Payment Card Industry Data Security Standard (PCI DSS) v4.0 represents a substantial shift in payment security, introducing 51 new requirements that become mandatory by April 2025. This evolution in the standard reflects the increasingly sophisticated threats facing e-commerce platforms and the need for more robust security measures.

Two critical requirements introduced in PCI DSS 4.0 are 6.4.3 and 11.6.1, which address the growing threat of web skimming (eSkimming), also known as Magecart attacks. In these attacks, malicious code is injected into a website, typically its payment page, to steal customers' credit card information as they type it.

These requirements are effective as of 31 March 2025. 

PCI Requirement 6.4.3: Web Client-Side Controls

This requirement focuses on managing and securing the scripts that run on your payment pages and execute in consumers' browsers. Every script loaded into a payment page gives a savvy cybercriminal an opportunity to gain unauthorised access to your organisation's environment. Organisations must implement firm controls to protect all components involved in payment transactions. Requirement 6.4.3 mandates three critical controls to bolster the security of the scripts needed to facilitate payments:

  1. Script Inventory: Maintain a comprehensive list of all scripts running on your payment pages, so that you have complete visibility of what is loaded.
  2. Script Authorisation: Ensure that every script running on your payment pages is authorised, with a documented business justification, and is necessary for the payment process.
  3. Script Integrity: Implement measures to protect scripts from tampering and unauthorised modification.

Adhering to these controls can significantly reduce the risk of cybercriminals adding malicious scripts to your payment pages.

 

PCI Requirement 11.6.1: Detection of Changes to Web Applications

This requirement involves monitoring your organisation’s payment pages for unauthorised changes. This includes monitoring for the following indicators of compromise:

  1. Unauthorised changes
  2. Unauthorised additions
  3. Unauthorised deletions

Meeting this requirement depends on:

  1. Establishing procedures to detect code alterations on your payment pages.
  2. Generating alerts that immediately inform your organisation's cybersecurity team of any code changes.

By implementing effective change detection mechanisms, you can identify potential attacks early on and take appropriate actions to mitigate the risks.

In addition, Requirement 12.3.1 mandates a documented targeted risk analysis to support Requirement 11.6.1.

 

Why These Requirements Matter

Web skimming attacks have become more widespread and sophisticated. Complying with requirements 6.4.3 and 11.6.1 demonstrates a solid commitment to protecting your customers' sensitive payment information. As the public becomes more aware of the cybersecurity risks associated with e-commerce, a visible commitment to PCI compliance helps protect your brand reputation.

The stakes are high, as these controls are fundamental to addressing recent e-commerce breaches and securing online payment environments.

Preparing for Compliance

To help merchants adhere to the new requirements, the PCI Security Standards Council (PCI SSC) will provide a detailed guidance document. Expected in early 2025, this document will include:

  1. Clear, actionable implementation strategies.
  2. Specific guidance for third-party service providers supporting their customers.
  3. Practical, real-world approaches to compliance.

While awaiting the detailed guidance, organisations should:

  1. Begin familiarising themselves with requirements 6.4.3 and 11.6.1.
  2. Assess current security measures against the new requirements.
  3. Start planning for necessary technological and procedural updates.
  4. Engage with qualified security assessors to understand specific implications.
  5. Review and update third-party service provider relationships.

 

Do PCI Requirements 6.4.3 and 11.6.1 apply to my organisation? 

On January 30, 2025, the PCI Security Standards Council announced changes to PCI compliance requirements for SAQ-A merchants. Under the changes, SAQ-A merchants no longer need to explicitly demonstrate compliance with these two requirements. However, SAQ-A merchants will still need to implement robust protections against eSkimming.

Regardless of whether the mandate applies to your organisation, we strongly believe that payment page monitoring is important. As a Payments Forensic Investigator (PFI), we have seen multiple data breaches where customer information has been captured from the payment page due to malicious JavaScript loaded onto those pages. As such, we have always advised our clients to put payment page monitoring measures in place.

Merchants that fall under any other SAQ type are required to comply with the requirements. 

 

Looking Ahead

These changes represent part of a broader evolution in payment security standards. The new requirements reflect the Payment Card Industry’s commitment to staying ahead of emerging and evolving threats, while ensuring organisations of all sizes can implement measures to protect their data and customers.

The upcoming guidance from PCI SSC represents a crucial step in helping organisations navigate the complex landscape of e-commerce security requirements. Ahead of (and beyond) the 31 March 2025 compliance date, the scope and complexity of these requirements make early preparation essential. 

 

Safeguard your organisation with Stratica

Stratica can help you secure your payment pages and meet requirements 6.4.3 and 11.6.1.

Our suite of automated tools streamlines PCI compliance against new and evolving requirements. We are happy to walk through the available software tools, and how they will help protect your organisation, in a complimentary security review.

 

Contact us to learn about our comprehensive suite of PCI compliance solutions and get tailored, actionable advice on implementing them in your organisation. 

Book a Security Review