Domdog x PCI DSS 4.0.1 -Responsibility Matrix
Overview
This PCI DSS responsibility matrix helps Domdog customers and their Qualified Security Assessors (QSAs) during PCI DSS compliance audits. As specified in PCI DSS 4.0.1 requirement 12.8.5, the matrix outlines the responsibilities that Domdog and its customers must each fulfil to maintain PCI DSS compliance.
PCI DSS and Domdog
Domdog's Page Security Manager is a comprehensive security and compliance solution that provides continuous monitoring and protection against web-skimming attacks while delivering actionable threat insights. The Page Security Manager helps organizations meet PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 for payment pages. Organizations can choose the security approach that best fits their needs—whether it's our JavaScript Agent, Remote Scanning, Content Security Policy, or any combination of these.
Core Technical Capabilities
- Script Inventory with Justification: Ability to maintain an inventory of the JavaScript loaded on payment pages, with a written justification for each script
- Script Authorization: Ability to monitor and/or enforce that only authorized scripts are loaded on payment pages
- Script Integrity: Ability to monitor and/or enforce the behavioral integrity of scripts
- Page Integrity: Continuous real-time detection of unauthorized changes to payment pages, including HTTP headers and page content
- Alerting: When unauthorized changes are detected on payment pages, our system identifies what truly matters and delivers concise, actionable alerts
- Single Page Evidence Report: An evidence report that gives our customers and their QSAs instant access to the complete compliance story, from implementation details to supporting evidence
PCI DSS 4.0.1 Responsibility Matrix
Below is the responsibility matrix for requirements 6.4.3 and 11.6.1:
| Requirement | Requirement Text | Domdog Responsibility | Customer Responsibility | Joint |
| --- | --- | --- | --- | --- |
| 6.4.3 - Scripts Inventory & Management | All payment page scripts that are loaded and executed in the consumer's browser are managed as follows: • A method is implemented to confirm that each script is authorized. • A method is implemented to assure the integrity of each script. • An inventory of all scripts is maintained with written justification as to why each is necessary. This requirement is a best practice until 31 March 2025. | | | Joint responsibility |
| 11.6.1 - Page Integrity Monitoring | A change- and tamper-detection mechanism is deployed as follows: • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser. • The mechanism is configured to evaluate the received HTTP header and payment page. • The mechanism functions are performed as follows: at least once every seven days OR periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). This requirement is a best practice until 31 March 2025. | Responsible | | |
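As an added illustration, not Domdog's code or a description of the product's mechanism, the following Python sketch shows the kind of check that 6.4.3 and 11.6.1 describe: it builds a script inventory from a received payment page, compares it with an authorized baseline that carries written justifications, and flags changes to the expected HTTP headers. The baseline, the page snapshot and the hostnames are constructed for the example.

```python
import hashlib
import re

# Constructed baseline: authorized scripts with written justification (6.4.3)
# and the HTTP headers the payment page is expected to carry (11.6.1).
BASELINE_SCRIPTS = {
    "https://pay.example/checkout.js": "checkout form logic",
    "https://cdn.example/analytics.js": "conversion analytics",
}
BASELINE_HEADERS = {
    "content-security-policy": "script-src 'self' https://cdn.example",
    "strict-transport-security": "max-age=31536000",
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)


def script_inventory(html: str) -> dict:
    """External scripts are identified by src; inline ones by a hash of their body."""
    inv = {}
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            inv[m.group(1)] = "external"
        else:
            digest = hashlib.sha256(body.strip().encode()).hexdigest()[:16]
            inv["inline:" + digest] = "inline"
    return inv


def check_page(html: str, headers: dict) -> list:
    """Return one finding per unauthorized, missing or changed item; [] means clean."""
    findings = []
    seen = script_inventory(html)
    findings += [f"unauthorized script: {s}" for s in seen if s not in BASELINE_SCRIPTS]
    findings += [f"authorized script missing: {s}" for s in BASELINE_SCRIPTS if s not in seen]
    got = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, expected in BASELINE_HEADERS.items():
        if got.get(name) != expected:
            findings.append(f"header changed: {name} = {got.get(name)!r}")
    return findings


# Constructed snapshot of a tampered page: an inline script was added and the
# Content-Security-Policy header is missing from the response.
TAMPERED_HTML = """<html><body>
<script src="https://pay.example/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>var x = 1;</script>
</body></html>"""
TAMPERED_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
```

Running `check_page(TAMPERED_HTML, TAMPERED_HEADERS)` reports the unauthorized inline script and the missing CSP header, which is the alert 11.6.1 expects personnel to receive.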