Very few people know this, but passing a PCI audit has very little to do with having defensible evidence.
Your processor passed its last PCI assessment. Three months later, a merchant using your payment forms gets hit with a Magecart attack. Card brands start asking: What monitoring did you have on that checkout page? When did you detect the compromise? What evidence can you provide?
That’s when the gap becomes obvious. PCI DSS 4.0.1 introduced requirements for browser and app security that extend into merchant implementations. Your JavaScript executes on merchant checkout pages. Your SDKs run in merchant mobile apps. Your hosted payment fields render in environments you don’t control and often can’t see into.
The standard now requires managing scripts on payment pages and detecting unauthorized changes to those pages. Your infrastructure doesn’t touch those environments. Your audit probably doesn’t either.
What you’ll learn?
- You can pass a ROC and still fail the moment a merchant checkout gets skimmed, because incidents demand timelines and browser-layer evidence, not audit artifacts.
- PCI DSS 4.0.1 pushes service provider responsibility into merchant environments where your scripts and SDKs run, especially around script governance and unauthorized change detection.
- If you cannot observe what is executed next to your components on merchant checkout pages, you cannot defend 6.4.3 and 11.6.1 with proof, which is why client-side monitoring becomes the missing layer.
What PCI asks you to own as a service provider
Understanding the gap between ROC and ASV starts with understanding what you’re actually obligated to provide as a service provider. Your annual Report on Compliance and quarterly ASV scans validate infrastructure controls in your data centers, but your obligations extend beyond that perimeter.
Requirement 12.9 establishes that you’re responsible for the security of services you provide to merchants, not just the infrastructure those services run on. This means when you provide hosted payment fields or mobile SDKs, those become part of your service scope, and your Attestation of Compliance implicitly covers their security even when they execute in merchant environments.
This is where expectations from card brands and acquirers have shifted. They’re no longer asking “is your infrastructure secure?” but rather “can you show that your services are deployed securely across your merchant base?” Your annual ROC thoroughly covers your payment gateway, tokenization service, and fraud detection systems because those operate in your infrastructure.
But it barely touches the checkout pages where your JavaScript renders, even though those pages are still part of how merchants use your service. That makes them part of your service provider scope, which raises a natural question: what specific requirements in 4.0.1 actually affect how you operate?
The architectural problem behind the requirements
Three requirements directly impact processors who provide client-side payment services, and they all center on the same architectural challenge: your code operates in environments you don’t control.
Requirement 6.4.3 addresses script management on payment pages, which means when you provide payment forms, hosted fields, or drop-in UI components, you’re responsible for the security of your scripts even though they execute on merchant pages where you have limited visibility into the surrounding context
This creates a specific problem.
Your code operates in the merchant’s domain, which means a merchant could load your payment form on the same page as an analytics tracker that logs keystrokes, or they could implement your SDK in a mobile app that includes other third-party libraries, or they could wrap your hosted fields in custom JavaScript that handles data before your encryption activates.
You control what your code does, but you don’t control what else is on the page when your code executes.
That’s why Requirement 11.6.1 matters. It requires detecting changes to payment pages, and if your code runs on those pages, changes to the page environment directly affect your service. A merchant might add a new plugin next month, or someone might inject a skimming script that only activates during high-traffic hours. These changes happen outside your infrastructure, but they affect the security of services you provide.
For mobile implementations, Requirement 6.5.x creates the same dynamic. Your SDK might be secure in isolation, but it operates in an app environment you don’t control, which means you can’t see what else is in the merchant’s app bundle, what permissions the app requests, or how the merchant’s code handles data your SDK processes.
Which brings us to what you can actually enforce
The enforcement is divided into two landscapes:
- What you control directly versus
- What you can only influence through documentation and validation
You can enforce controls that execute in your infrastructure because you can reject non-HTTPS traffic, validate API keys, verify webhook signatures, and apply rate limits inside systems you own. What sits on the merchant side of the boundary, like CSP posture, embedding patterns, and implementation hygiene, is influence work.
You can document it, test for it during onboarding, and ship tooling around it, but you cannot force it in production.
When you cannot enforce, you end up validating.
You cannot enforce the merchant’s full page environment. You cannot stop them from loading third-party scripts you have never reviewed, modifying how your payment form is embedded, or running vulnerable plugins and stale CMS versions, because those decisions live in environments where you lack visibility and control.
In practice, processors fall back to the next best proxy: validating the implementation at go-live through site scans, integration reviews, and automated checks. The problem is that these controls are point-in-time. They tell you what checkout looked like on day one, not what changed three months later.
You can still monitor what you own, like API anomalies and SDK version adoption, but you cannot observe the browser execution environment where your JavaScript actually runs unless you instrument it. And once you cannot observe the environment, you cannot credibly prove what happened inside it when brands and acquirers start asking for evidence.
So what do you have to prove to card brands and acquirers
The evidence expectations for processors change depending on whether the conversation is an assessment or an investigation, because audits reward structured artifacts and incidents demand timelines. Your Attestation of Compliance defines the scope of services you provide as a service provider, and your QSA validates the controls inside processor-owned systems: API security architecture, encryption, access controls, vulnerability management, and incident response.
For infrastructure you operate, evidence is coherent because it is generated inside your perimeter: logs, scan results, penetration tests, network diagrams, and policy records all tell the same story.
Documentation can pass an audit. It cannot survive an incident.
That is why merchant-facing proof often starts as documentation. Integration guides, secure implementation requirements, and developer resources show intent, governance, and support, and in a routine assessment that can look like the full answer.
Incidents test something else. When a merchant experiences a client-side compromise, brands and acquirers stop asking what your controls are and start asking what you observed: what monitoring existed, when the issue was detected, what changed, and what actions followed. They want timelines, detection logs, response records, and communications, because that is the only defensible evidence when the breach happened outside your infrastructure.
Your ROC is point-in-time proof of infrastructure control, but breach questions require operational telemetry. If the honest answer is “we found out when the merchant told us,” then the service is effectively unmonitored at the exact point where PCI 4.0.1 concentrates risk.
Where your monitoring stops, and PCI 4.0.1 starts
Inside your perimeter, visibility is strong. You can track API calls, authentication failures, transaction processing signals, and fraud indicators, and you can produce logs that reconstruct what happened in systems you operate. The problem is that client-side compromise does not need to break your gateway to succeed. It can live on the merchant checkout page, in the scripts that load around your hosted fields, or in the wrappers that touch data before your service receives it.
The checkout environment is where your service runs, but not where your telemetry reaches.
You typically cannot see the full merchant checkout page, which scripts load there, what those scripts do, or whether any of them interact with payment fields. You also cannot reliably observe third-party tags, analytics tooling, chat widgets, or vendor updates that change browser behavior without a processor-side deployment. Your JavaScript executes in merchant browsers and your SDKs run in merchant apps, but you do not control those runtimes, which means the telemetry needed to substantiate 6.4.3 and 11.6.1 often exists outside your logging boundary.
PCI DSS 4.0.1 effectively asks for monitoring outcomes you cannot generate from infrastructure data alone. Requirement 11.6.1 expects detection of unauthorized changes to payment pages, yet detection requires visibility into the page where your component executes. Most processors bridge this gap with documentation and point-in-time onboarding checks, then respond when merchants report issues.
That posture is exactly what makes shared responsibility ambiguous during incidents, because brands and acquirers evaluate responsibility based on security outcomes and evidence, not contractual language.
This is what “shared responsibility” looks like in evidence.
The only thing that matters is who can control, observe, and evidence each layer.
| Req. | Processor controls | Processor monitors | Merchant responsibility | Owner |
| Payment API security | Authentication, encryption, rate limiting, input validation | API calls, response codes, authentication failures, suspicious patterns | API key security, proper integration implementation | Processor (full visibility and control) |
| Processor-provided scripts | Script content, delivery mechanism, update distribution, integrity verification | Script loading, basic errors, version adoption across merchant base | Proper implementation, page context security, CSP headers | Processor for script security, limited evidence for execution environment |
| Merchant page environment | Nothing directly | Nothing by default | Page security, CMS updates, hosting security, overall site maintenance | Merchant (processor has no visibility) |
| Third-party scripts on merchant pages | Nothing | Nothing | Vetting third-party vendors, monitoring for malicious scripts, removal when compromised | Merchant (affects processor service but outside control) |
| Mobile SDK implementation | SDK code, security features, update distribution, API communication | SDK initialization, basic usage patterns, version adoption | App security, proper SDK integration, permission handling, app-level data protection | Processor for SDK security, limited evidence for app environment |
| Browser execution monitoring | Nothing in merchant browsers | Nothing in merchant browsers | Their environment, but processor code executes there | Gap in current compliance posture for most processors |
The last row, browser execution monitoring, is where Requirement 11.6.1 applies but where you currently have no telemetry. And it becomes a practical problem during breach investigations when you need to demonstrate what monitoring you had in place.
Which raises the obvious question: how do you actually address this?
PaymentGuard AI addresses the gap by operating in the same environment
That matters because the client-side monitoring gap is not created by weak processor infrastructure, it is created by where execution happens. PCI DSS 4.0.1 concentrates requirements like script governance and change detection in the browser and app runtime, which is exactly where your hosted fields, drop-in UI, and SDKs run inside merchant implementations.
If you cannot observe that runtime, you cannot credibly prove what changed, when it changed, or what executed at checkout when brands and acquirers start asking for evidence.
PaymentGuard AI is built to sit in that execution layer. It monitors the pages where your components render, detects drift and suspicious client-side changes that affect the security outcome of your service, and produces an evidence trail that connects directly to 6.4.3 and 11.6.1 obligations. That shifts your posture from point-in-time onboarding validation to continuous observation, which is the only way to answer breach questions with timelines instead of assumptions.
Operationally, it also changes the shared responsibility conversation without pretending you own the merchant environment. Merchants still own their sites and apps, but processors can demonstrate reasonable diligence where their service actually executes, and that diligence shows up as logs, detections, and response records rather than documentation alone.
Deployment can match processor distribution models, whether white-labeled, referred, or bundled, but the compliance effect is the same: one monitoring layer scales across the merchant base and closes the visibility gap before the next investigation makes it your problem to explain.
Compliant and defensible
Defensibility is being able to answer three questions with timestamps: what was running next to your component, what changed, and when you knew. When brands and acquirers ask about 6.4.3 and 11.6.1 in an incident, they are not testing whether you understand shared responsibility. They are testing whether you can produce evidence from an environment you do not own.
So the nuance is that the path forward is not a fight over scope language. It is a decision about observability. Either the processor ecosystem accepts that client-side monitoring is now part of service delivery, or every Magecart-style event becomes the same ritual: merchants tell you late, infrastructure logs prove nothing, and shared responsibility collapses into a reputational problem you still have to carry.
The processor that wins is the one that can keep saying, calmly and accurately, “here is what was executed at checkout, here is when it changed, and here is what we did,” because in PCI 4.0.1, that is the difference between passing an audit and surviving the investigation that follows.
