CSPs, JS agents, and crawlers may check the compliance box but they don't truly protect users. See how VikingCloud validated our PCI DSS solution.
Skimming and formjacking attacks are growing fast. They target the scripts in your customers' browsers, not your servers.
PCI DSS requirements 6.4.3 and 11.6.1 now mandate a script inventory, real-time monitoring, and alerts for unauthorized changes.
CSPs, crawlers, and agents might tick the compliance box, but attackers easily slip past them.
cside is no longer just a hybrid proxy. Select the mode that best fits your security needs and technical requirements.
- "I care about client-side security and I need something that will be easy to explain to the rest of the team."
  We check script behaviors in the browser and fetch the scripts on our side. We don't place ourselves in the path of a script unless you explicitly ask us to.
  Operating model: scripts you trust are served directly; scripts you don't trust get the full security treatment.
- "I'm a high-value target and need full security control."
  We check script behaviors, and cside places itself between the uncontrolled third party and the end user for every script you haven't explicitly told us to leave alone.
  Operating model: all scripts pass through cside except those you exclude.
- "I don't have the ability to add a script to the website."
  cside threat intel gathered from thousands of other websites with a combined billions of visitors.
  Operating model: static scanning powered by threat intelligence from our network.
Unlike modern operating systems, browsers have no native hooks for third-party security vendors. CSP and SRI only cover so much, so we have to get creative. Most client-side detections that run as JavaScript in the browser are easy to reverse engineer and circumvent, and detections that are too strict can break legitimate client-side libraries. What a client-side security script essentially does is wrap the browser APIs that bad actors could abuse and record which scripts call them. The problem is that not every script plays nicely with that. For that reason we have taken a more elaborate approach for the most security-conscious users: by combining detections in the browser with detections on our own proprietary gate-keeping engine, we get a balanced best-of-both-worlds setup that weighs detection ability against ease of use and resilience, and ultimately lets the customer choose the approach.
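The API-wrapping idea described above, as an added illustration that is not cside's code: each sensitive browser API is replaced by a wrapper that attributes the call to a script origin (here from the stack trace) and either reports or refuses calls from origins outside an allowlist. The hosts, the `selfOrigin` value and the `attribute` hook are assumptions for the example; the report mode exists precisely because of the caveat in the text that strict wrapping can break legitimate libraries.

```javascript
// Added example (not cside's code): wrap browser APIs that a skimmer would need
// and attribute each call to the script origin that made it. Origins below are
// constructed placeholders.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://static.example-shop.test",  // constructed: first-party bundle host
  "https://js.payments.example.test",  // constructed: approved payment-provider host
]);

// Find the first script origin in a stack trace that is not the monitor itself.
// Chrome frames look like "    at fn (https://host/a.js:10:5)", Firefox like
// "fn@https://host/a.js:10:5". Returns "unknown" when no URL can be attributed.
function extractScriptOrigin(stack, selfOrigin) {
  const re = /https?:\/\/[^\s()@]+/g;
  let m;
  while ((m = re.exec(stack || "")) !== null) {
    const url = m[0].replace(/(:\d+){1,2}$/, ""); // strip trailing :line:col
    let origin;
    try { origin = new URL(url).origin; } catch { continue; }
    if (origin !== selfOrigin) return origin;
  }
  return "unknown";
}

// mode "report" records the call and lets it through (safe first deployment);
// mode "enforce" refuses calls from unapproved origins. `attribute` is injectable
// so the attribution strategy can be swapped or exercised offline.
function createApiMonitor({ allowedOrigins, selfOrigin, mode = "report", attribute, onEvent }) {
  const events = [];
  const attributeCall = attribute || (() => extractScriptOrigin(new Error().stack, selfOrigin));

  function wrap(target, name) {
    const original = target[name];
    if (typeof original !== "function") throw new TypeError(`${name} is not a function`);
    target[name] = function wrapped(...args) {
      const origin = attributeCall();
      const event = { api: name, origin, allowed: allowedOrigins.has(origin), mode };
      events.push(event);
      if (onEvent) onEvent(event);
      if (mode === "enforce" && !event.allowed) {
        throw new Error(`blocked ${name}() from unapproved script origin ${origin}`);
      }
      return original.apply(this, args);
    };
    return () => { target[name] = original; }; // unwrap
  }
  return { wrap, events };
}

// Typical browser wiring (not executed here): wrap the APIs that data leaving the
// page would have to go through. `selfOrigin` is the host the monitor itself is served from.
// const monitor = createApiMonitor({ allowedOrigins: ALLOWED_SCRIPT_ORIGINS, selfOrigin: "https://cdn.monitor.test" });
// monitor.wrap(window, "fetch");
// monitor.wrap(XMLHttpRequest.prototype, "open");
// monitor.wrap(navigator, "sendBeacon");
```

Stack-trace attribution is exactly the part the text calls easy to circumvent: a script can throw away or rewrite its frames, and the wrapper itself is visible to any code that inspects `window.fetch.toString()`. That is why the example keeps the attribution pluggable and why the text pairs browser-side detection with checks done outside the browser.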
protect every checkout and maintain great acquirer relationships.
offer compliant, value-add security to thousands of merchants.
Complex booking flows and high-value tickets increase attack risk.
Credit cards used for travel are prime targets due to higher limits.
Watch the complete discussion between cside and VikingCloud experts covering the latest PCI DSS 4.0.1 requirements, e-skimming prevention strategies, and practical implementation guidance for requirements 6.4.3 and 11.6.1.
Our hybrid proxy delivers advantages traditional tools can't match.
| vs. Crawler-Based Solutions | vs. Content-Security Policy (CSP) | vs. Client-Side Agents |
|---|---|---|
| Sees real user behavior, not sanitized crawler views | Monitors script payloads, not just sources | Undetectable monitoring attackers can't bypass |
| Catches attacks aimed at specific segments | Detects breaches at trusted third-party providers | Complete historical script behavior tracking |
| Detects threats between periodic scans | Handles dynamic scripts CSPs can't control | Future-proof against evolving techniques |
Frequently Asked Questions
Requirement 6.4.3 focuses on payment page script management, requiring you to authorize every script, ensure their integrity, and maintain a complete inventory with written justification for each script's necessity. Requirement 11.6.1 mandates continuous monitoring to detect unauthorized changes to HTTP headers and payment page content, with alerts sent to personnel and evaluations performed at least weekly.
PCI DSS 4.0.1 is the latest version of the Payment Card Industry Data Security Standard that protects cardholder data through strict security monitoring requirements. If your business processes, stores, or transmits credit card information, you must comply with these regulations to avoid hefty fines, higher insurance rates, and potential business disruption. The standard applies to all merchants, processors, acquirers, and service providers handling payment card data. Non-compliance can result in fines ranging from thousands to millions of dollars, depending on your transaction volume and the severity of any breaches.
PCI DSS requirement 6.4.3 requires active and constant monitoring, while 11.6.1 requires monitoring to occur at least once every seven days, or at the frequency defined in your organization's targeted risk analysis. However, given that cyberattacks happen in real-time and malicious scripts can be injected at any moment, continuous (real-time) monitoring provides the best protection.
Non-compliance penalties vary based on your payment processor and transaction volume, but fines typically range from $5,000 to $500,000 per incident. Beyond fines, you may face increased transaction fees, higher insurance premiums, loss of payment processing privileges, and significant costs from data breach remediation and lawsuits. The average cost of a payment card data breach exceeds $4 million when factoring in forensic investigations, legal fees, customer notification, and business disruption.
During a PCI DSS audit, qualified security assessors will review your compliance documentation, test your security controls, and verify that you're meeting all applicable requirements. For requirements 6.4.3 and 11.6.1, auditors will examine your script inventory, review authorization documentation, test your monitoring systems, and verify that you're detecting unauthorized changes. Having automated monitoring with cside means your compliance documentation is always current and audit-ready, with detailed logs, weekly reports, and clear evidence of continuous monitoring that auditors can easily review and validate.
Proxy-based solutions provide the most comprehensive protection because they intercept and analyze every script request in real time, rather than just scanning periodically or relying on browser-based detection that attackers can bypass. cside's proxy approach ensures complete visibility into script behavior, immediate threat-blocking capabilities, and accurate compliance reporting that captures all script variations. This method has been independently audited and approved by VikingCloud, giving you confidence that your compliance strategy meets the highest industry standards while providing superior security protection.