As the e-commerce landscape continues to expand, so does the urgency of the cyberattacks targeting payment systems. One of the most pressing threats today is e-skimming, a rapidly growing menace where cybercriminals exploit scripts on payment pages to steal sensitive payment card data. To address this immediate concern, the Payment Card Industry Data Security Standard (PCI DSS) introduced Requirements 6.4.3 and 11.6.1 in its latest version (v4.x). These requirements focus on managing and monitoring payment page scripts and security-impacting HTTP headers to prevent e-skimming attacks. To help companies understand these new requirements, they also released a guide called “Guidance for PCI DSS Requirements 6.4.3 and 11.6.1,” Version 1.0, March 2025.
The guide’s purpose was to provide supplemental information and guidance to merchants and third-party service providers (TPSPs) on meeting PCI DSS Requirements 6.4.3 and 11.6.1, which address the growing threat of e-skimming attacks on e-commerce payment pages. This document does not replace or supersede requirements in any PCI SSC Standard.
At AccessIT Group, we understand the complexities of PCI DSS compliance and the critical importance of securing your e-commerce environment. This post provides a professional overview of these requirements and actionable steps to help merchants, third-party service providers (TPSPs), and stakeholders enhance their payment page security.
The Growing Threat of E-Skimming in E-Commerce
E-skimming, also known as Magecart or formjacking, exploits vulnerabilities in e-commerce systems to steal payment card data. These attacks can occur through supply-chain compromises (e.g., third-party scripts like analytics or chatbots) or direct script injection into merchant environments.
E-skimming attacks typically fall into two categories:
- Silent Skimming: Malicious scripts steal data in the background without disrupting the transaction.
- Double-Entry Skimming: Fake payment forms trick customers into entering their card details twice—once in the attacker’s form and again in the legitimate one.
With the increasing reliance on external scripts for e-commerce functionality, robust script management and monitoring are essential to mitigate these risks.
Understanding PCI DSS Requirements 6.4.3 and 11.6.1
Requirement 6.4.3: Managing Payment Page Scripts
This requirement ensures that all scripts running on payment pages are authorized, monitored, and justified. To comply, businesses must:
- Authorize: Review and approve every script before deployment.
- Integrity-Check: Use mechanisms like hashing or Sub-Resource Integrity (SRI) to confirm scripts remain unaltered.
- Inventory and Justify: Maintain a detailed record of all scripts, including technical or business justifications for their use.
For example, third-party 3DS (3D Secure) scripts are typically exempt due to the trust relationship established during onboarding. However, all other scripts must adhere to this requirement.
Requirement 11.6.1: Tamper-Detection and Monitoring
This requirement focuses on monitoring scripts and HTTP headers for unauthorized changes. Businesses must:
- Deploy Tamper-Detection Mechanisms: Monitor scripts and HTTP headers on payment pages.
- Generate Alerts: Detect and alert on unauthorized changes, such as script modifications or header tampering.
- Conduct Regular Monitoring: Perform monitoring at least weekly or more frequently based on risk analysis.
These measures help prevent attackers from injecting malicious scripts or altering critical security headers like Content Security Policy (CSP), X-Frame Options, or Strict Transport Security (HSTS).
Who Is Responsible?
Responsibility for compliance depends on the payment page setup:
- Merchant-Hosted Payment Forms: The merchant is responsible for all scripts and headers.
- Embedded Payment Forms (Iframes): The merchant manages scripts on the parent webpage, while the TPSP handles iframe scripts.
- Redirected Payment Pages: The TPSP is responsible for compliance and has limited merchant responsibility.
- Fully Outsourced Websites: TPSPs manage all aspects of script and header security.
Steps to Achieve Compliance
1. Managing and Securing Scripts (Requirement 6.4.3)
- Authorize Scripts: Implement a formal approval process for all scripts.
- Verify Integrity: Use tools like:
- Content Security Policy (CSP): Restrict where scripts can load from.
- Sub-Resource Integrity (SRI): Ensure scripts remain unaltered by comparing cryptographic hash values.
- Maintain a Script Inventory: Document every script, its purpose, and justification.
2.Monitoring and Detecting Tampering (Requirement 11.6.1)
- Deploy Monitoring Mechanisms: Use webpage monitoring solutions or proxy-based systems to detect unauthorized changes.
- Generate Alerts: Ensure alerts are triggered for suspicious changes to scripts or HTTP headers.
- Incident Response Plan: Integrate alerts into your incident response process to address breaches promptly.
Best Practices to Minimize Risk
The PCI Security Standards Council (PCI SSC) recommends additional measures to reduce e-skimming risks:
- Minimize Scripts: Only include essential scripts on payment pages.
- Isolate Scripts in Sandboxed Iframes: Prevent scripts from accessing sensitive data.
- Restrict Script Sources: Use CSP to limit domains from which scripts can load.
- Monitor Behavior: Regularly analyze script behavior for anomalies.
- Conduct Regular Assessments: Perform penetration tests and vulnerability scans to identify security gaps.
Partnering with Third-Party Service Providers (TPSPs)
TPSPs can play a critical role in helping merchants meet these requirements by:
- Hosting secure payment pages.
- Providing Software Development Kits (SDKs) with built-in protections.
- Offering real-time monitoring services to detect e-skimming attempts.
Merchants should review their TPSP’s Attestation of Compliance (AOC) to ensure alignment with PCI DSS requirements.
Why Compliance Matters
Non-compliance with PCI DSS Requirements 6.4.3 and 11.6.1 can result in severe consequences, including financial penalties, reputational damage, and loss of customer trust. By implementing these requirements, businesses can protect sensitive customer data, prevent costly breaches, and maintain compliance with industry standards. The risk is real, and the consequences are significant.
Take the Next Step with AccessIT Group
Securing your e-commerce environment is critical to protecting your customers and your business. At AccessIT Group, we specialize in helping organizations navigate the complexities of PCI DSS compliance and implement robust security measures to safeguard payment systems.
Contact AccessIT Group today to learn how we can help you meet PCI DSS Requirements 6.4.3 and 11.6.1, protect against e-skimming attacks, and ensure your e-commerce platform remains secure and compliant. Let us partner with you to build a safer digital future. Don’t wait until it’s too late. Take the next step towards securing your e-commerce environment with AccessIT Group.
The full guide, which provides comprehensive information and practical tips on meeting PCI DSS Requirements 6.4.3 and 11.6.1, can be found here. It is a valuable resource for anyone involved in e-commerce security, from merchants to third-party service providers, and can help you understand and implement these crucial requirements.
By: Chad Barr – Director of Governance, Risk & Compliance – CISSP | CCSP | CISA | CDPSE | QSA