Responding to PCI DSS 4.0 for Website Owners

PCI Requirements – 6.4.3 and 11.6.1

Sections 6.4.3 and 11.6.1 of PCI DSS 4.0 set out the requirements for managing all payment page scripts that are loaded and executed in the consumer’s browser.

The changes were made to help protect against ‘Magecart’ (web skimming) attacks.

How to Comply with PCI DSS 4.0?

Website owners must monitor and manage the scripts loading on their websites to protect their customers from malicious card-skimming scripts.

RapidSpike continuously detects these client-side changes to your payment pages and produces a report with the findings.

When Will 4.0 Become Mandatory?

PCI DSS 4.0 will be mandatory from 31st March 2025.

Protect Customer Data With Complete Visibility

In-depth Website Script Inventory

Scripts include first-party scripts (files loaded from your own website) and third-party vendor scripts (files loaded from other parties, such as plugins, live chat, advertising and more).

Section 6.4.3 of PCI DSS 4.0 requires that an inventory of all scripts be maintained, with a written justification as to why each one is necessary.

RapidSpike client-side security protects customers and your business reputation by strictly monitoring all data sent from your website. RapidSpike makes compliance easy: the PCI dashboard provides a comprehensive list of all of the scripts loading on your website, including each script file, its path and the last time it was seen.

From the RapidSpike PCI dashboard, generate a PDF or CSV audit report of the scripts loaded on your website.
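As an added illustration of what a script inventory and the change detection described above involve (example code, not RapidSpike's own tooling), the following Node.js script parses a page's HTML, records each script's source, first- or third-party classification and whether it carries an `integrity` attribute, and diffs the result against an approved baseline. The HTML, the hosts (`shop.example`, `cdn.vendor-chat.example`, `unknown-host.example`) and the `integrity` value are constructed placeholders.

```javascript
// Added example (not RapidSpike code): build a script inventory from a page's
// HTML and diff it against a baseline to detect new, removed or changed scripts.
// The HTML, hosts and paths below are constructed for illustration.

const SITE_ORIGIN = 'https://shop.example';

// Constructed sample of a payment page's HTML (not a real site).
const SAMPLE_HTML = `
<html><head>
  <script src="https://shop.example/static/app.js"></script>
  <script src="https://cdn.vendor-chat.example/widget.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
  <script src="/static/checkout.js"></script>
</head><body></body></html>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse name="value" attributes from a script tag's attribute string.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// FNV-1a 32-bit fingerprint of inline script bodies. Non-cryptographic: good
// enough to notice a change, not a substitute for an SRI sha256/384 hash.
function fingerprint(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// One inventory entry per <script>: where it came from, whether it is first-
// or third-party, and whether an integrity attribute pins its content.
function buildInventory(html, siteOrigin, seenAt = new Date().toISOString()) {
  const site = new URL(siteOrigin);
  const entries = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src !== undefined) {
      const u = new URL(attrs.src, siteOrigin); // resolves relative paths
      entries.push({
        kind: 'external',
        src: u.href,
        host: u.host,
        party: u.host === site.host ? 'first-party' : 'third-party',
        hasIntegrity: 'integrity' in attrs,
        lastSeen: seenAt,
      });
    } else {
      entries.push({
        kind: 'inline',
        src: null,
        host: site.host,
        party: 'first-party',
        fingerprint: fingerprint(m[2].trim()),
        hasIntegrity: false,
        lastSeen: seenAt,
      });
    }
  }
  return entries;
}

// Identity of an entry for diffing: external scripts by resolved URL, inline
// scripts by content fingerprint (an edited inline script shows as removed + added).
function inventoryKey(e) {
  return e.kind === 'inline' ? `inline:${e.fingerprint}` : `external:${e.src}`;
}

// Compare the current inventory with an approved baseline (the change detection
// that requirement 11.6.1 asks for).
function diffInventory(baseline, current) {
  const before = new Set(baseline.map(inventoryKey));
  const after = new Set(current.map(inventoryKey));
  return {
    added: [...after].filter((k) => !before.has(k)),
    removed: [...before].filter((k) => !after.has(k)),
  };
}

// Stand-alone run: print the inventory, then show an unexpected script being detected.
const baseline = buildInventory(SAMPLE_HTML, SITE_ORIGIN);
console.table(baseline.map(({ kind, src, party, hasIntegrity }) => ({ kind, src, party, hasIntegrity })));
const changed = SAMPLE_HTML.replace('</body>', '<script src="https://unknown-host.example/extra.js"></script></body>');
console.log(diffInventory(baseline, buildInventory(changed, SITE_ORIGIN)));
```

The regex-based tag scan is enough for static HTML; scripts injected at runtime (by other scripts, or by a skimmer) only appear when the inventory is built from the live DOM in a browser, which is why monitoring in a real browser matters for 11.6.1.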

PCI Compliance Dashboard

Content Security Policy Errors

A Content Security Policy (CSP) can be used to control which scripts and other content a page is authorised to load, including from cross-site sources.

Section 6.4.3 of PCI DSS 4.0 requires website owners to ensure a method is implemented to confirm that each script is authorised.

Any CSP errors found on pages RapidSpike monitors will be listed on the dashboard so you can review them and understand why policies may need amending.

Demonstrate compliance with an audit of CSP issues detected during monitoring.
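To make concrete how a CSP authorises scripts and what a CSP error looks like, here is an added example (not RapidSpike code) that parses a `Content-Security-Policy` header, checks whether a given script URL is authorised by `script-src`, flags source expressions that weaken the allow-list, and summarises a browser violation report in the `report-uri` JSON format. The two policies, the hosts, the nonce value and the report body are constructed placeholders, and the matching logic is a simplified subset of the CSP3 rules.

```javascript
// Added example (not RapidSpike code): parse a Content-Security-Policy header,
// check which script URLs it authorises, flag weak source expressions, and
// summarise a browser violation report. Policies, hosts and the report are
// constructed for illustration; matching is a simplified subset of CSP3.

const SITE = 'https://shop.example';

// Constructed policies: a weak one and its hardened replacement.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' https://cdn.vendor-chat.example 'nonce-PLACEHOLDER'; report-uri /csp-report";

// Split a policy into a Map of directive name -> list of source expressions.
// A repeated directive is ignored, as browsers do.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i;

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Does one source expression authorise this URL? Keyword sources such as
// 'unsafe-inline' or 'nonce-...' never match a URL-loaded script.
function sourceMatches(expr, url, siteOrigin) {
  const u = new URL(url);
  if (expr === "'self'") return u.origin === new URL(siteOrigin).origin;
  if (expr.startsWith("'")) return false;
  if (SCHEME_SOURCE.test(expr)) return u.protocol === expr.toLowerCase();
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  if (!hostMatches(host.toLowerCase(), u.hostname)) return false;
  const urlPort = u.port || (u.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  if (path) return path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path;
  return true;
}

// script-src governs scripts; default-src is the fallback when it is absent.
function isScriptAuthorised(header, scriptUrl, siteOrigin) {
  const d = parseCsp(header);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (!sources) return true; // no governing directive: nothing is blocked
  if (sources.includes("'none'")) return false;
  return sources.some((expr) => sourceMatches(expr, scriptUrl, siteOrigin));
}

// Source expressions that defeat the purpose of an allow-list for scripts.
function policyWeaknesses(header) {
  const d = parseCsp(header);
  const issues = [];
  const sources = d.get('script-src') ?? d.get('default-src');
  if (!sources) return ['no script-src or default-src: every script is allowed'];
  if (!d.has('script-src')) issues.push('script-src missing; scripts fall back to default-src');
  for (const s of sources) {
    if (s === "'unsafe-inline'") issues.push("'unsafe-inline' lets injected inline scripts run");
    else if (s === "'unsafe-eval'") issues.push("'unsafe-eval' allows string-to-code execution");
    else if (s === '*' || SCHEME_SOURCE.test(s)) issues.push(`${s} allows scripts from any host`);
    else if (s.startsWith('*.')) issues.push(`${s} allows any subdomain`);
  }
  if (!d.has('report-uri') && !d.has('report-to')) issues.push('no reporting directive: violations are never seen');
  return issues;
}

// Constructed violation report in the report-uri JSON format a browser POSTs.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://shop.example/checkout',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': HARDENED_CSP,
    'blocked-uri': 'https://unknown-host.example/extra.js',
    'disposition': 'enforce',
  },
});

// Reduce a report body to the fields worth reviewing on a dashboard.
function summariseViolation(body) {
  const r = JSON.parse(body)['csp-report'];
  return {
    page: r['document-uri'],
    directive: r['effective-directive'] ?? r['violated-directive'],
    blocked: r['blocked-uri'],
    enforced: r['disposition'] !== 'report',
  };
}

const unknown = 'https://unknown-host.example/extra.js';
console.log('weak policy allows unknown host:', isScriptAuthorised(WEAK_CSP, unknown, SITE));
console.log('hardened policy allows unknown host:', isScriptAuthorised(HARDENED_CSP, unknown, SITE));
console.log('weaknesses in weak policy:', policyWeaknesses(WEAK_CSP));
console.log(summariseViolation(SAMPLE_REPORT));
```

The weak policy's `https:` scheme source authorises a script from any HTTPS host, so a skimmer hosted anywhere passes; the hardened policy names each vendor host and uses a nonce for inline code, and its `report-uri` is what turns a blocked load into the kind of CSP error a dashboard can surface for review.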

Helping PrismRBS Protect 400+ Websites and Comply with PCI DSS 4.0

“RapidSpike has absolutely helped us to protect our long-term brand reputation. Peace of mind goes a long way; the fact we are able to pull specific whitelists out of RS and tell clients exactly which external hosts they have communicated with is vital.

In the event the hack was re-implemented we would have known about it within the hour. RapidSpike was the first step in recovering our brand reputation.”

Jared Gammel, Associate Developer at PrismRBS

Achieve PCI DSS 4.0 Compliance with RapidSpike

Take our PCI DSS Basics Academy course to understand the PCI DSS 4.0 requirements, best practices and how to use RapidSpike’s dashboard to produce your report.

RapidSpike’s security team has been monitoring Magecart attacks since 2015. Our global award-winning security platform has been built to detect even the most advanced attacks compromising your website. We will monitor and help you respond to any data being sent from your website.