PCI 4.0.1 - Complying with 6.4.3 and 11.6.1
- Benjamin Hosack
- May 1
- 3 min read
Understanding PCI DSS 4.0.1 and How ThreatView Can Help
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines that ensures the safety of card transactions worldwide. Created by the PCI Security Standards Council, these standards aim to protect against data theft and fraud in debit and credit card transactions.
PCI DSS 4.0.1 applies to all entities involved with cardholder data (CHD) and sensitive authentication data (SAD), including:
Merchants
Processors
Acquirers
Issuers
Service providers.
Recent Updates to PCI DSS 4.0.1 - for eCommerce Merchants
The PCI Security Standards Council recently announced important updates to requirements 6.4.3 and 11.6.1, focusing on eCommerce merchants using inline frames (iframes). However, the Council also said that Self-Assessment Questionnaire A (SAQ A) merchants need to confirm that their site is not susceptible to attacks from scripts that could affect the merchant's eCommerce systems. In other words, while SAQ A merchants don't need to have these controls in place to validate their compliance, they still need to ensure they are secure.
Requirement 6.4.3: Managing Third-Party Scripts
This requirement mandates that websites processing digital payments must:
Confirm all third-party scripts on payment pages are authorised
Ensure script integrity
Maintain a complete inventory with written justification for each script.
While the implementation details are flexible, ThreatView simplifies compliance by:
Automatically maintaining a real-time inventory across all pages, including payment pages
Displaying script payloads for each request
Monitoring code changes and updates
Alerting you to potentially malicious actions or unauthorised changes
We monitor in real time, and reports can be generated for any date in the prior 12 months to support your PCI DSS compliance.

Requirement 11.6.1: Monitoring HTTP Headers for Changes
This more technically challenging requirement states that:
Personnel must be alerted to unauthorised changes in HTTP headers and payment page scripts
HTTP headers and payment pages must be evaluated when changes occur
Reports must be generated at least weekly (as per Requirement 12.3.1).
These requirements can be challenging to meet manually, especially given the dynamic nature of third-party JavaScript.
ThreatView addresses this by:
Monitoring all HTTP Headers and tracking changes.
Generating compliance reports on demand for any dates within the past 12 months.
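As an added illustration of the two checks described under 6.4.3 and 11.6.1 (example code written for this page, not ThreatView's own implementation), here is a minimal script-inventory and header-baseline audit: every script on the payment page is looked up in an authorised inventory and its body hash compared with the hash recorded at approval time, and the response headers are diffed against an approved baseline. All URLs, script bodies and header values are constructed samples.

```python
import hashlib
from html.parser import HTMLParser

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None   # scripts: (src, inline_body)
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._buf = None

def audit_scripts(html, inventory, fetched):
    """6.4.3: flag scripts absent from the inventory or whose hash changed (inline scripts keyed by content hash)."""
    p = ScriptCollector(); p.feed(html)
    findings = []
    for src, inline in p.scripts:
        key, body = (src, fetched.get(src, "")) if src else ("inline:" + sha256(inline), inline)
        if key not in inventory:
            findings.append((key, "not in authorised inventory"))
        elif sha256(body) != inventory[key]["sha256"]:
            findings.append((key, "integrity mismatch"))
    return findings

def diff_headers(baseline, observed):
    """11.6.1: report headers added, removed or changed against the approved baseline (names compared case-insensitively)."""
    b = {k.lower(): v for k, v in baseline.items()}
    o = {k.lower(): v for k, v in observed.items()}
    return {k: (b.get(k), o.get(k)) for k in sorted(set(b) | set(o)) if b.get(k) != o.get(k)}

# Constructed sample data: the authorised scripts, the inventory recorded at approval time (hash plus written justification), and a later observation.
CHECKOUT, INLINE = "window.checkout={tokenize:function(c){}};", "window.dataLayer=[];"
INVENTORY = {"https://pay.example/checkout.js": {"sha256": sha256(CHECKOUT), "why": "card tokenisation"},
             "inline:" + sha256(INLINE): {"sha256": sha256(INLINE), "why": "analytics bootstrap"}}
PAGE = ('<script src="https://pay.example/checkout.js"></script><script>' + INLINE +
        '</script><script src="https://unknown.example/tag.js"></script>')
FETCHED = {"https://pay.example/checkout.js": CHECKOUT + "/*v2*/",   # body changed since approval
           "https://unknown.example/tag.js": "track();"}             # never authorised
BASELINE = {"Content-Security-Policy": "default-src 'self'", "Strict-Transport-Security": "max-age=63072000"}
OBSERVED = {"content-security-policy": "default-src *", "Strict-Transport-Security": "max-age=63072000"}
```

Running `audit_scripts(PAGE, INVENTORY, FETCHED)` reports the modified checkout script and the unlisted tag script, while `diff_headers(BASELINE, OBSERVED)` reports only the changed Content-Security-Policy value.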
Beyond Compliance: A Comprehensive Approach
While PCI DSS focuses on payment pages, we expect these controls to drive changes in attacker tactics, so we strongly recommend monitoring key security data points across your entire website.
ThreatView provides this comprehensive security by:
Tracking changes across all pages (PCI 11.5.2)
Monitoring for eCommerce-specific threats - ThreatView has one of the most comprehensive eCommerce threat detection capabilities in the industry
Supporting diagnostics and enabling rapid response when issues arise - for example, showing what changes have been made, with the ability to roll back those changes to quickly regain control.
How ThreatView Compares to Alternatives
Many traditional solutions focus solely on checking compliance boxes rather than delivering robust security:
| Approach | Limitations |
| --- | --- |
| Crawler-based scanning | May miss hidden scripts and sophisticated database-driven attacks |
| Content Security Policies (CSPs) | Focus on script sources rather than payloads; challenged to detect breached sources or monitor dynamic script behaviour |
| Client-side JS detection ("Agents") | Set up traps that sophisticated attackers can detect and bypass; often miss dynamic or user-specific threats |
The ThreatView Advantage
Drawing on 20 years of experience in PCI forensic investigations, ThreatView offers a multi-layered approach that combines:
Industry-leading e-commerce threat intelligence
Forensic-level file change monitoring (PCI 11.5.2)
Real-time checkout monitoring (PCI 6.4.3, 11.6.1)
Comprehensive threat detection across files, databases, and external connections
Our free tier supports PCI DSS 6.4.3 compliance, while ThreatView Advanced Edition provides comprehensive monitoring that supports requirements 6.4.3, 11.5.2, and 11.6.1 - and comes with a breach protection warranty.
Contact us today to learn more about how ThreatView can help secure your eCommerce environment while ensuring PCI DSS compliance.