11.6.1 - Page Integrity

Safeguarding Against Sophisticated Web Skimming

Web skimming attacks have evolved beyond merely capturing credit card data from payment fields. Modern attackers now employ more advanced tactics, such as fake form attacks, where a fraudulent payment form is presented to the user to steal their credit card information before the legitimate form even appears.

To combat these sophisticated threats, it’s crucial to ensure the integrity of your entire payment page. Under PCI DSS 4.0.1, the Page Integrity requirement (11.6.1) calls for a holistic approach: monitoring all resources loaded on the page, verifying the legitimacy of the forms displayed, and checking the HTTP headers sent by the server. A robust system should continuously monitor these elements and promptly alert site owners, so they can swiftly detect and address unauthorized changes and mitigate threats before customer card data can be skimmed from the payment page.

Expert Insight
Implementing the controls outlined in PCI DSS 4.0 requirements 6.4.3 and 11.6.1 is not just about compliance—it’s a strategic move to bolster the security of your payment pages. By understanding and applying these four key controls, you can significantly mitigate the risk of client-side attacks and safeguard sensitive customer data. As you integrate these requirements into your security framework, consider how they align with your broader security and privacy goals and contribute to continuous improvement in your security posture.