PCI DSS 4.0: Insights from Melbourne and Sydney Roundtables

As the March 2025 deadline for PCI DSS 4.0 compliance approaches, Australian businesses are intensifying efforts to align with the new standards. Our recent roundtables in Melbourne and Sydney shed light on the challenges and solutions related to key requirements, particularly 6.4.3 and 11.6.1.
Understanding Requirements 6.4.3 and 11.6.1
Requirement 6.4.3 mandates that all payment page scripts loaded and executed in the consumer’s browser are:
- Authorised through implemented methods.
- Ensured for integrity.
- Documented with a maintained inventory and written justification for each script.
Requirement 11.6.1 focuses on deploying change and tamper detection mechanisms to alert personnel to unauthorised modifications of HTTP headers and payment page contents, with evaluations occurring at least weekly or as determined by risk analysis.
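As an added illustration (not code from the roundtables or from Reflectiz), the Python below shows the mechanics behind both requirements: an approved-script inventory holding a Subresource Integrity hash and a written justification per script (6.4.3), and a change-detection pass that compares what the payment page actually loaded against that inventory (11.6.1). All URLs and script bodies are constructed for the example.

```python
import base64
import hashlib

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"

def build_inventory(approved: dict) -> dict:
    """6.4.3 inventory: url -> approved hash plus written justification.
    approved maps each script URL to (body_bytes, justification)."""
    return {url: {"integrity": sri_hash(body), "justification": why}
            for url, (body, why) in approved.items()}

def script_tag(url: str, inventory: dict) -> str:
    """<script> tag with SRI, so the browser refuses to run the script
    if the served content no longer matches the approved hash."""
    return (f'<script src="{url}" integrity="{inventory[url]["integrity"]}" '
            'crossorigin="anonymous"></script>')

def check_payment_page(inventory: dict, observed: dict) -> list:
    """11.6.1 change detection: compare what the page actually loaded
    (url -> body_bytes) with the approved inventory. Returns (url, finding)
    pairs; an empty list means nothing needs review."""
    findings = []
    for url, body in observed.items():
        entry = inventory.get(url)
        if entry is None:
            findings.append((url, "unauthorised: script not in inventory"))
        elif sri_hash(body) != entry["integrity"]:
            findings.append((url, "tampered: content differs from approved baseline"))
    for url in inventory:
        if url not in observed:
            findings.append((url, "missing: approved script no longer loads"))
    return findings

# Constructed sample data (not real sites or scripts).
CARD_FORM = b"window.CardForm = { mount: function (el) { /* card fields */ } };"
ANALYTICS = b"window.track = function (e) { navigator.sendBeacon('/collect', e); };"
INVENTORY = build_inventory({
    "https://checkout.example/js/card-form.js": (CARD_FORM, "Hosted card-entry form"),
    "https://analytics.example/t.js": (ANALYTICS, "Conversion analytics, approved Jan 2025"),
})
# Later scan: the analytics vendor changed its script without re-approval and
# pulled in a 4th-party widget that was never inventoried.
OBSERVED = {
    "https://checkout.example/js/card-form.js": CARD_FORM,
    "https://analytics.example/t.js": ANALYTICS + b"\n/* unreviewed vendor change */",
    "https://cdn.example/widget.js": b"/* 4th-party chat widget loaded by analytics */",
}
```

Running `check_payment_page(INVENTORY, OBSERVED)` reports the modified analytics script and the uninventoried widget, which is the kind of weekly finding the approval process in 6.4.3 has to absorb.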
Recent Update on SAQ A Validation
A recent update to the Self-Assessment Questionnaire A (SAQ A) validation document has been announced. It does not change the PCI DSS requirements themselves; it updates the validation document used by merchants validating against SAQ A. The clarification ensures that organisations relying on SAQ A maintain proper validation practices without altering compliance expectations under PCI DSS 4.0, so SAQ A merchants should review the update carefully to align their security measures with the revised validation process.
Key Takeaways from the Roundtables
- Increased Focus on Client-Side Security: We underscored the necessity of monitoring third-party scripts to prevent vulnerabilities like Magecart attacks, which involve injecting malicious code to steal payment data. This aligns with the research on malware trends presented by Turaco Labs in their ThreatView Ecommerce Security review for 2024, where attackers have increasingly shifted from traditional digital skimmers to more sophisticated loader malware, making proactive client-side security more critical than ever.
- Challenges in Script Management: Maintaining an up-to-date inventory of all scripts and ensuring their integrity requires robust tools and processes, especially for businesses with complex web environments. Results from the Reflectiz “State of Web Exposure 2025” report show that nearly half of third-party applications access sensitive user data unnecessarily, further underscoring the risks of unmonitored client-side activity.
- Managing Weekly Approvals Efficiently: One of the most significant pain points discussed was the burden of managing approvals for script changes each week as required by 6.4.3, which, without automation, can be time-consuming and prone to human error.
Division Between Security and Marketing Teams
Our discussions raised a common divide between security and marketing teams. Marketing departments often introduce additional risk by deploying tracking pixels and analytics tools that present clear business value on the surface, sometimes within sensitive areas like payment pages, without fully understanding the security implications (a point echoed in the Reflectiz “State of Web Exposure 2025” report, which highlights how marketing teams frequently add tracking technologies that increase exposure risk).
Bridging this gap with clearer policies and automated security oversight is becoming essential for organisations aiming to maintain compliance while supporting business growth.
Gaining Visibility into 4th- and 5th-Party Scripts
We had some interesting examples in the room of the risks posed by 4th- and 5th-party scripts: both those loaded by third-party services and those pulled in indirectly through multiple layers of integrations.
By monitoring and mapping all active scripts within an organisation’s digital environment, businesses become aware not only of the direct third-party scripts they employ but also of the hidden layers of dependencies that attackers can exploit. This visibility into 4th- and 5th-party scripts allows for:
- Enhanced Security Posture: Detecting unauthorised or risky script behaviours before they lead to breaches.
- Regulatory Compliance: Meeting PCI DSS 4.0 requirements by ensuring only authorised and documented scripts are running.
- Operational Efficiency: Reducing the burden on IT teams by automating the tracking and validation of script activity.
Can we use a Firewall-Based Solution?
Many businesses assume that traditional firewall-based security solutions are sufficient for protecting payment environments, but the consensus was that these solutions have critical gaps when dealing with modern client-side security risks.
Key Limitations of Firewalls:
- Lack of Client-Side Visibility: Firewalls primarily monitor network traffic and are ineffective at detecting threats that execute within the end-user’s browser.
- Delayed Threat Detection: Signature-based detection methods often fail to identify novel or evolving attack techniques until after an incident has already occurred.
- Limited Script Control: Firewalls do not offer fine-grained control over third-, fourth-, and fifth-party scripts, leaving businesses blind to potential security risks introduced by vendors and integrations.
- Operational Complexity: Firewalls require constant tuning, rule updates, and manual maintenance, placing a significant burden on security teams.
Looking Ahead
The transition to PCI DSS 4.0 represents a significant shift towards enhanced client-side security. Businesses are encouraged to adopt solutions to not only achieve compliance but also to fortify their overall security posture. Proactive measures and the right tools are essential to navigating the evolving landscape of payment security effectively.
Reflectiz: A Smarter Approach to Compliance & Web Exposure
Reflectiz offers a platform designed to address these specific challenges efficiently:
- Smart Approvals Mechanism: Managing approvals weekly can be a major operational burden. Reflectiz’s smart approvals mechanism largely automates and streamlines this process, reducing manual oversight while ensuring compliance with PCI DSS 4.0.
- Agentless Deployment: Unlike traditional solutions requiring extensive integration, Reflectiz is an agentless solution, making it exceptionally fast to roll out and deploy. Businesses can start monitoring their web assets almost instantly, ensuring compliance readiness well ahead of the deadline.
- Automated Tamper Detection: Continuous monitoring detects and alerts on unauthorised modifications, aligning with Requirement 11.6.1.
- Streamlined Reporting: Generates compliance reports suitable for audits by a PCI Qualified Security Assessor (QSA), simplifying the compliance process.
Try our dedicated PCI Dashboard for 30 days – Free
[Elinor Avny & Luke Joas from Reflectiz, together with Raymond Simpson from Foregenix at the AUS Roundtable Events]