What is PCI DSS 4.0 Requirement 6.4.1 (JavaScript Integrity Controls)?

Summary

• Requirement 6.4.1 of PCI DSS 4.0 mandates that payment page scripts are authorized, inventoried, and integrity-checked.
• This control addresses growing risks from third-party JavaScript, such as skimmers and Magecart-style attacks.
• Merchants must maintain a list of all scripts, justify their business needs, and ensure they haven’t been tampered with.
• This is a response to real-world client-side breaches that happen in browsers—not just on servers.
• JavaScript integrity controls are now essential for protecting cardholder data at the point of entry.

What Does PCI DSS Requirement 6.4.1 Require?

PCI DSS 4.0 Requirement 6.4.1 requires entities to:

“Maintain an inventory of all scripts that are loaded and executed in the consumer’s browser on payment pages, and ensure each script is authorized and has a method to assure its integrity.”

In plain terms:

If your checkout page loads JavaScript—whether it’s first-party or from a third-party CDN—you must:

• Know what every script is doing
• Justify why it’s necessary
• Ensure it hasn’t been altered or injected maliciously

This requirement applies specifically to payment pages that collect account data, such as card numbers or CVVs.

Why Did PCI Add This Requirement?

Historically, PCI DSS focused on server-side protections: firewalls, encryption, access control. But many modern attacks now happen in the browser, not the server.

The threat:

• Third-party scripts (ads, analytics, plugins) are often loaded dynamically.
• Attackers inject malicious code into these scripts—often without the merchant knowing.
• These scripts silently exfiltrate cardholder data at the moment of entry.

High-profile breaches involving Magecart, formjacking, and digital skimming made it clear that client-side JavaScript needed formal controls.

Requirement 6.4.1 aims to reduce blind spots in the browser by enforcing visibility and validation of all executing scripts.

What Counts as an Integrity Control?

Integrity controls help verify that a script hasn’t been modified since it was approved. Common methods include:

• Subresource Integrity (SRI): Adds a cryptographic hash to script tags to ensure the content hasn’t changed.
• Content Security Policy (CSP): Limits which domains scripts can load from.
• File checksums or version control: Used to track first-party script changes.
• Client-side security platforms: Provide automated monitoring of JavaScript behavior and unauthorized changes.

The PCI DSS doesn’t mandate a specific method—but it does expect a documented approach that ensures script integrity.

What Should Merchants Do to Comply?

To comply with Requirement 6.4.1, organizations must:

1. Create and maintain a script inventory: List all scripts that load on payment pages, including third-party and inline scripts.
2. Document the business justification: Why is each script needed? What function does it serve?
3. Implement integrity validation: Choose one or more methods (SRI, CSP, monitoring) to ensure scripts are unaltered.
4. Monitor for changes: Set up alerts or monitoring tools that detect new or modified scripts.
5. Review regularly: Revalidate inventory and controls periodically, especially before audits.

FAQ

Conclusion

Requirement 6.4.1 of PCI DSS 4.0 marks a major shift in focus—from just back-end infrastructure to client-side risk. It acknowledges that many attacks happen right where sensitive data is entered: the browser.

To stay compliant and secure, merchants must:

• Maintain a live inventory of all JavaScript on payment pages
• Justify every script’s business purpose
• Implement robust integrity checks and change monitoring
• Detect unauthorized or injected scripts in real time

Without visibility into client-side activity, you’re blind to the most critical point in the payment flow.