
PCI 4.0.1 - Complying with 6.4.3 and 11.6.1

  • Benjamin Hosack
  • May 1
  • 3 min read

Understanding PCI DSS 4.0.1 and How ThreatView Can Help


What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for protecting card payment data worldwide. Maintained by the PCI Security Standards Council, the standard aims to protect against data theft and fraud in debit and credit card transactions.


PCI DSS 4.0.1 applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including:

  • Merchants

  • Processors

  • Acquirers

  • Issuers

  • Service providers.


Recent Updates to PCI DSS 4.0.1 - for eCommerce Merchants

The PCI Security Standards Council recently announced important updates to requirements 6.4.3 and 11.6.1 that focus on eCommerce merchants who embed their payment form using inline frames (iframes). At the same time, the Council stated that merchants validating with Self-Assessment Questionnaire A (SAQ A) must confirm that their site is not susceptible to attacks from scripts that could affect the merchant's eCommerce systems. In other words, SAQ A merchants are not required to validate these two controls for compliance, but they still have to ensure their site is secure against script-based attacks.


Requirement 6.4.3: Managing Payment Page Scripts

This requirement states that all scripts loaded and executed in the consumer's browser on payment pages, whether first-party or third-party, must be managed as follows:

  • A method is in place to confirm that each script is authorised

  • A method is in place to assure the integrity of each script

  • An inventory of all scripts is maintained, with a written business or technical justification for why each one is necessary.


While the implementation details are flexible, ThreatView simplifies compliance by:

  • Automatically maintaining a real-time script inventory across all pages, including payment pages

  • Displaying the script payload for each request

  • Monitoring code changes and updates

  • Alerting you to potentially malicious actions or unauthorised changes

  • Monitoring in real time, with reports that can be generated for any date in the prior 12 months to support your PCI DSS compliance.


Script Inventory, Monitoring and Reporting PCI 6.4.3

Requirement 11.6.1: Monitoring HTTP Headers for Changes

This more technically challenging requirement states that a change- and tamper-detection mechanism must:

  • Alert personnel to unauthorised modification (including indicators of compromise, changes, additions and deletions) of the security-impacting HTTP headers and the script contents of payment pages, as received by the consumer's browser

  • Be configured to evaluate the received HTTP headers and payment pages

  • Run at least weekly, or at the frequency defined in the entity's targeted risk analysis (performed per Requirement 12.3.1).


These requirements can be challenging to meet manually, especially given the dynamic nature of third-party JavaScript.
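To make the two requirements above concrete, here is an added example, written for this article and not part of ThreatView, of the two checks an assessor is really asking about: a 6.4.3 pass that verifies every script on a checkout page against an inventory (authorised, justified, with an integrity digest), and an 11.6.1 pass that fingerprints the security-impacting response headers and script contents so that a later fetch can be compared with a baseline and alerts raised. The hostnames, headers, scripts and inventory entries are all constructed for the example; the digest format is the Subresource Integrity (SRI) one, so the value held in the inventory is the same value the script tag carries. In production the page and headers would come from fetching the live checkout page the way a consumer's browser receives it, on at least a weekly schedule.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Headers whose change would weaken the page's protections (11.6.1's
# "security-impacting HTTP headers"). The list is an assumption; extend it.
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-frame-options", "x-content-type-options", "referrer-policy")


class ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src/integrity, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._cur is not None:        # HTMLParser hands script bodies to handle_data
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def sri_sha256(body):
    """Subresource Integrity digest: 'sha256-' + base64(SHA-256(body))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def check_inventory(scripts, inventory):
    """6.4.3: each script must be in the inventory (authorised and justified) and,
    if external, carry the integrity value the inventory records. Returns findings."""
    findings = []
    for s in scripts:
        key = s["src"] or sri_sha256(s["body"])     # inline scripts are keyed by digest
        entry = inventory.get(key)
        if entry is None:
            findings.append(f"unauthorised script: {key}")
        elif s["src"] and s["integrity"] != entry["integrity"]:
            findings.append(f"integrity mismatch: {key} has {s['integrity']!r}, "
                            f"inventory expects {entry['integrity']!r}")
    return findings


def page_fingerprint(headers, html):
    """11.6.1: security-impacting headers as received plus a digest of every script."""
    hdrs = {k.lower(): v for k, v in headers.items() if k.lower() in SECURITY_HEADERS}
    scripts, inline_n = {}, 0
    for s in collect_scripts(html):
        if s["src"]:
            scripts[s["src"]] = s["integrity"] or "(no integrity attribute)"
        else:
            scripts[f"inline#{inline_n}"] = sri_sha256(s["body"])
            inline_n += 1
    return {"headers": hdrs, "scripts": scripts}


def detect_changes(baseline, current):
    """Diff two fingerprints; each alert is an addition, deletion or modification
    personnel must be told about. An empty list means nothing changed."""
    alerts = []
    for section in ("headers", "scripts"):
        old, new = baseline[section], current[section]
        for k in sorted(set(old) | set(new)):
            if k not in new:
                alerts.append(f"{section}: removed {k}")
            elif k not in old:
                alerts.append(f"{section}: added {k}")
            elif old[k] != new[k]:
                alerts.append(f"{section}: modified {k}")
    return alerts


# --- constructed sample data: hypothetical hosts and scripts, not real services ---
CHECKOUT_JS = "window.psp=window.psp||{};psp.mount=function(el){el.dataset.ready='1';};"
INLINE_CONFIG = "window.pspConfig={merchant:'m_123',currency:'GBP'};"

INVENTORY = {  # the 6.4.3 inventory: one entry per authorised script, with justification
    "https://checkout.example-psp.test/checkout.js": {"integrity": sri_sha256(CHECKOUT_JS),
        "justification": "PSP hosted-field library; required to tokenise card data"},
    sri_sha256(INLINE_CONFIG): {"integrity": sri_sha256(INLINE_CONFIG),
        "justification": "merchant configuration consumed by the PSP library"},
}


def render_page(extra=""):
    """The checkout page as a browser receives it; `extra` injects extra markup."""
    return ("<html><head>"
            f'<script src="https://checkout.example-psp.test/checkout.js" '
            f'integrity="{sri_sha256(CHECKOUT_JS)}" crossorigin="anonymous"></script>'
            f"{extra}</head><body><form id='card'></form>"
            f"<script>{INLINE_CONFIG}</script></body></html>")


PAGE_BASELINE = render_page()
PAGE_SKIMMED = render_page('<script src="https://static.cdn-analytics.test/a.js"></script>')

HEADERS_BASELINE = {
    "Content-Security-Policy": "script-src 'self' https://checkout.example-psp.test",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY", "Content-Type": "text/html; charset=utf-8",  # last one ignored
}
# A compromise that also loosens CSP so the injected script is allowed to run.
HEADERS_SKIMMED = {**HEADERS_BASELINE, "Content-Security-Policy":
                   HEADERS_BASELINE["Content-Security-Policy"] + " https://static.cdn-analytics.test"}
```

Running `check_inventory(collect_scripts(PAGE_SKIMMED), INVENTORY)` flags the injected analytics script as unauthorised, and `detect_changes(page_fingerprint(HEADERS_BASELINE, PAGE_BASELINE), page_fingerprint(HEADERS_SKIMMED, PAGE_SKIMMED))` reports both the loosened Content-Security-Policy header and the added script. Two caveats matter in practice: a diff only tells you that something changed, so the written justification in the inventory is what lets a reviewer decide quickly whether a change is expected; and a page fetched from one vantage point can differ from what a real customer receives if the attacker serves the skimmer only to certain users, which is the weakness of purely crawler-based checks that the comparison later in this article points out.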


ThreatView addresses this by:

  • Monitoring all HTTP Headers and tracking changes.

  • Generating compliance reports on demand for any dates within the past 12 months.


Beyond Compliance: A Comprehensive Approach

While PCI DSS focuses on the payment pages, we expect attackers to adapt their tactics once these controls are in place, so we strongly recommend monitoring key security data points across your entire website.


ThreatView provides this comprehensive security by:

  • Tracking changes across all pages (PCI 11.5.2)

  • Monitoring for eCommerce-specific threats - ThreatView has one of the most comprehensive eCommerce threat detection capabilities in the industry

  • Supporting diagnostics and enabling rapid response when issues arise - for example, showing what changes have been made, with the ability to roll back those changes to quickly regain control.


How ThreatView Compares to Alternatives

Many traditional solutions focus solely on checking compliance boxes rather than delivering robust security:

Approach                             Limitations
-----------------------------------  ------------------------------------------------------------------
Crawler-based scanning               May miss hidden scripts and sophisticated database-driven attacks
Content Security Policies (CSPs)     Focus on script sources rather than payloads; challenged to detect
                                     a breached (allow-listed) source or to monitor dynamic script behaviour
Client-side JS detection ("Agents")  Set up traps that sophisticated attackers can detect and bypass;
                                     often miss dynamic or user-specific threats

The ThreatView Advantage

Drawing on 20 years of experience in PCI forensic investigations, ThreatView offers a multi-layered approach that combines:

  • Industry-leading e-commerce threat intelligence

  • Forensic-level file change monitoring (PCI 11.5.2)

  • Real-time checkout monitoring (PCI 6.4.3, 11.6.1)

  • Comprehensive threat detection across files, databases, and external connections


Our free tier supports PCI DSS 6.4.3 compliance, while ThreatView Advanced Edition provides comprehensive monitoring that supports requirements 6.4.3, 11.5.2, and 11.6.1 - and comes with a breach protection warranty.


Contact us today to learn more about how ThreatView can help secure your eCommerce environment while ensuring PCI DSS compliance.

