Upcoming Webinar: Q&A with a QSA - PCI DSS 6.4.3 & 11.6.1 (cside x MegaplanIT)

Pass PCI DSS Requirements 6.4.3 & 11.6.1 While Protecting Your Users

CSPs and scanners may check the compliance box but they don't truly protect users. See how VikingCloud validated our PCI DSS solution.

"A simple PCI DSS solution backed by outstanding support"

Frederico Boyer, Director of Engineering, Amilia

Why PCI DSS v4.0.1 Matters

Skimming and formjacking attacks are growing fast. They target the scripts in your customers' browsers, not your servers.

6.4.3 and 11.6.1 now mandate a script inventory, real-time monitoring, and alerts for unauthorized changes.

CSPs, crawlers, and agents might tick the compliance box, but attackers easily slip past them.

WITH CSIDE
Reduce audit prep time with weekly PDF reports
Monitor scripts on payment pages with 100% coverage for 6.4.3
Continuous header checks fulfill 11.6.1 without burning IT resources
Protect users from e-skimming, Magecart attacks, and other client-side attacks

How PCI Shield Works

Script Inventory: Full script visibility on all pages (including payment pages for 6.4.3)
Tamper Detection: Instant alerts for unauthorized changes (11.6.1) and script modifications
Script Security: Visibility into code execution with built-in blocking for malicious scripts
Weekly Reports: Automated compliance reports to your inbox.

Full 6.4.3 & 11.6.1 Coverage with One Tool.

This pre-recorded demo shows how quickly you can comply with PCI DSS 6.4.3 & 11.6.1 using cside.


Why QSAs recommend cside:

PCI-specific dashboard to easily report on 6.4.3 & 11.6.1
DOM-level, time-based, and dynamic threat detection
Validated controls to pass the audit confidently

Trusted by enterprise security & compliance teams:

"cside's product was exactly what we were looking for at a fraction of the price that competitors were offering. It's helped us meet PCI compliance goals that previously seemed a bit overwhelming."

Software Developer, Anonymized Review on Sourceforge

Choose Your Security Approach

Select the method that best fits your security needs and technical requirements.

Script Method

Easiest

We check script behaviors in the browser and fetch the scripts on our side. We don't place ourselves in the path of a script unless you explicitly ask us to.

Pros

  • Easy to implement
  • No performance impact
  • Able to block malicious scripts
  • Deep security coverage for common client-side attacks

Implementation

  • Install a lightweight script on the pages you want to protect.

Scan Method

Fastest

cside scans your website with an external crawler. Your scripts are compared against threat intel feeds gathered by thousands of other websites to identify compromised vendors or vulnerabilities.

Pros

  • Lowest cost
  • No-code setup without installation into your codebase

Cons

  • Static scans have very limited security coverage
  • Some QSAs may not accept scanners as a valid control for 6.4.3 & 11.6.1 as they do not have the ability to block scripts.

Implementation

  • Input a list of your domains and schedule your scans.

Designed for Teams Facing PCI Challenges

Why cside Outperforms Alternatives

cside delivers advantages traditional tools can't match.

vs. Scanner Based Solutions

  • Sees real user behavior, not sanitized crawler views
  • Catches attacks aimed at specific segments
  • Detects threats between periodic scans

vs. Content-Security Policy (CSP)

  • Monitors script behavior, not just sources
  • Detects breaches at trusted third-party providers
  • Handles dynamic scripts CSPs can't control

vs. Client-Side Agents

  • Multi-layer security to prevent JS detection bypassing
  • Script contents fetched afterwards for deep inspection
  • Future-proof against evolving techniques

Resources to Support Your Compliance

We're one message away

As your partner for web security, we want you to be able to reach us easily. Every customer gets 1:1 access to our team over Slack and Microsoft Teams. We respond in minutes, whether you have a feature request, questions, or ideas.

Shared Slack or Microsoft Teams channel for every customer
Direct access to our security experts
Easy conversational support
Response times in minutes, not days

FAQ

Frequently Asked Questions


Payment page script management is the focus of 6.4.3. It requires you to authorize every script, ensure script integrity, and keep a complete inventory with a written justification for why each script is important. 11.6.1 requires continuous monitoring to detect unauthorized changes to HTTP headers and payment page content, including alerts sent to personnel and weekly evaluations.

It is the latest version of the Payment Card Industry Data Security Standard with the aim of protecting cardholder data via strict security monitoring requirements. As long as your business processes, stores, or transmits credit card data, you must comply with these regulations to avoid hefty fines, higher insurance rates, and potential business disruption. This standard is applicable to all merchants, processors, acquirers, and service providers handling payment card data. Depending on your transaction volume and the severity of any breaches, failure to comply can result in fines ranging from thousands to millions of dollars.

Active and constant monitoring is required for 6.4.3, while 11.6.1 requires monitoring weekly, or at the frequency defined in your organization's targeted risk analysis. But since cyberattacks happen in real time at any moment, continuous monitoring is the best solution.

Penalties vary, but range from $5,000 to $500,000 per incident, depending on your payment processor and transaction volume. Aside from fines, you may also face increased transaction fees, higher insurance premiums, loss of payment processing privileges, and high costs from data breach remediation and lawsuits. The cost of a payment card data breach exceeds $4 million on average when you include forensic investigations, legal fees, customer notifications, and business disruption.
