Pass PCI DSS Requirements 6.4.3 & 11.6.1 While Protecting Your Users
CSPs and scanners may check the compliance box but they don't truly protect users. See how VikingCloud validated our PCI DSS solution.
"A simple PCI DSS solution backed by outstanding support"
Frederico Boyer, Director of Engineering, Amilia
Why PCI DSS v4.0.1 Matters
Skimming and formjacking attacks are growing fast. They target the scripts running in your customers' browsers, not your servers.
6.4.3 and 11.6.1 now mandate a script inventory, real-time monitoring, and alerts for unauthorized changes.
CSPs, crawlers, and agents might tick the compliance box, but attackers easily slip past them.
How PCI Shield Works
Why QSAs recommend cside:
Trusted by enterprise security & compliance teams:
"cside's product was exactly what we were looking for at a fraction of the price that competitors were offering. It's helped us meet PCI compliance goals that previously seemed a bit overwhelming."
Software Developer, Anonymized Review on Sourceforge
Choose Your Security Approach
Select the method that best fits your security needs and technical requirements.
Script Method
Easiest: We check script behaviors in the browser and fetch the scripts on our side. We don't place ourselves in the path of a script unless you explicitly ask us to.
Pros
- Easy to implement
- No performance impact
- Able to block malicious scripts
- Deep security coverage for common client-side attacks
Implementation
- Install a lightweight script on the pages you want to protect.
Scan Method
Fastest: cside scans your website with an external crawler. Your scripts are compared against threat intel feeds gathered from thousands of other websites to identify compromised vendors or known vulnerabilities.
Pros
- Lowest cost
- No-code setup without installation into your codebase
Cons
- Static scans have very limited security coverage
- Some QSAs may not accept scanners as a valid control for 6.4.3 & 11.6.1, as they do not have the ability to block scripts.
Implementation
- Input a list of your domains and schedule your scans.
Designed for Teams Facing PCI Challenges
eCommerce
Protect every checkout and maintain great acquirer relationships.
Payment Service Providers
Offer compliant, value-add security to thousands of merchants.
Airlines & Transit
Complex booking flows and high-value tickets increase attack risk.
Hospitality
Credit cards used for travel are prime targets due to higher limits.
Why cside Outperforms Alternatives
cside delivers advantages traditional tools can't match.
| vs. Scanner Based Solutions | vs. Content-Security Policy (CSP) | vs. Client-Side Agents |
|---|---|---|
| Sees real user behavior, not sanitized crawler views | Monitors script behavior, not just sources | Multi-layer security to prevent JS detection bypassing |
| Catches attacks aimed at specific segments | Detects breaches at trusted third-party providers | Script contents fetched afterwards for deep inspection |
| Detects threats between periodic scans | Handles dynamic scripts CSPs can't control | Future-proof against evolving techniques |
Trusted As a Proven Solution by Leading QSAs
cside & BARR Advisory: What Auditors Expect to See for PCI 6.4.3 & 11.6.1
During the Q&A we addressed:
- What can I do if I have less than 30 days to set up my deployment?
- I'm using a scanner that monitors my site, no code or installation required. Am I covered?
- Do these PCI mandates require us to block attacks, or simply detect and alert on them?
cside & MegaplanIT: Q&A with a QSA on PCI DSS Requirements 6.4.3 & 11.6.1
During the Q&A we addressed:
- How do I confirm I'm "not susceptible to attacks" as an SAQ A-EP?
- How will AI agents impact payment page protection?
- What will my QSA ask me during the evidence gathering interview for these requirements?
cside & VikingCloud: PCI Compliance 4.0.1, A Practical Implementation Guide
During the session we touched on:
- Why compliance ≠ security
- I use Stripe. Am I safe?
- Could we have suffered a client-side attack without knowing it?
- SAQ A merchants are not exempt from real risks
How to Comply with PCI DSS 4.0.1 Requirements 6.4.3 & 11.6.1
This article goes in depth into:
- 6.4.3 & 11.6.1 requirements
- The cost of building internally
- Is CSP + SRI enough? What counts as sufficient controls?
- How do I make sure I'm "not susceptible to attacks"?
We're one message away
As your partner for web security, we want you to be able to reach us easily. Every customer gets 1:1 access to our team over Slack and Microsoft Teams. We respond in minutes, whether you have a feature request, questions, or ideas.
Reduce PCI DSS compliance work with AI
cside was the first client-side security platform to integrate AI directly into the PCI DSS 6.4.3 & 11.6.1 compliance workflow. Our AI automatically generates script justifications that you can review or override, continuously monitors script changes and pre-classifies their risk so alerts reach your team faster, and uses an agentic scanner to reduce the manual effort required for testing.
Why we use a multi-layer security approach
Unlike modern operating systems, browsers have no native support for third-party security vendors. CSP and SRI only cover a limited surface, and no single technique catches every client-side threat. That's why cside layers browser-level script monitoring, scanners, CSP controls, AI JavaScript analysis and more to create overlapping lines of defense that detect everything from simple tag injections to sophisticated supply chain attacks. By combining detections in the browser with detections in our own proprietary engine, we balance detection ability with ease of use.
3 easy steps to get started with cside
Getting started takes three steps: sign up, add your domains, and add the cside script to your site (configuring CSPs if necessary). You then have an instant PCI DSS dashboard that you can tweak to your reporting requirements. The entire setup is self-service and can be done within a day for small environments. For enterprise environments, our team can support you through the staging and production setup.
Does cside offer a free plan for PCI Shield?
Yes. cside's free plan lets you onboard your site, explore the dashboard, and see how scripts are monitored and classified before committing to a paid tier. Paid plans with full PCI compliance reporting and automated evidence generation start at $99/month. No "free tool" will give you full PCI DSS 6.4.3 and 11.6.1 coverage. We've seen many teams start with a promise of a free tool, only to switch later when they realize key PCI controls aren't fully covered or that reporting requires significant manual cleanup to meet audit standards.
Why customers choose cside over competitors
You can read our reviews to see for yourself (see G2 reviews or SourceForge reviews). What comes up again and again in reviews is hands-on support, a dashboard that QSAs already trust, and unlimited websites & domains on all pricing plans (other solutions may surprise you with additional costs for staging domains or multi-language sites).
FAQ
Frequently Asked Questions
Payment page script management is the focus of 6.4.3. It requires you to authorize every script, ensure script integrity, and keep a complete inventory with a written justification for why each script is necessary. 11.6.1 requires continuous monitoring to detect unauthorized changes to HTTP headers and payment page content, including alerts sent to personnel and evaluations at least weekly.
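As an added illustration of the two controls just described (this is example code written for this page, not cside's product code): a minimal Python check that enforces a 6.4.3-style inventory (each script authorized, with a written justification and an integrity hash; inline scripts keyed by content hash the way CSP hash-sources work) and a 11.6.1-style baseline comparison of security headers. All hosts, script bodies and header values are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes) -> str:
    """SRI-style digest (sha384, base64) used as the integrity baseline."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collect every <script> on the page, external (src) or inline."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.scripts[-1]["body"] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def check_scripts(html, fetched, inventory):
    """6.4.3: every script must be in the authorized inventory and unchanged."""
    p = ScriptCollector()
    p.feed(html)
    alerts = []
    for s in p.scripts:
        # Inline scripts are keyed by content hash, like CSP hash-sources.
        key = s["src"] or "inline:" + sri_hash(s["body"].strip().encode())
        entry = inventory.get(key)
        if entry is None:
            alerts.append("UNAUTHORIZED " + key)
        elif s["src"] and sri_hash(fetched.get(s["src"], b"")) != entry["sri"]:
            alerts.append("INTEGRITY CHANGED " + key)  # body no longer matches baseline
    return alerts

def check_headers(observed, baseline):
    """11.6.1: alert on any change to the baselined security HTTP headers."""
    obs = {k.lower(): v for k, v in observed.items()}
    return ["HEADER CHANGED " + h for h, v in baseline.items() if obs.get(h) != v]

# Constructed sample inventory (hypothetical hosts), each with its written justification.
VENDOR_JS = b"window.pay = function () { /* vendor checkout loader */ };"
INLINE_JS = "window.dataLayer = [];"
VENDOR_URL = "https://js.psp.example/v3/checkout.js"
INVENTORY = {VENDOR_URL: {"sri": sri_hash(VENDOR_JS), "why": "loads the PSP payment iframe"},
             "inline:" + sri_hash(INLINE_JS.encode()): {"sri": None, "why": "analytics bootstrap"}}
BASELINE_HEADERS = {"content-security-policy": "script-src 'self' https://js.psp.example"}
```

In practice the page HTML, the fetched script bodies and the response headers would come from the live payment page on each evaluation run, and every alert line would be routed to the personnel named in your 11.6.1 procedure.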
It is the latest version of the Payment Card Industry Data Security Standard with the aim of protecting cardholder data via strict security monitoring requirements. As long as your business processes, stores, or transmits credit card data, you must comply with these regulations to avoid hefty fines, higher insurance rates, and potential business disruption. This standard is applicable to all merchants, processors, acquirers, and service providers handling payment card data. Depending on your transaction volume and the severity of any breaches, failure to comply can result in fines ranging from thousands to millions of dollars.
Active and constant monitoring is required for 6.4.3, while 11.6.1 requires monitoring at least weekly, or at the frequency defined in your organization's targeted risk analysis. But since cyberattacks happen in real time at any moment, continuous monitoring is the best solution.
Penalties vary, but range from $5,000 to $500,000 per incident, depending on your payment processor and transaction volume. Aside from fines, you may also face increased transaction fees, higher insurance premiums, loss of payment processing privileges, and high costs from data breach remediation and lawsuits. A payment card data breach costs more than $4 million on average when you include forensic investigations, legal fees, customer notifications, and business disruption.