eCommerce Businesses: Focus on Security, PCI Compliance is a Result

  • Benjamin Hosack
  • Mar 20
  • 3 min read

Updated: 2 days ago

There is a great deal of interest and focus on the new PCI requirements coming into force this month for eCommerce merchants:


  • Requirement 6.4.3 - Script Monitoring.

  • Requirement 11.6.1 - HTTP Header Monitoring.


And quite rightly so, as these controls will help merchants to better identify and address malicious activity on their websites.


File Change Monitoring PCI 11.5.2.

In fact, requirement 6.4.3 - Checkout Script Monitoring, when combined with a detailed threat perspective (as we have from our forensic lineage), will quickly identify malicious scripts and enable the merchant to protect their customer data. It would also help to solve the majority of the problems that we've identified on over 30,000 eCommerce sites this last month, where digital skimmers and loaders are focused on stealing payment card data (and the supporting customer PII).


Requirement 11.5.2 - Less Hyped, But Supremely Effective

However, one of the key requirements is being overlooked in the hype that is building over these newly introduced requirements: 11.5.2 File Change Monitoring.


Arguably, when combined with a market-leading threat detection capability, understanding the other changes made by the intruder at the time of introducing malware can SIGNIFICANTLY accelerate containment and resolution of the intrusion.


In our experience, this control - 11.5.2 - is rarely, if ever, found on hacked sites when we assist their owners to regain control of their site.


Why not?


It is challenging to implement and run.


Very few in the eCommerce industry seem to have the skills to implement effective change monitoring AND combine it with threat detection. Disparate systems, and a limited skills base for using those systems, mean that effective file change monitoring is rarely implemented or maintained.


Yet, it is one of THE MOST USEFUL controls for quickly responding to an incident.


In ThreatView Advanced, when we detect the introduction of malware into a client website, the first thing we/our clients do is quarantine the malware.


The second thing we/our clients do is go to the file change events in ThreatView to see what other changes/files were introduced when the criminal dropped the malware onto the site. We search for what other changes may have been made so that we can quickly "undo" the damage.
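The pivot described above, from one flagged file to everything else that changed at the same time, sketched as an added example (this is not ThreatView's code). The function names, the 300-second window and the web root contents are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def scan(root):
    """Return {relative path: sha256 hex digest} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def record_changes(log, previous, current, observed_at):
    """Append added/modified/deleted events, stamped with the scan time.

    The scan time is used rather than file mtime, which an intruder can reset.
    """
    for path in sorted(previous.keys() | current.keys()):
        if path not in previous:
            change = "added"
        elif path not in current:
            change = "deleted"
        elif previous[path] != current[path]:
            change = "modified"
        else:
            continue
        log.append({"path": path, "change": change, "observed_at": observed_at})

def changes_near(log, flagged_path, window_seconds=300):
    """List other changes observed within the window of the flagged file's event."""
    anchors = [e["observed_at"] for e in log if e["path"] == flagged_path]
    return sorted({(e["path"], e["change"]) for e in log
                   if e["path"] != flagged_path
                   and any(abs(e["observed_at"] - a) <= window_seconds for a in anchors)})

def demo():
    """Constructed web root: one routine edit, then an intrusion touching three files."""
    with tempfile.TemporaryDirectory() as tmp:
        root, log = Path(tmp), []
        (root / "js").mkdir()
        (root / "js/checkout.js").write_text("submitOrder();\n")
        (root / "theme.css").write_text("body{}\n")
        baseline = scan(root)
        (root / "theme.css").write_text("body{margin:0}\n")  # routine edit
        after_edit = scan(root)
        record_changes(log, baseline, after_edit, observed_at=1000)
        (root / "js/loader.js").write_text("/* placeholder for flagged file */\n")
        (root / "js/checkout.js").write_text("submitOrder();\nloadExtra();\n")
        (root / ".htaccess").write_text("# placeholder change\n")
        record_changes(log, after_edit, scan(root), observed_at=9000)
        return changes_near(log, "js/loader.js")
```

With `js/loader.js` flagged, the result lists the modified `js/checkout.js` and the added `.htaccess` as cleanup candidates, while the earlier routine `theme.css` edit falls outside the window.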


Tick-Box Compliance or Security?

Now, it seems the industry is excitedly talking about solutions for 6.4.3 and 11.6.1, but without combining the solutions with excellent malware detection, the industry is simply creating more "noise" for the merchants to try to manage - and let's be frank - most of them are not cyber aware, nor do they have endless capacity to deal with "noise". In fact, more noise often results in "alert fatigue" and the stagnation of a solution.


So in the hype around these requirements, let's not lose sight of the huge benefit that they can bring WHEN COMBINED with market-leading threat detection and threat intelligence (i.e. what does the latest malware look like, behave like, etc.).


Chasing tick-box compliance with simple script monitoring solutions may be alluring from a marketing and revenue perspective, but will it improve the outcomes for the ecosystem?


With over 20 years working in the PCI space (yes from before the PCI DSS was formed), we've seen many cases of tick-box compliance approaches being sold to a merchant portfolio, with little to no positive effect on the ecosystem. In fact, the situation in the eCommerce sector is getting worse.


Our eCommerce ThreatScape Report shows this - the number of hacked sites has grown from ~8,000 in early 2024 to ~30,000 in early 2025. Yes, our capability to detect is constantly evolving and improving, but the sheer growth in hacked sites shows that the most vulnerable in the industry need real security solutions.


How do we help?

With ThreatView, we provide support for 6.4.3 (with support for 11.6.1 coming soon) in our free Community and Secure ($18/month) tiers - BUT the difference is we combine this with some of the industry's best threat intelligence, so our clients/users are able to quickly see the threat through the noise that script monitoring can generate.


With our ThreatView Advanced tier, which is currently priced at $59/month, we provide:

  • Malware detection - as one of the leaders in the industry.

  • Real-time checkout script monitoring (6.4.3)

  • HTTP Header Monitoring (11.6.1)

  • Full file change monitoring (11.5.2) -> this is provided "out of the box" and requires no cyber security skills to operate. But when it's needed, our clients are VERY grateful.


Our philosophy is simple: We focus on Security and PCI Compliance is a result.



We provide a free service and are happy to support a try-before-you-buy for our paid-for tiers. Get in touch with our support team via your free ThreatView account for more information.