June 18, 2025

Ensuring PCI DSS 4.0 Compliance: A Deep Dive into Requirement 6.4.3

PCI DSS v4.0 went into effect on March 31, 2024, prompting organizations to ask whether they are in compliance.

TL;DR

  • PCI DSS 4.0 Requirement 6.4.3 mandates strict controls over scripts that run on payment pages.
  • It aims to stop client-side attacks like e-skimming and Magecart by enforcing script authorization, inventory, and integrity validation.
  • Merchants and third-party service providers (TPSPs) must collaborate to maintain compliance.
  • Feroot simplifies this process with real-time script monitoring and tamper detection tools.

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) 4.0 issued a comprehensive set of requirements in March 2024 to safeguard online payment systems against breaches and theft of cardholder data.

Requirement 6.4.3 is one of the critical components for businesses that take online payments. It focuses on the management and integrity of scripts on web pages that accept credit card payments.

We prepared this document to help you navigate this requirement and learn how security teams, QSAs, and developers ensure they are compliant with Requirement 6.4.3. We’ll also show you how you can use Feroot to easily and accurately guarantee compliance.

What Requirement 6.4.3 Says (in Simple Terms)

PCI DSS 4.0 Requirement 6.4.3 requires organizations to:

  • Maintain an inventory of all scripts running on payment pages.
  • Ensure each script is authorized with a business justification.
  • Use mechanisms like Subresource Integrity (SRI) or Content Security Policy (CSP) to validate and control scripts.

Why Requirement 6.4.3 Matters in PCI DSS 4.0

Payment pages are a primary target for attackers looking to steal customer payment data. Traditional server-side security isn’t enough—scripts that run in the browser can be silently hijacked or altered. That’s where PCI DSS 4.0 Requirement 6.4.3 comes in.

Introduced as part of the updated PCI DSS 4.0 framework, this requirement focuses on reducing client-side risk by putting guardrails around which scripts can run—and how they’re verified.

Who Must Comply?

Whether you’re a merchant, a third-party payment vendor, or a hybrid of both, this requirement applies if scripts execute in the browser on pages that handle payment data.

Responsibility Breakdown:

Payment flow and who is responsible for 6.4.3:

  • Merchant-hosted checkout: the merchant (you own the scripts)
  • Embedded iframe (TPSP): the TPSP (they control the checkout scripts)
  • Redirected payment page: the TPSP (scripts run on their domain after redirect)
  • Fully outsourced site: the TPSP (they own the whole frontend and backend)

If you own any part of the payment page experience, you need to be managing your client-side scripts accordingly.

Risks of Non-Compliance: E-Skimming and Magecart

Hackers use techniques like e-skimming and Magecart attacks to inject malicious JavaScript into payment pages. These scripts silently capture credit card data and send it to external servers—without affecting the visual experience for the customer or triggering backend security tools.

These attacks:

  • Bypass server-side controls
  • Go undetected for weeks or months
  • Put you at risk of fines, data breaches, and reputational harm

How to Comply: A Step-by-Step Guide

  1. Inventory Every Script on Payment Pages

Map out all JavaScript running on your payment page—marketing tags, analytics tools, SDKs, and more.

  2. Authorize Each Script

Document a business justification for every script. Ask: what does it do, who owns it, and why is it necessary?

  3. Apply CSP and/or SRI
    • Use Content Security Policy (CSP) to define which domains are allowed to load scripts.
    • Use Subresource Integrity (SRI) to ensure files haven’t been tampered with.

  4. Monitor Scripts Continuously

Don’t rely on one-time scans. You need ongoing visibility into what scripts are present and whether they’ve changed.

Tools That Power Compliance (and Go Beyond the Checkbox)

Staying compliant with PCI DSS 4.0 Requirement 6.4.3 isn’t just about identifying scripts; it’s about managing them continuously, minimizing risk, and documenting your controls in a way that satisfies auditors and protects customer data.

That’s where Feroot comes in. We don’t just help you pass 6.4.3. We operationalize it for you, with the following capabilities:

  • Real-Time Script Inventory

Feroot automatically discovers every script running in your users’ browsers and maps source, domain, and behavior—giving you a live, accurate inventory at all times.

  • Business Justification Engine

Easily classify and annotate each script with business justifications, helping you satisfy audit requirements without manual spreadsheets.

  • Script Behavior Risk Scoring

We go beyond source validation to assess what each script actually does. If a previously approved script starts behaving suspiciously, you’ll know.

  • Continuous Monitoring and Alerts

Feroot provides proactive alerts for any unauthorized script changes, additions, or spikes in behavioral risk—so you can respond before damage is done.

  • CSP Builder and Policy Testing

Create and test browser security policies (Content Security Policy rules) safely, ensuring coverage without breaking functionality.

  • Audit-Ready Reporting

Generate compliance documentation that clearly shows your inventory, controls, and script risk posture—ready for PCI DSS assessors when you need it.

With Feroot, Requirement 6.4.3 isn’t a checkbox—it’s a manageable, measurable, and secure process built into your operations. Read on for more details about some of Feroot’s core capabilities.

1. Feroot Inspector: A Vital Tool for Script Management

Feroot Inspector gives you an automated way to maintain an accurate inventory of all scripts and an easy way to assess which scripts are authorized and which ones are not. Use the Access Insight Report and the Page Details Scripts Report to:

  • Confirm the authorization of each script, ensuring that only approved scripts are loaded and executed.
  • Maintain an up-to-date inventory of scripts.
  • Manage justifications and streamline script management and compliance efforts.

2. Feroot Threat Intelligence: Ensuring Script Integrity

To ensure the integrity of scripts, Feroot PageGuard evaluates scripts for vulnerabilities, malware, and malicious hosts. This proactive assessment helps to identify and mitigate potential threats before they can compromise the payment page.


3. Feroot DomainGuard: Activate and Manage Content Security Policy (CSP)

Feroot DomainGuard enhances your security posture by helping you quickly implement and maintain CSP. It restricts the locations from which scripts can be loaded, thereby preventing the substitution of unauthorized content on the payment page and helping maintain the integrity of the payment transaction process. In a nutshell: Feroot DomainGuard is a hyper-scalable CSP solution for both mid-size and global enterprises.

4. Feroot PageGuard: Security Policy and Tag Controls

Feroot PageGuard further strengthens the integrity and protection of payment pages by enabling you to set and enforce policies and controls that ensure only necessary scripts are loaded and that they access only permitted information. This minimizes the attack surface by eliminating backdoors and unpermitted data collection that attackers could exploit.

Summary: From Checkbox to Security Standard

PCI DSS 4.0 Requirement 6.4.3 is more than a compliance checkbox—it’s a crucial control to protect your customers from modern attacks. With Feroot, you can turn this requirement into a strength by securing the client side of your web applications.
