New PCI DSS Guidance – Payment Page Security And E-Skimming Prevention

new pci dss guidance - March 2025

On March 10, 2025, the PCI Security Standards Council (PCI SSC) released a 32-page supplementary guidance document titled Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1.

This document addresses the growing risks of web skimming attacks that target online merchants and payment pages. While requirements 6.4.3 and 11.6.1 already mandate security measures for payment scripts, this is the first time the PCI SSC has provided detailed guidance on how businesses can implement these measures effectively.

The document explains key security concepts, including script injection risks, monitoring techniques, and recommended best practices to prevent unauthorized tampering with payment page scripts.

Guidance, Not New Requirements

To clarify, this document does not introduce new requirements—it reinforces existing PCI DSS obligations with best practices and techniques. As the PCI SSC emphasizes, the guidance aims to help:

  • Qualified Security Assessors (QSAs)
  • Internal Security Assessors (ISAs)
  • Third-Party Service Providers (TPSPs)
  • Merchants

…ensure they are implementing effective security controls against web skimming threats.

Approaches for Managing Third-Party Scripts

The guidance outlines three primary approaches organizations can use to secure third-party scripts:

1. Internally Developed Tools

Companies can build custom security solutions that include:

  • Script allow-listing to restrict unauthorized scripts
  • Integrity verification (e.g., hashing) to detect tampering
  • Security logging to track script behavior

2. Commercial and Open-Source Solutions

There are numerous third-party technologies that provide:

  • Automated monitoring for script integrity
  • Behavioral analysis to detect anomalies
  • Policy enforcement for compliance

3. Hybrid Approaches

A combination of internal tools and external monitoring solutions offers the most comprehensive protection, enabling both proactive and reactive security measures.

Example: Solutions like Reflectiz integrate with hybrid models, offering agentless monitoring that tracks script behaviors without interfering with other security controls.

Webpage Monitoring: An Essential Security Layer

One of the most critical aspects of the guidance is webpage monitoring, which helps detect unauthorized or malicious script activities in real time.

Behavioral monitoring is essential:

“…checks real-world actions of scripts—for example, if they capture keystrokes, modify or access payment fields, or send data to unknown URLs. An alert or block can be triggered when a script’s behavior deviates from its authorized profile.” (PCI DSS Guidance, Page 19)

Two Common Webpage Monitoring Approaches

Agent-Based Monitoring

  • Inserts a monitoring script into the payment page
  • Can interfere with other scripts if not properly configured
  • May introduce performance overhead

Agentless Monitoring (Recommended by PCI DSS)

  • Observes script behavior externally
  • No modifications to the payment page
  • Detects suspicious changes without interfering

Why Agentless?
Many security providers—including Reflectiz—offer agentless solutions that continuously monitor real-time script behavior, helping businesses detect and respond to threats faster.

PCI DSS Requirement 11.6.1: The Role of Alerts

Another key takeaway from the guidance is the importance of real-time alerts:

“Rather than preventing every unauthorized change outright, the control ensures that if such changes happen, they are recognized and generate alerts so corrective actions can be taken promptly.” (PCI DSS Guidance, Page 11)

Why Not Just Block All Script Changes?

  • Websites are dynamic—blocking all changes could break functionality
  • PCI DSS emphasizes risk-based alerting instead of rigid blocking
  • Security teams must have the flexibility to evaluate and approve script changes based on risk tolerance
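As an added example (not code from the guidance or from Reflectiz) of the internally developed approach described earlier, script allow-listing plus hash-based integrity verification, combined with the detect-and-alert stance of 11.6.1: a small Python checker that re-hashes every script a payment page loads against the authorized inventory and raises alerts instead of blocking. The URLs, script bodies and page HTML are constructed samples, and the fetch is a dictionary lookup standing in for an HTTP request.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = [dict(attrs).get("src"), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(tuple(self._cur))
            self._cur = None

def sri_hash(body: bytes) -> str:
    """SRI-style digest, the same form a browser checks in an integrity= attribute."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def audit_page(html: str, fetch, inventory: dict) -> list:
    """Return (severity, script, reason) alerts. Detect and raise, never block (11.6.1)."""
    collector = ScriptCollector()
    collector.feed(html)
    alerts = []
    for src, inline in collector.scripts:
        key = src or "inline:" + sri_hash(inline.encode())  # inline scripts are keyed by hash
        if key not in inventory:
            alerts.append(("HIGH", key, "not in authorized script inventory (6.4.3)"))
        elif src and sri_hash(fetch(src)) != inventory[key]:
            alerts.append(("HIGH", key, "integrity mismatch: served body differs from approved hash"))
    return alerts

INVENTORY = {  # constructed sample (not real sites): hashes recorded when each script was approved
    "https://cdn.example/checkout.js": sri_hash(b"window.Checkout={pay:function(){}};"),
    "https://cdn.example/analytics.js": sri_hash(b"track('pageview');"),
    "inline:" + sri_hash(b'window.cfg={currency:"USD"}'): "approved inline page config",
}
LIVE_BODIES = {  # constructed stand-in for what the CDN serves today
    "https://cdn.example/checkout.js": b"window.Checkout={pay:function(){}};",
    "https://cdn.example/analytics.js": b"track('pageview');/* changed since approval */",
    "https://tags.unknown.example/t.js": b"/* never inventoried */",
}
PAGE_HTML = ('<script>window.cfg={currency:"USD"}</script><script src="https://cdn.example/checkout.js"></script>'
             '<script src="https://cdn.example/analytics.js"></script><script src="https://tags.unknown.example/t.js"></script>')
```

Running `audit_page(PAGE_HTML, LIVE_BODIES.__getitem__, INVENTORY)` yields two HIGH alerts: the modified analytics.js and the never-inventoried tag script, while the approved checkout script and inline config pass silently.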

Best Practices for Effective Alerting:

  • Automated notifications for security teams
  • Behavior-based risk assessment
  • Smart approvals to streamline responses

Example: Solutions like Reflectiz learn from staff responses—allowing businesses to fine-tune their risk tolerance and automate approvals for trusted behaviors.

Strengthening Security Against E-Skimming

The new PCI DSS guidance provides practical strategies for merchants and security teams to combat e-skimming attacks.

Key Takeaways:

  1. Secure third-party scripts using internal, commercial, or hybrid tools
  2. Implement webpage monitoring to detect real-time threats
  3. Use behavioral monitoring instead of relying solely on Content Security Policies (CSPs)
  4. Adopt risk-based alerting to balance security and website functionality

Want to Strengthen Your PCI DSS Compliance?
Explore how Reflectiz and other security solutions can enhance your script security strategy. Learn more about best practices and compliance tools here.
