Breakdown of Payment Page Requirements 6.4.3 & 11.6.1
With an understanding of the rationale behind PCI DSS 4.0 requirements 6.4.3 and 11.6.1, let’s now delve into a detailed breakdown. These requirements are divided into four key components, each critical for strengthening the security of your payment pages and effectively countering the sophisticated threats present in today’s digital landscape.
New PCI DSS 4.0 Requirements - 6.4.3 & 11.6.1
| Requirement | Requirement Text |
| --- | --- |
| 6.4.3 - Scripts Inventory & Management | All payment page scripts that are loaded and executed in the consumer's browser are managed as follows: • A method is implemented to confirm that each script is authorized. • A method is implemented to assure the integrity of each script. • An inventory of all scripts is maintained with written justification as to why each is necessary. This requirement is a best practice until 31 March 2025. |
| 11.6.1 - Page Integrity Monitoring | A change- and tamper-detection mechanism is deployed as follows: • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser. • The mechanism is configured to evaluate the received HTTP header and payment page. • The mechanism functions are performed as follows: at least once every seven days, OR periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). This requirement is a best practice until 31 March 2025. |
These comprehensive requirements establish a robust framework for payment page security. To better understand how to implement these requirements effectively, let's break them down into their core controls.
Requirements 6.4.3 and 11.6.1 comprise four logical controls:
| Control | Description |
| --- | --- |
| Script Inventory - 6.4.3 (i) | You should have a list of all scripts that load on the payment page, and the justification for each of those scripts must be documented. |
| Script Authorization - 6.4.3 (ii) | Only scripts that are authorised should be loaded on the payment page. There must be a system to detect unauthorised scripts and block them. |
| Script Integrity - 6.4.3 (iii) | The content and behavioural integrity of the scripts loaded on the payment page must be maintained. There should be a system to detect scripts that violate their integrity and block them. |
| Page Integrity - 11.6.1 | The contents of the payment page and its HTTP headers must be monitored on a regular basis to detect any major changes to them. |
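As an added illustration of how these four controls fit together (this is not code from the page or from any vendor product), the following Python sketch audits a payment page as received by the browser against a script inventory and a header baseline: it parses the `<script>` tags, flags sources missing from the inventory (authorization), compares each external script's declared SRI value against the inventoried one (integrity), identifies inline scripts by their hash, and diffs selected response headers against a recorded baseline (page integrity). All URLs, hashes, page contents and headers are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes) -> str:
    """SRI value (sha384, base64) for a script body, the format used in the integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects every <script>: external ones by src and declared integrity, inline ones by body hash."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script": return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._inline = []  # body arrives through handle_data, possibly in several chunks
    def handle_data(self, data):
        if self._inline is not None: self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"src": None, "integrity": sri_hash("".join(self._inline).encode())})
            self._inline = None

def audit_payment_page(html, headers, inventory, baseline, watched=("content-security-policy",)):
    """Returns (control, detail) findings; an empty list means the received page matches the baseline."""
    p = ScriptCollector(); p.feed(html); p.close()
    findings = []
    for s in p.scripts:
        key = s["src"] or s["integrity"]  # inline scripts are identified by their hash
        if key not in inventory:
            findings.append(("6.4.3-unauthorized", key))
        elif s["src"] and s["integrity"] != inventory[key]["sri"]:
            findings.append(("6.4.3-integrity", key))  # declared SRI drifted from the inventoried value
    for name in watched:  # 11.6.1: headers as received by the browser vs. the recorded baseline
        if headers.get(name) != baseline.get(name):
            findings.append(("11.6.1-header", name))
    return findings
# Constructed sample data: inventory (6.4.3 i) keyed by src or inline hash, a clean page and a drifted one.
SRC = "https://js.psp.example/v3/checkout.js"
PSP_SRI = sri_hash(b"/* constructed stand-in for the PSP loader body */")
INLINE_CFG = "window.checkoutCfg = {merchant: 'm-123'};"
INVENTORY = {SRC: {"why": "PSP card-field loader", "sri": PSP_SRI},
             sri_hash(INLINE_CFG.encode()): {"why": "merchant config read by the loader", "sri": None}}
BASELINE = {"content-security-policy": "script-src 'self' https://js.psp.example"}
CLEAN_PAGE = f'<script src="{SRC}" integrity="{PSP_SRI}"></script><script>{INLINE_CFG}</script>'
DRIFTED_PAGE = CLEAN_PAGE + '<script src="https://cdn.unknown.example/widget.js"></script>'
```

A production monitor would also fetch each external script and hash the delivered body rather than trusting the declared integrity attribute alone, and would run on the schedule 11.6.1 requires.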