payment pages from e-skimming.

Cybersecurity threats in 2025, including ransomware, phishing, e-skimming, and supply chain attacks, demand robust defenses. PCI DSS v4.0's mandatory requirements 6.4.3 and 11.6.1 enforce script auditing and monitoring to secure payment systems. Solutions like DataStealth ensure compliance and safeguard against these evolving risks.

E-skimming attacks surge during the holiday season, targeting payment pages to steal customer data. These silent breaches can cost businesses millions in downtime, reputational damage, and non-compliance fines. Secure your payment pages and ensure PCI DSS v4.0 compliance with TDP solutions like DataStealth, offering real-time protection and blocking unauthorized scripts.

April 1, 2025, marks the enforcement of critical PCI DSS v4.0 requirements 6.4.3 and 11.6.1—no fooling! These rules apply to all merchants, requiring robust script management and tamper detection for payment pages. In a recent webinar, Chuck Brooks (Brooks Consulting), Thomas Borrel, and James Fuentes (DataStealth) broke down the challenges and shared actionable steps to comply.

With the March 31, 2025, PCI DSS v4.0 compliance deadline approaching, businesses face challenges meeting requirements 6.4.3 and 11.6.1 for monitoring and securing payment page scripts. DataStealth’s no-code, fully managed solution offers real-time protection, proactive monitoring, and automatic compliance assurance, eliminating the vulnerabilities of traditional script-based methods. Backed by patented technology, DataStealth ensures seamless, browser-independent security and compliance.

Script-based solutions often fall short in meeting PCI DSS 6.4.3 and 11.6.1, especially in preventing tampering with payment pages. These methods have limitations such as dependency on execution order, browser compatibility issues, and inability to block malicious scripts. DataStealth offers a more effective alternative by providing proactive tamper detection without relying on scripts or browsers, ensuring full compatibility and real-time protection. This solution simplifies compliance, reduces IT burden, and better safeguards payment data, offering a more reliable approach to meeting PCI DSS requirements.

PCI DSS v4.0 (6.4.3 and 11.6.1) mandates enhanced payment page security, and DataStealth’s Tamper Protection solution meets these by dynamically validating scripts and blocking unauthorized changes in real time—all without code changes, ensuring seamless compliance and protection.

A deeper dive on our Data Security Platform, a suite of solutions bridged by common functionalities to discover, classify, and protect sensitive data.

Customization, and multi-factor authentication are key features in PCI DSS v4.0 global payment benchmark.

Can you say for certain you know where all PANs are being stored? Sometimes the hardest part about securing PANs wherever they're stored is actually knowing where they're stored