Skip to main content
Blog
Blog

Does Stripe Make You PCI Compliant? What PCI DSS 6.4.3 & 11.6.1 Still Require

Stripe shrinks your PCI DSS scope and can move you to SAQ A, but it does not make your site fully compliant. Requirements 6.4.3 and 11.6.1 stay yours.

Jul 09, 2026 8 min read
Does Stripe Make You PCI Compliant? What PCI DSS 6.4.3 & 11.6.1 Still Require

Does using Stripe make you PCI compliant?

No. Using Stripe shrinks your PCI DSS scope and can move you to the shorter SAQ A self-assessment, but it does not make you fully compliant. Stripe certifies its own systems, not your website. PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 govern the scripts on your payment page, and that page still loads in your customer's browser. They stay your responsibility.

E-commerce and compliance teams often overlook this gap. Offloading card capture to a processor is valuable: it removes cardholder data from your servers and cuts the number of controls you self-attest to. But "we use Stripe" answers a question about where card numbers are processed. It does not answer the question PCI DSS 4.0.1 now asks: what is every script doing in the browser while your customer types their card?

What Stripe actually covers (and what it does not)

Stripe is a PCI DSS Level 1 service provider, and you can use Stripe for PCI DSS scope reduction. When you use Stripe Elements, hosted fields, or Stripe Checkout, the card number is entered into an iframe served and controlled by Stripe. The sensitive data lands in Stripe's environment, not yours. That is the scope reduction you are paying for, and it is real.

What Stripe does not do is take ownership of the page that surrounds its iframe. Your checkout page is still served from your domain, assembled by your stack, and decorated with your scripts: analytics, tag managers, session replay, chat, fraud SDKs, and whatever a marketing team added last quarter. Those scripts run in the same browser as the payment flow.

ConcernStripe covers itYou still own it (6.4.3 / 11.6.1)
Card number entry and storageYes, inside Stripe's hosted iframeNo
Stripe's own PCI DSS attestationYes, as a Level 1 service providerNo
Third-party scripts on the payment pageNoYes, inventory and justify each one (6.4.3)
Integrity of those scripts (no tampering)NoYes, confirm integrity (6.4.3)
Tamper and change detection plus alertingNoYes, deploy a mechanism (11.6.1)
Security-impacting HTTP headersNoYes, monitor for unauthorized change (11.6.1)
Your merchant SAQ and AoCNoYes, you self-assess and attest

The split is clean. Stripe owns the card data, you own the browser environment around it. PCI DSS 4.0.1 made that second column explicit.

What do requirements 6.4.3 and 11.6.1 actually require?

Both requirements were introduced to address client-side attacks, where malicious code is injected into scripts that run in the customer's browser. They became mandatory on 31 March 2025 (PCI Security Standards Council, PCI DSS v4.0.1).

Requirement 6.4.3: manage your payment-page scripts. For every script loaded and executed on the payment page in the consumer browser, you must:

  • Maintain an inventory of all scripts, with written justification for why each one is necessary.
  • Authorize each script before it is added or changed.
  • Confirm the integrity of each script by verifying it has not been modified without authorization.

Requirement 11.6.1: detect tampering and alert. You must deploy a change-detection and tamper-detection mechanism that:

  • Alerts personnel to unauthorized modification of the HTTP headers and the scripts of the payment page, as received by the consumer browser.
  • Evaluates the received page at least once every seven days, or at a frequency defined by your targeted risk analysis.

6.4.3 says know and authorize your scripts, and 11.6.1 says watch them in real-time and alert when they change. Neither is satisfied by your payment processor, because neither is about where the card data goes. They are about what runs in the browser. For a step-by-step walkthrough, see our practical guide to PCI 6.4.3 and 11.6.1 compliance.

Do these requirements apply to me if I am SAQ A?

Teams get caught here. SAQ A is the shortest self-assessment, reserved for merchants who fully outsource cardholder data handling. It is tempting to read "fully outsourced" as "nothing client-side to worry about." That is no longer how the PCI SSC treats it.

The January 2025 SAQ A removed 6.4.3 and 11.6.1 from the questionnaire itself, then added a new eligibility criterion in their place. To use SAQ A you now have to confirm that your payment page is not susceptible to attacks from scripts that could affect your e-commerce systems, and that every element delivered to the browser comes directly from a PCI DSS compliant processor (PCI Security Standards Council, 2025). Merchants who cannot make that confirmation drop out of SAQ A and have to satisfy the payment-page script requirements directly. Either way, browser-side script risk is now your problem. Confirm your current SAQ A version and its eligibility criteria against the PCI SSC Document Library before you assume you are out of scope.

The change traces back to a specific event. The 2024 Polyfill[.]io incident showed how a single trusted third-party script, embedded on more than 490,000 sites, can be turned malicious overnight and serve skimming or redirect code to checkout pages (Sansec, 2024). A merchant on SAQ A with Stripe Checkout was just as exposed as anyone else, because the malicious script rode in on the merchant's own page, not Stripe's.

Why the payment page is still your attack surface

The core problem is where code runs. Stripe's iframe isolates the card fields, but client-side attacks rarely target the card field directly. They target the page around it.

  • Form overlays. A compromised script can draw a fake card form on top of, or alongside, Stripe's iframe and capture data before it reaches Stripe.
  • Checkout redirection. Injected code can send a shopper to a spoofed payment page mid-flow.
  • Data harvesting. A tampered analytics or chat script can read name, email, address, and order details from the DOM and exfiltrate them to an attacker-controlled domain.
  • Header weakening. Modified security-impacting HTTP headers such as Content-Security-Policy can open the door for the scripts above, which is why 11.6.1 names headers explicitly.

E-skimming is not a rare edge case. Magecart-style web skimming has hit thousands of e-commerce sites, and the technique persists because the browser is hard to monitor from the server. In the 2024 Verizon DBIR, payment card data accounted for 25% of breached records in the retail sector, and retail is named as the home turf of Magecart actors who insert malicious code into checkout pages (Verizon, 2024). Your server logs and Stripe's dashboard will both look normal while a skimmer runs in your customers' browsers.

This is why the requirements live in the browser, not the backend. To learn how these attacks bypass server-side controls, see our guide to client-side security.

How to satisfy 6.4.3 and 11.6.1 in practice

You can meet these requirements manually: keep a spreadsheet of every script, justify each, hash them, and check the rendered payment page weekly for changes. For a site with a handful of static scripts, that might hold. For a real checkout where a tag manager injects scripts dynamically, the manual approach breaks down fast and produces evidence auditors distrust.

The operational answer is continuous, automated script monitoring built for the payment page. cside PCI Shield is designed to satisfy both requirements directly:

  • Automated inventory and justification (6.4.3). cside discovers every script running on your payment page, builds the inventory, and lets you record authorization and justification in one place, with one-click and AI-assisted review.
  • Real-time integrity and tamper detection (11.6.1). cside monitors scripts and security-impacting HTTP headers continuously and alerts on unauthorized change, rather than sampling on a weekly cron and hoping nothing slipped through between checks.
  • Audit-ready evidence. cside archives every script version with full history, so you hand a QSA forensic records instead of behavioral guesses.

The point is not to replace Stripe. Stripe and a script-monitoring layer solve different halves of the same compliance picture: Stripe takes card data out of scope, and cside covers the browser-side requirements Stripe leaves with you.

The bottom line

Using Stripe is a smart way to shrink PCI scope, and it can put you on SAQ A. It does not make you fully PCI compliant, because requirements 6.4.3 and 11.6.1 hold you responsible for the scripts and headers on your payment page, where Stripe's hosted fields have no reach. Those requirements are mandatory, and SAQ A eligibility itself now depends on confirming your payment page is protected against script tampering.

Treat the payment page as your attack surface, inventory and authorize every script, and deploy real-time tamper detection. For the operational side of that, see cside PCI Shield and client-side security, or book a demo to walk through your checkout.

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

No. Stripe is a PCI DSS Level 1 service provider, and using its hosted fields or Checkout shrinks your PCI scope and can qualify you for the shorter SAQ A. But PCI compliance is still your responsibility as the merchant. Stripe handles the cardholder data it processes on its own systems. It does not certify your website. PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, which cover the scripts running on your payment page, remain your obligation even when Stripe processes the payment.

Requirement 6.4.3 says you must manage every script that loads and executes in the browser on your payment page. For each script you have to keep an inventory, written justification for why it is needed, and a method to confirm its integrity, meaning it has not been changed without authorization. The goal is to stop unauthorized or tampered scripts from skimming cardholder data in the customer's browser.

Requirement 11.6.1 says you must deploy a change-detection or tamper-detection mechanism that alerts you when the scripts on your payment page, or its security-impacting HTTP headers, are modified. The mechanism has to evaluate the payment page as received by the consumer browser at least every seven days, or at a frequency set by your targeted risk analysis. It exists to catch Magecart-style e-skimming injected into client-side code.

Indirectly, yes. The January 2025 SAQ A removed requirements 6.4.3 and 11.6.1 from the questionnaire itself, but the PCI SSC added a new eligibility criterion: you must confirm your payment page is not susceptible to attacks from scripts that could affect your e-commerce systems, and that all elements delivered to the browser originate directly from a PCI DSS compliant processor (PCI Security Standards Council, 2025). Merchants who cannot confirm that cannot use SAQ A and must satisfy the payment-page script requirements directly. Confirm your current SAQ A version against the PCI SSC Document Library.

Because the page itself still loads in your customer's browser, on your domain, with your scripts around it. Stripe's hosted iframe protects the card number entry, but it does not control the analytics tags, chat widgets, A/B testing tools, and other third-party scripts that share the page. A compromised script can overlay a fake form, redirect the checkout, or read what it should not. That browser-side risk is what 6.4.3 and 11.6.1 address.

cside PCI Shield builds and maintains the script inventory, captures justification, and monitors every script on your payment page for unauthorized change in real-time, alerting on tampering of scripts and security-impacting HTTP headers. It archives every script version with full history, so you hand a QSA forensic records instead of behavioral guesses. cside PCI Shield is QSA-validated to pass PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo