Requirement 6.4.3 in PCI DSS v4
The PCI Security Standards Council introduced PCI 6.4.3 to address the growing threat of JavaScript skimming attacks, which target e-commerce businesses by compromising payment page scripts. They’ve declared war on dangerous vulnerabilities in poorly coded websites, and PCI 6.4.3 requires website owners to manage every one of the payment page scripts that are loaded and executed in the consumer’s browser. At the moment it’s best practice, but from March 31, 2025, it will be mandatory, so now is the time to ensure you meet its specific requirements, which are:
Authorization: ensure each script on the payment page is authorized.
Integrity: ensure the integrity of each script is verified. This is about preventing code tampering.
Inventory: maintain an inventory of all scripts with written justification for why each one is necessary. It’s not that you can’t add things like pixels, it’s just that QSA auditors want to see a good reason recorded in each case.
These measures in PCI 6.4.3 will protect your customers’ sensitive payment card information against fraud and distance your organization from the twin threats of non-compliance penalties and damaging legal action by consumers. Unfortunately, though, these looming requirements add to your security and reporting burden. Two ways of dealing with these challenges are using Sub Resource Integrity (SRI), and a Content Security Policy (CSP). Let’s examine each one.
PCI 6.4.3: SRI
This technique allows the customers’ browser to confirm that scripts have not been tampered with. If a script looks like it’s been altered then it gets blocked immediately, but to make SRI work you need to sign and add a cryptographic hash to every single script hosted on your website, and these days that could be upwards of 1000. You also need to manage a dynamic list of all third-party and fourth-party scripts so that you can mark them as secure and be able to sign them promptly every time a new version is released.
This is difficult enough with your own scripts, but third parties might release a new version every day, especially with CI/CD pipelines, and if you can’t verify and sign every one of these releases it could make your payment page unusable. Forget just once and your customers will be heading elsewhere.
In practice, you are unlikely to be able to sign even 5% of your whole inventory. SRI is really best used for your own internal scripts – the ones you trust the most and have enough resources to maintain.
PCI 6.4.3: CSP
A Content Security Policy can limit which locations a customer’s browser can pull scripts from or send data to. The way it works is low-cost and straightforward. It relies on your dev teams adding a CSP HTTP response header to the webpage and then creating rules about scripts, media, forms, and so on. Actions that fall outside of these policies are blocked.
This approach can be very useful, but it has its limitations. You’ll need to use a blacklist and whitelist approach, which means deciding which domains to trust or exclude. You’re not controlling actions though; you’re granting blanket approval to selected domains, and the danger is that if an attacker manages to access one of these “trusted” domains they can make changes to it. It’s no coincidence that many notorious web skimming attacks exploited the CSP-approved status of trusted servers to inject malicious code.
The other problem with using a CSP is that managing policies, updating whitelists and blacklists, and approving non-risky changes to scripts is more than a full-time job, and even then, trusted third parties that could well have been manipulated themselves can still introduce security gaps that you can’t see.
Reflectiz PCI Dashboard
The Reflectiz PCI Dashboard is quicker, safer, and more effective than both of these approaches. As the name implies, it’s the part of the Reflectiz continuous web threat management solution that gathers the separate aspects of your PCI-DSS compliance efforts into one place for easy management.
The platform works remotely, with no need for extra embedded code that might slow down your website and spoil your customer experience, or make it less safe. The fact that it scans code behaviors from afar means it sees everything that they are up to.
It also maintains a complete and comprehensive list of all your third- and fourth-party scripts (no matter how many you have and how often they change) and it also includes explanations of why they are necessary – exactly as PCI 6.4.3 requires.
It scans all scripts and applications and issues alerts about any changes, even if they come from a trusted domain or an application that you would whitelist on a CSP.
The PCI Dashboard gives your security teams immediate visibility into what’s happening in your digital environment, but to avoid overloading them we added smart alerts. You can prioritize events and see all outcomes ranked from low-risk to critical to make risk-based mitigation quick and easy.
Get Access to a Personalized PCI Dashboard
Accelerate Compliance with Smart Approvals
Reflectiz’s intelligent approval system significantly reduces manual effort. By defining acceptable script behaviors, you can automate the approval process for compliant scripts, freeing up time for focused review of exceptions. This efficiency extends to managing multiple payment pages, ensuring streamlined compliance across your entire website.
Key Benefits:
- Rapid Script Approval: Quickly approve and justify individual script changes as needed.
- Automated Compliance: Streamline the process by defining and enforcing script behavior standards.
- Efficient Multi-Page Management: Simplify approvals for websites with multiple payment pages.
By combining these features, Reflectiz helps you meet compliance requirements (6.4.3 and 11.6.1) efficiently.
PCI 6.4.3 only asks you to provide this level of visibility and control on payment pages, but Reflectiz provides these deep insights across your entire website, protecting login details, sensitive chat information, post-authentication scans, and more, so with March around the corner, why not give it a try today?
Get Access to a Personalized PCI Dashboard
Subscribe to our newsletter
Stay updated with the latest news, articles, and insights from Reflectiz.
Your Website looks great!
But what’s happening behind the scenes?
Discover your website blind spots and vulnerabilities before it’s too late!