Skip to main content
Blog
Blog

PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1: The Client-Side Compliance Guide

Clause-by-clause breakdown of PCI DSS 6.4.3 and 11.6.1: the control text, the 2025-03-31 date, and the evidence each control produces for a QSA audit.

Jul 14, 2026 8 min read
PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1: The Client-Side Compliance Guide

PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 govern the scripts and HTTP headers on your payment pages. 6.4.3 makes you inventory, authorize, and assure the integrity of every script. 11.6.1 makes you detect and alert on unauthorized changes to that page's scripts and security headers. Both have been mandatory since 2025-03-31. This guide breaks down each clause, what it means for the page in production, and the specific evidence a QSA expects it to produce.

These two requirements exist because of e-skimming. Magecart-style attackers do not breach your server. They alter a script the browser loads, then capture cardholder data straight from the form as the user types it. A processor iframe does not cover the page that frames it. cside lives in that exact gap: it records every script real browsers execute on the payment page, captures authorization, and flags integrity and header changes as they happen.

What requirement 6.4.3 actually requires

6.4.3 sets three obligations for every payment-page script. Read each as a separate clause, because a QSA will:

  1. A method confirms each script is authorized before it loads or executes.
  2. A method assures the integrity of each script.
  3. An inventory of scripts is maintained with a written justification for why each is necessary.

"Authorized" and "necessary" are the two words that trip teams up. Authorization is a recorded decision: a named approver signed off that this script may run on a page in cardholder-data scope. Justification is the business reason it exists. A tracking pixel marketing added last quarter usually has neither, which is exactly the kind of finding 6.4.3 surfaces.

Scope is wider than first-party code. The control covers every script the browser executes on the page: your own bundles, third-party SDKs, and the fourth-party scripts those vendors pull in at runtime. A tag manager that injects three more scripts after page load is three more entries in your inventory, and those entries change without a deploy on your side.

The PCI SSC lists Subresource Integrity (SRI) hashes and Content-Security-Policy as example integrity mechanisms. They hold for static assets. They break the moment a script is dynamic. An analytics tag or A/B tool that updates legitimately invalidates the hash, so a pinned SRI either blocks a good update or gets removed and stops protecting anything. Content Security Policy has the same limit: it cannot vouch for what an allowed script does at runtime. That is why integrity for real payment pages has to be assessed on what executed, not on a hash set at build time.

What requirement 11.6.1 actually requires

11.6.1 is a detection control, not a management one. It requires a change-and-tamper-detection mechanism that does two things:

  • Alerts personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) of the HTTP headers and the content of payment pages as received by the consumer browser.
  • Evaluates the received headers and page content at a frequency set by your targeted risk analysis under requirement 12.3.1, or at least once every seven days.

The phrase "as received by the consumer browser" carries the requirement. 11.6.1 is not asking what your CDN served or what your repo contains. It asks what the browser rendered, after every redirect, injection, and runtime modification. A skimmer reads navigator.webdriver, missing automation properties, and the absence of real interaction to recognize a scanner, then serves clean code to it and the payload to a human. A control that only sees the scanned version never fires.

HTTP headers are in scope because they are an attack surface, not a config detail. A weakened or stripped Content-Security-Policy header lets a malicious script load that the policy was meant to block. 11.6.1 wants you to notice the header changed at all, and to notice on the delivered response, not in your origin config.

How the two requirements split the work

6.4.3 governs what you allow; 11.6.1 governs what happened on the page.

QuestionRequirementWhat it governsFailure mode it catches
Which scripts are allowed here, and why?6.4.3Authorization, justification, integrity, inventoryAn unapproved or undocumented script in scope
Did the page or its headers change without approval?11.6.1Detection and alerting on script and header changesA live tamper the inventory never noticed
How often do we check the delivered page?11.6.1 + 12.3.1Frequency, with a seven-day floorStale checks that miss transient changes

Treat them as one loop, not two projects. An inventory with no live detection is a list that goes stale the moment a vendor pushes an update. Detection with no inventory produces alerts nobody can triage, because there is no baseline of what "authorized" looks like.

The evidence each control has to produce

A QSA assesses compliance from artifacts. Map each clause to the record it generates so you can hand over the exact thing they ask for.

ClauseEvidence artifactWhat it has to show
6.4.3 inventoryScript inventory tied to in-scope pagesEvery script's URL, owner, and last-seen version
6.4.3 authorizationApproval record per scriptWho approved it, when, and the data it touches
6.4.3 justificationBusiness-reason note per scriptWhy the script is necessary on a payment page
6.4.3 integrityIntegrity historyHow each script is confirmed unaltered over time
11.6.1 detectionChange log with alertsTimestamp, diff, page, and who was notified
11.6.1 header evaluationHeader history per pageSecurity-header values and changes between loads
11.6.1 frequencyRisk analysis + check cadenceThe 12.3.1 justification and proof checks ran

The artifact teams most often lack is integrity history and header history over time. A single snapshot proves the page was clean once. A QSA assessing 11.6.1 wants evidence you would have caught a change: a timestamped record across many real page loads, not one screenshot.

Why a processor does not close this for you

A common assumption is that hosting payment fields in a Stripe, Adyen, or Braintree iframe pushes 6.4.3 and 11.6.1 onto the processor. It does not. The iframe is sandboxed, but the merchant page that frames it is not. Your analytics, A/B tooling, session-replay, and chat widgets all run in the same top-level browser context, and a script there can read the DOM, overlay a fake input field on top of the iframe, or redirect the form on submit. The January 2025 SAQ A update narrowed eligibility because so few real payment pages are free of third-party scripts, and it added a criterion that you confirm your site is not susceptible to script-based attacks, which is hard to prove without monitoring. The requirements stay with the page you serve.

Why the threat keeps getting harder to scan for

The reason 11.6.1 insists on the delivered page is that attacker tooling is built to defeat anything that isn't real. Headless and instrumented browsers leak: a navigator.webdriver flag, missing chrome runtime objects, Chrome DevTools Protocol Runtime artifacts, and impossible timing all mark a session as non-human. Skimmers fingerprint those signals and stay dormant for crawlers and synthetic checks.

Evasion tooling has moved the other way too. cside's research report on the future of web security found that playwright-stealth, automation tuned to suppress those leaks, was roughly ten times more widely used by the end of 2025. The practical takeaway for 6.4.3 and 11.6.1: integrity and change detection have to run where the cardholder data is actually entered, in the real browser session, not from an external vantage point an evasive script can identify and hide from.

How cside produces this evidence at the browser layer

cside instruments the payment page in real browsers, which is the surface both requirements point at.

  • For 6.4.3, it captures the full script inventory, including the fourth-party scripts vendors pull in at runtime, records authorization and justification beside each entry, and keeps an integrity history so you can prove a script stayed intact between versions.
  • For 11.6.1, it monitors script content and HTTP security headers on the delivered page, diffs them across loads, and alerts on unauthorized change, with a timestamped record that answers the 12.3.1 frequency question without a manual weekly pull.
  • It also surfaces the runtime payload of each script and pairs script behavior with device, real-IP, and VPN/proxy signals, so a flagged change comes with context instead of a bare hash mismatch.

Because it watches what executed rather than what a scanner was shown, cside captures the same browser evidence an e-skimming attacker tries to hide. That aligns the compliance workflow with the real threat. For the operational rollout and the QSA-reporting view, the guides below go deeper.

Further reading on cside

As of 2026-06-18, treat this as operational guidance, not legal advice. Confirm the exact control language with your QSA, counsel, or risk owner.

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

No. They sit next to each other but govern different work. 6.4.3 is a script-management control: you decide which scripts are allowed on a payment page, record why, and assure each one's integrity. 11.6.1 is a change-detection control: a mechanism watches the delivered page and its HTTP security headers for unauthorized modification and alerts personnel. You can pass a 6.4.3 inventory review and still fail 11.6.1 because nothing was watching production when a vendor pushed a silent update.

No. A processor secures its own hosted fields or iframe. 6.4.3 and 11.6.1 attach to the merchant page that frames that iframe, because your analytics, tag manager, A/B tooling, and chat widget all execute in the same top-level browser context and can be tampered with. The processor's Attestation of Compliance does not transfer those controls to your page. You still own the inventory, the authorization, and the change detection on everything you serve.

11.6.1 points at requirement 12.3.1, which lets you set the detection-and-alert frequency from a documented targeted risk analysis, with a floor of at least once every seven days. A risk analysis that justifies weekly checks is acceptable on paper, but a tamper that appears after one scan and is cleaned before the next leaves no trace in a periodic record. Continuous monitoring closes that window and produces a timestamped log instead of a weekly snapshot.

A Content-Security-Policy controls where a script may load from, not what an already-allowed script does once it runs, and an attacker who can weaken or strip the CSP header turns the control off. An external crawler scans from a fixed set of cloud IPs, so a skimmer can serve clean code to the scanner and the malicious payload to a real shopper. 11.6.1 asks what the consumer browser received, which is why both controls leave a gap that browser-level monitoring fills.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo