# Full Report (excerpt)
An independent PCI assessor tested Reflectiz against the new PCI DSS rules. When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of them can be turned
# Analysis Summary
# Regulation/Compliance: PCI DSS v4.0 (Focus on Requirements 6.4.3 and 11.3.4)
## Overview
The Payment Card Industry Data Security Standard (PCI DSS) v4.0 is the latest evolution of the global security standard designed to protect payment account data. The newest iteration places a significant emphasis on "Client-Side Security," specifically targeting the prevention of e-skimming and Magecart-style attacks where malicious scripts hijack the user's browser during the checkout process.
## Key Details
- **Issuing Authority:** PCI Security Standards Council (PCI SSC)
- **Effective Date:** PCI DSS v4.0 became the active standard on March 31, 2024; the "future-dated" Requirements 6.4.3 and 11.3.4 become mandatory on March 31, 2025.
- **Jurisdiction:** Global (Any entity that processes, stores, or transmits cardholder data).
- **Status:** Final / In Effect.
## Requirements
### Mandatory Requirements
1. **Requirement 6.4.3:** All payment page scripts that are loaded and executed in the consumer's browser must be managed. This includes maintaining an inventory of scripts, justifying why each script is necessary, and ensuring the integrity of those scripts.
2. **Requirement 11.3.4:** Organizations must implement a change-and-tamper-detection mechanism to monitor HTTP headers and the contents of payment pages as received by the consumer's browser.
3. **Authorization:** Each script must be explicitly authorized by the entity.
### Recommended Practices
1. **Automated Inventory:** Moving beyond manual spreadsheets to automated discovery of third-party scripts.
2. **Behavioral Analysis:** Monitoring not just what a script *is*, but what it *does* (e.g., data exfiltration attempts).
## Affected Organizations
- **Industries:** E-commerce, Retail, Financial Services, Hospitality, and any business with a web-based payment checkout.
- **Organization Size:** Primarily Merchants and Service Providers (Level 1-4).
- **Geographic Scope:** Worldwide.
## Compliance Timeline
- **March 31, 2024:** PCI DSS v3.2.1 retired; v4.0 became the active standard.
- **March 31, 2025:** Requirements 6.4.3 and 11.3.4 transition from "Best Practice" to **Mandatory** for all assessments.
## Implementation Guidance
### Assessment Phase
- Audit the checkout page to identify every script: analytics, support widgets, heatmaps, and tag managers.
- Determine which scripts are internal and which are third-party/fourth-party.
### Implementation Phase
- Deploy a solution that monitors the payment page's Document Object Model (DOM) for unauthorized changes, such as injected or modified script elements.
- Implement Content Security Policy (CSP) headers to restrict which origins may load scripts, and Subresource Integrity (SRI) attributes to pin third-party script content to an approved hash, where applicable.
- Establish a formal justification process for every script loaded on a payment page, so the inventory records why each script is present and who authorized it.
### Validation Phase
- Engage a Qualified Security Assessor (QSA) to review script inventory and the efficacy of the monitoring/alerting systems.
## Technical Requirements
- **Script Management:** Ability to block or alert on unauthorized script execution.
- **Integrity Checks:** Mechanisms to detect if a script's code has been altered at the source or during transit.
- **Monitoring:** Periodic or continuous scanning of the client-side environment to detect unauthorized changes to the payment page.
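The script management, integrity and monitoring capabilities listed above, as an added example that is not code from Reflectiz, the PCI SSC or this page: a small Python script monitor that keeps a 6.4.3-style inventory (script URL, written justification, pinned SRI digest), derives a CSP `script-src` allowlist from it, parses a payment page as the browser received it, and reports scripts and domains that are not in the inventory, missing or wrong `integrity` attributes, hosted files whose content changed since approval, and security headers that disappeared from the response (the 11.3.4 header check). Every host (`shop.example`, `cdn.pay-vendor.example`, `tags.analytics.example`, `cdn.stat-collector.example`), script body and header below is constructed for the demo, and the finding names are the example's own.

```python
"""Added example (not Reflectiz's or the PCI SSC's code): a toy payment-page script monitor in
the spirit of PCI DSS 6.4.3 (inventory, justification, integrity) and 11.3.4 (change and tamper
detection of page content and HTTP headers). Every URL, script body and header is constructed."""
import base64
import hashlib
import re
from urllib.parse import urlparse

FIRST_PARTY_HOST = "shop.example"  # hypothetical merchant host

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """SRI token for a script body, e.g. 'sha384-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

# Script bodies as captured when each third-party script was reviewed and authorized (constructed).
PSP_FIELDS = "https://cdn.pay-vendor.example/v2/fields.js"
ANALYTICS = "https://tags.analytics.example/tag.js"
APPROVED_BODIES = {
    PSP_FIELDS: b"window.PayFields = function () { /* card fields */ };",
    ANALYTICS: b"window.track = function (e) { /* analytics */ };",
}

# 6.4.3 inventory: each authorized script, its written justification, and the pinned SRI digest of the
# approved version (None = first-party bundle rebuilt on each deploy and covered by release controls).
INVENTORY = {
    "https://shop.example/js/checkout.js": {"why": "first-party checkout logic", "sri": None},
    PSP_FIELDS: {"why": "PSP hosted card-entry fields", "sri": sri_hash(APPROVED_BODIES[PSP_FIELDS])},
    ANALYTICS: {"why": "conversion tracking, approved by security", "sri": sri_hash(APPROVED_BODIES[ANALYTICS])},
}

def build_csp(inventory: dict, first_party_host: str) -> str:
    """Derive a script-src allowlist (a CSP header value) from the inventory origins."""
    origins = set()
    for key in inventory:
        u = urlparse(key)
        if u.scheme in ("http", "https") and u.netloc != first_party_host:
            origins.add(f"{u.scheme}://{u.netloc}")
    return "script-src 'self' " + " ".join(sorted(origins)) + "; object-src 'none'"

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def parse_scripts(html: str) -> list:
    """List every <script> on the page: src, integrity attribute and inline body."""
    scripts = []
    for attrs, body in SCRIPT_TAG.findall(html):
        a = dict(ATTR.findall(attrs))
        scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": body.strip()})
    return scripts

def check_page(html: str, inventory: dict, fetched_bodies: dict, first_party_host: str) -> list:
    """Compare the received page with the inventory; returns (finding_kind, subject) tuples."""
    findings = []
    for s in parse_scripts(html):
        src = s["src"]
        key = src if src else sri_hash(s["inline"].encode())  # inline snippets are keyed by hash
        entry = inventory.get(key)
        if entry is None:
            kind = ("UNAUTHORIZED_INLINE" if src is None else
                    "UNAUTHORIZED_DOMAIN" if urlparse(src).netloc != first_party_host else "UNAUTHORIZED_SCRIPT")
            findings.append((kind, key))
            continue
        expected = entry["sri"]
        if expected is None or src is None:
            continue  # first-party bundle or approved inline snippet: nothing pinned to compare
        if s["integrity"] != expected:
            findings.append(("SRI_ATTRIBUTE_MISSING_OR_WRONG", src))
        body = fetched_bodies.get(src)
        if body is not None and sri_hash(body) != expected:
            findings.append(("SOURCE_ALTERED", src))  # hosted file changed since it was approved
    return findings

def diff_headers(baseline: dict, observed: dict) -> list:
    """11.3.4 also covers HTTP headers: report baseline headers that vanished or changed."""
    observed = {k.lower(): v for k, v in observed.items()}
    return [("HEADER_REMOVED" if observed.get(n.lower()) is None else "HEADER_CHANGED", n)
            for n, v in baseline.items() if observed.get(n.lower()) != v]

# Constructed snapshot of the payment page "as received by the consumer's browser": the PSP script has
# the right integrity attribute, the analytics tag lost its own, and an unknown domain and an inline snippet appeared.
OBSERVED_PAGE = f"""<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script src="{PSP_FIELDS}" integrity="{INVENTORY[PSP_FIELDS]['sri']}" crossorigin="anonymous"></script>
<script src="{ANALYTICS}"></script>
<script src="https://cdn.stat-collector.example/loader.js"></script>
<script>console.log("promo banner");</script>
</body></html>"""
# Constructed bodies fetched during the same check: the PSP file gained an edit after approval.
OBSERVED_BODIES = {PSP_FIELDS: APPROVED_BODIES[PSP_FIELDS] + b"\n/* edited */", ANALYTICS: APPROVED_BODIES[ANALYTICS]}
BASELINE_HEADERS = {"Content-Security-Policy": build_csp(INVENTORY, FIRST_PARTY_HOST), "X-Frame-Options": "DENY"}
OBSERVED_HEADERS = {"x-frame-options": "DENY"}  # the CSP header is missing from the live response

def run_demo() -> tuple:
    """Run both checks over the constructed data: (script findings, header changes)."""
    return (check_page(OBSERVED_PAGE, INVENTORY, OBSERVED_BODIES, FIRST_PARTY_HOST),
            diff_headers(BASELINE_HEADERS, OBSERVED_HEADERS))

if __name__ == "__main__":
    script_findings, header_changes = run_demo()
    for kind, subject in script_findings + header_changes:
        print(f"ALERT {kind}: {subject}")
```

Run it directly to print one ALERT line per finding. The split it illustrates is the point of pairing the two requirements: an SRI attribute makes the browser refuse a changed file, but only the inventory comparison reveals that a new script or domain appeared on the page at all, and only the header diff reveals that the CSP header enforcing the allowlist stopped being sent. A production monitor would fetch the page and script bodies from real consumer vantage points and on a schedule; the comparison logic is the same.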
## Penalties & Enforcement
- **Fines:** Monthly penalties from card brands (Visa, Mastercard, etc.) ranging from $5,000 to $100,000 per month for non-compliance.
- **Other Consequences:** Increased transaction fees, loss of ability to process credit cards, and brand reputation damage following a breach.
- **Enforcement:** Enforced by acquiring banks and card brands through annual Reports on Compliance (ROC) or Self-Assessment Questionnaires (SAQ).
## Related Standards
- **NIST SP 800-53:** Controls for system and information integrity.
- **ISO/IEC 27001:** Aligned through Annex A controls regarding software and system integrity.
## Resources
- **Official Documentation:** [https://www.pcisecuritystandards.org/](https://www.pcisecuritystandards.org/)
- **Guidance Documents:** PCI SSC Information Supplement: "Protecting E-Commerce"
- **Tools:** Client-side security platforms (e.g., Reflectiz) for automated script discovery and compliance mapping.
## Practical Recommendations
- **Zero-Trust for Browsers:** Treat third-party scripts as untrusted. Just because a script is from a "known" vendor doesn't mean it hasn't been compromised.
- **Clean Checkout:** Minimize the number of scripts on the payment page. If a marketing tag doesn't *need* to be on the checkout page, remove it.
- **Automated Alerts:** Ensure that your security team receives real-time alerts if a script begins communicating with a new, unauthorized domain.