PCI DSS 6.4.3 & 11.6.1 Solutions Compared (2026)
PCI DSS 6.4.3 and 11.6.1 Compliance Solutions Compared: Reflectiz, c/side, Feroot, Jscrambler, Source Defense, and Cloudflare (2026)
TL;DR
- PCI DSS requirements 6.4.3 and 11.6.1 became mandatory on March 31, 2025 under PCI DSS v4.0.1. You must inventory and justify every payment page script, verify its integrity, and detect unauthorized changes to scripts and HTTP headers as received by the consumer browser.
- Six purpose-built solutions dominate evaluations: Reflectiz, c/side, Feroot, Jscrambler, Source Defense, and Cloudflare Client-Side Security Advanced.
- The core architectural divide is where the tool runs. Agent, tag, and proxy tools put code inside your payment environment. Reflectiz is the only fully remote solution: no code changes, no agent, and zero access to payment data, session data, or PII.
- Reflectiz is a Principal Participating Organization (PPO) in the PCI Security Standards Council, has been independently assessed against both requirements by Integrity360 Europe, a PCI QSA Company and Global Executive Assessor Roundtable member, deploys in under 24 hours, and is the only vendor in this comparison with published customer audit outcomes: zero observations across every published case study, including Level 1 assessments.
- Neither 6.4.3 nor 11.6.1 requires script blocking. They require inventory, justification, integrity verification, and change detection with alerting. Buy for what the standard demands and for what your QSA will accept as evidence.
Contents
- What PCI DSS 6.4.3 and 11.6.1 Require
- Comparison Table: PCI DSS 6.4.3 and 11.6.1 Solutions
- The Real Architectural Divide: Code on the Page vs. No Code at All
- Vendor Profiles
- Detection vs. Blocking: What the Standard Actually Requires
- The SAQ A Consideration
- How to Choose
- What Verified Reviewers and Independent Sources Say
- Watch: PCI DSS 6.4.3 and 11.6.1 in Practice
- Get Audit-Ready Before Your QSA Arrives
What PCI DSS 6.4.3 and 11.6.1 Require
Requirement 6.4.3, payment page script management. Every script loaded and executed in the consumer’s browser on payment pages must be:
- Authorized: explicitly approved by the organization
- Integrity-assured: verified as untampered
- Inventoried: listed with a written business or technical justification
Requirement 11.6.1, unauthorized change detection. You must deploy a mechanism that detects and alerts on unauthorized modifications to security-impacting HTTP headers and the contents of payment pages, as received by the consumer browser. Checks must run at least every seven days, or more often if your targeted risk analysis requires it.
The phrase “as received by the consumer browser” matters. Server-side scanning is not enough. You need visibility into what actually renders for the customer, which can differ from what your server hosts, especially during a supply chain compromise or CDN-level injection. The risk is not hypothetical: the 2024 Polyfill.io supply-chain attack injected malicious code into scripts trusted by more than 100,000 sites.
The scale of the problem is why automation is the default answer. Reflectiz research across 4,700 monitored websites found that roughly 30% of third-party scripts change within two weeks of deployment, and more than half of third- and fourth-party applications access sensitive data with no documented business justification. Tracking that manually across every payment page is not a realistic weekly task for any security team.
Comparison Table: PCI DSS 6.4.3 and 11.6.1 Solutions
Capabilities below reflect publicly documented product architectures and published customer outcomes as of 2026. Confirm specifics with each vendor for your deployment context.
| Capability | Reflectiz | c/side | Feroot | Jscrambler | Source Defense | Cloudflare CSS Advanced |
|---|---|---|---|---|---|---|
| Architecture | Fully remote, agentless | Proxy between scripts and browser | On-page JS tag + CSP | Tag or agentless scan | On-page tag, behavior isolation | Network layer (CDN) |
| Code changes required | No | Yes | Yes | Yes (for full protection) | Yes | Requires Cloudflare onboarding |
| Access to payment/session data | None | Yes | Yes | Yes | Yes | Yes (traffic proxied) |
| iFrame + 4th-party script detection | Full | Limited | Limited | Limited | Limited | Limited |
| Covers 6.4.3 and 11.6.1 | Yes | Yes | Yes | Yes | Yes | On paid Advanced add-on only |
| AI-assisted justifications | Yes (up to 90% less manual work) | Yes | Behavioral baselines | Yes (AI Assistant) | Adaptive engine | LLM-assisted detection |
| Policy-based auto-approval | Yes (Smart Approvals) | No | No | No | No | No |
| Multi-site bulk approval | Yes | No | No | No | No | Per-zone |
| Aggregated multi-site QSA report | Yes | No | Partial | Partial | No | No |
| Real-time script blocking | Detection-first; blocking available via Reflectiz platform | Yes | Detection + alerts | Yes (agent mode) | Yes | Via WAF |
| Independent QSA assessment of the solution | Yes: Integrity360, PCI QSA and GEAR member¹ | Yes: VikingCloud technical review¹ | Not published | Not published | Yes: CoalFire + VikingCloud reviews¹ | PCI evaluation whitepaper |
| PCI SSC status | Principal Participating Organization | Not listed | Not listed | Principal Participating Organization | Principal Participating Organization | Not listed |
| Published customer audit outcomes | Zero observations in all published cases | Not published | Not published | Not published | Not published | Not published |
| Verified user rating | 4.7/5, 31 reviews (G2) | See G2 | See G2 | See G2 | See G2 | Bundled (no isolated rating) |
| Deployment time | Hours to 24 hours | Under a day (tag) | Days to weeks | Days to weeks | Days to weeks | Fast if already on Cloudflare |
| Site performance impact | None | Present (proxy/tag) | Present (tag) | Present (agent) | Present (tag) | Present (proxy) |
| Free entry point | 30-day free trial, self-serve URL submission | Free self-serve account | Demo/quote | Demo/quote | 30-day free trial | Free tier (not compliance-sufficient) |
¹ QSA solution assessments and technical reviews evaluate platform capabilities against the requirements. None constitutes a formal PCI DSS certification or compliance determination for a specific customer environment.
The Real Architectural Divide: Code on the Page vs. No Code at All
Most comparisons sort these tools into “scanner,” “agent,” and “proxy.” That framing misses the question your risk team will actually ask: does the compliance tool itself become part of your cardholder data environment?
- On-page tools (Feroot, Source Defense, Jscrambler agent mode): a JavaScript tag runs in the consumer’s browser alongside payment scripts. Strong runtime visibility, but the tag is one more third-party script on the page 6.4.3 exists to police, and it can observe the payment session.
- Proxy tools (c/side): the platform sits between third-party scripts and the browser, seeing every payload in real time. Powerful, but all script traffic, including on payment pages, routes through the vendor’s infrastructure.
- Network-layer tools (Cloudflare): monitoring rides on the CDN. Convenient if you already run Cloudflare; a major infrastructure migration if you don’t.
- Fully remote (Reflectiz): synthetic user monitoring scans payment pages from the outside, exactly as a real visitor’s browser receives them, including iFrame-embedded and fourth-party scripts. No agent, no tag, no proxy, no access to transactions, sessions, or PII, and zero page performance impact.
This was the deciding factor for Apexx Global, a UK payment orchestration platform subject to Level 1 PCI DSS. Its Head of Information Security selected Reflectiz specifically because no agent-based alternative could monitor payment pages without access to transaction data. Deployment took under 24 hours. The Level 1 audit produced zero observations.
The “periodic crawler” objection, answered. Agent and proxy vendors — cside’s comparison among them — argue that external scanners are periodic crawlers with blind spots: they miss session-specific or geo-targeted scripts, and a sophisticated attacker can serve a clean page to a known scanner IP while skimming real users. It is the same limitation flagged in the ISACA analysis that cside cites. The critique is fair against basic periodic crawlers. It does not describe Reflectiz.
Reflectiz is continuous synthetic monitoring, not a periodic crawl. A proprietary remote browser explores each page the way a real visitor would, executing checkout and authenticated journeys, and observes runtime behavior after page load, logging JavaScript execution, form-field access, and outbound data flows for every script, including dynamically injected content, iFrame-embedded scripts, and fourth-party code loaded several vendor relationships deep. Because it baselines what each script does rather than what its file hash is, it catches a trusted script that was silently swapped at the vendor the moment its behavior deviates, the exact case where hash checks and source allowlists both pass. And when enforcement is wanted alongside detection, Reflectiz offers client-side blocking at the platform level. It delivers the coverage QSAs increasingly ask about without adding attack surface to the page.
“Monitoring must occur in real-time as the page is constructed and JavaScript is interpreted in the consumer’s browser.”
— Stuart Golding, veteran PCI DSS consultant with ~15 years advising retailers including WH Smith, Sainsbury’s, and Argos, interviewed by Reflectiz
Vendor Profiles
Reflectiz PCI Module
Architecture: fully remote and agentless. You submit payment page URLs; monitoring begins within hours. No code changes, no developer involvement, no access to payment data.
How it automates 6.4.3: continuously updated inventory of every script on payment pages, including third-party, fourth-party, and iFrame-embedded scripts. Built-in AI drafts an audit-aligned business justification for each script, which reviewers accept, edit, or override, cutting manual documentation effort by up to 90% according to Reflectiz customer data. Smart Approvals lets teams define acceptable script behaviors once; compliant updates are then auto-approved, and only true anomalies surface for human review. Bulk Approval propagates identical approvals across every site and checkout page in one action.
How it automates 11.6.1: continuous monitoring of HTTP response headers and script content, real-time alerts on deviation, timestamped evidence logs written the moment a change is detected, and automatic suspension of a changed script’s approval status pending re-review.
QSA readiness: Reflectiz has been independently assessed by Integrity360 Europe, a PCI Qualified Security Assessor Company and member of the PCI SSC Global Executive Assessor Roundtable (GEAR). Integrity360 reviewed the platform against the technical and procedural requirements of 6.4.3 and 11.6.1 and concluded that, correctly deployed within a GRC program, it can be effective in supporting compliance with both requirements, describing the approach as a materially more efficient route to compliance than manual or static-policy methods. The full assessment is available as a white paper. Reflectiz is also a Principal Participating Organization in the PCI Security Standards Council, the highest tier of industry participation, contributing directly to Technology Guidance Groups shaping the standard. The PCI Dashboard exports one-click evidence aligned with the examine, observe, and interview procedures in PCI DSS 4.0.1 guidance, plus an Aggregated Report consolidating all monitored sites into one export, and integrates with Splunk, Jira, and any SIEM or SOAR platform via REST API.
Integrity beyond file hashes: a key point in the Integrity360 assessment is how Reflectiz verifies script integrity. Hash comparison tells you a file changed, but vendors change files legitimately every day, and an attacker who compromises the vendor replaces the file with a new, valid hash. Reflectiz baselines what each script does at runtime: which DOM elements it touches, which form fields it reads, where it sends data. A trusted script that is silently swapped at the vendor and starts reaching for card data triggers an alert the moment its behavior deviates, regardless of how legitimate the file looks.
Published outcomes:
| Customer | Result |
|---|---|
| Apexx Global (Level 1) | Zero observations, deployed in under 24 hours, zero transaction data accessed |
| Village Roadshow | 700+ scripts across four sites approved, two-day deployment, zero findings |
| lastminute.com (50+ markets) | QSA approved the approach without caveats before selection; zero issues flagged |
| Broadway Gaming (Level 1) | Passed first mandatory 4.0.1 audit with zero observations; AI justifications turned days of documentation into an afternoon |
Entry point: 30-day free trial via self-serve URL submission. Available standalone or as part of Reflectiz Security Hub, which extends monitoring beyond payment pages to the full web surface.
Best fit: organizations that cannot or will not add code to payment pages, multi-brand and multi-site merchants, regulated businesses where the compliance tool itself must not touch payment data, and teams that want audit evidence QSAs have already accepted at Level 1.
c/side PCI Shield
Architecture: proxy-based; the platform sits between third-party scripts and the browser, combined with an AI analysis layer and scanning. 6.4.3: automated inventory, AI-generated justifications, three-layer script analysis (AI, hash comparison, threat intelligence). 11.6.1: continuous header logging and change alerts, with the ability to block suspicious scripts. Validation: VikingCloud conducted a technical review confirming the solution can support compliance when deployed correctly (not a formal PCI DSS certification). Entry point: publicly listed pricing from $99/month and a free self-serve account. Best fit: solo developers, smaller merchants, and agencies wanting transparent pricing and self-serve deployment, and teams comfortable routing payment page script traffic through a vendor proxy.
Feroot PaymentGuard AI
Architecture: on-page JavaScript tag plus CSP header. 6.4.3: simulated user interactions surface conditionally loaded scripts; approval workflows generate QSA-aligned justifications; behavioral baselines validate integrity over time. 11.6.1: real-time monitoring of script activity and headers with alerts to Slack, Teams, PagerDuty, and SIEM/GRC integrations. Differentiator: operational simplicity after tag deployment; claims up to 95% reduction in audit prep time. Best fit: teams wanting hands-off operations at enterprise scale and comfortable with an embedded tag on payment pages.
Jscrambler Client-Side Protection and Compliance
Architecture: hybrid; agentless scanning for fast inventory, agent-based deployment for behavioral monitoring and active blocking. 6.4.3: AI Assistant analyzes scripts and drafts justifications, reducing approval workload by up to a reported 90%. 11.6.1: real-time tamper detection with form fencing that restricts third-party access to sensitive fields. Standards depth: CTO Pedro Fortuna sits on the PCI SSC Board of Advisors; Jscrambler is a PPO. Offers a Delegated Compliance managed service. Best fit: organizations that also need first-party JavaScript obfuscation, or want the authorization workflow fully outsourced.
Source Defense Protect
Architecture: on-page tag with behavior-based isolation; scripts run in controlled environments with Redacted or Isolated modes limiting what they can access. 6.4.3: automated inventory with justification management and integrity monitoring. 11.6.1: continuous behavior-based monitoring that adapts to new threats without manual rule tuning. Standards depth: founded 2014, PPO with the PCI SSC, member of the PCI Board of Advisors, reviewed by CoalFire and VikingCloud, protects 1,000+ global brands. Best fit: enterprises prioritizing active constraint of what authorized scripts can do, not just detection.
Cloudflare Client-Side Security Advanced
Architecture: network-layer monitoring on Cloudflare’s CDN with ML and LLM-assisted detection; formerly Page Shield. Coverage: the paid Advanced add-on supports 6.4.3 and 11.6.1; the free tier does not include the monitoring, alerting, or reporting needed for compliance. Constraint: effectively limited to organizations already routing traffic through Cloudflare; adopting it otherwise means a full infrastructure migration to add PCI script monitoring. Best fit: existing Cloudflare customers who want compliance coverage bundled into infrastructure they already run.
Detection vs. Blocking: What the Standard Actually Requires
Some vendors position real-time blocking as the dividing line between “real” solutions and everything else. Read the requirements: 6.4.3 mandates authorization, integrity, and a justified inventory. 11.6.1 mandates detection of and alerting on unauthorized changes. Neither mandates blocking, and QSAs assess evidence of inventory, justification, and change detection, not blocking capability.
Blocking has real security value, and Reflectiz offers blocking capabilities at the platform level for customers who want enforcement alongside detection. But for the compliance decision, the question that determines audit outcomes is different: can the tool produce complete, timestamped, QSA-acceptable evidence, continuously, across every payment page? That is where independent assessment and published audit outcomes matter more than feature checklists. Integrity360, a PCI QSA and GEAR member, assessed Reflectiz against both requirements and judged it a materially more efficient route to compliance than manual or static-policy approaches, and across every published Reflectiz PCI case study the audit result is the same: zero observations.
The SAQ A Consideration
The January 2025 SAQ A update removed 6.4.3 and 11.6.1 for merchants that fully outsource payments via iFrames, but added a harder condition: you must confirm your site is not susceptible to script-based attacks. PCI SSC FAQ #1588 clarifies that one accepted way to confirm this is applying techniques such as those in Requirements 6.4.3 and 11.6.1. In practice, the new SAQ A demands the very monitoring it was meant to spare you. Establishing and sustaining that eligibility requires full-site script visibility, including iFrame coverage that most on-page tools cannot deliver, because their tags do not run inside hosted payment iFrames. Reflectiz monitors the entire rendered page context, including iFrame content from hosted payment providers, and Integrity360’s assessment states that correct implementation of the Reflectiz platform may help merchants meet the SAQ A script-attack eligibility criteria.
How to Choose
| If you need… | Look at… |
|---|---|
| Zero code on the page, zero access to payment data, 24-hour deployment | Reflectiz |
| Multi-site compliance with one aggregated QSA report and bulk approvals | Reflectiz |
| iFrame and fourth-party coverage QSAs increasingly request | Reflectiz |
| Published pricing and a free self-serve tier | c/side |
| Active behavior isolation of third-party scripts | Source Defense |
| First-party code obfuscation plus compliance in one vendor | Jscrambler |
| Fully managed authorization workflow | Jscrambler (Delegated Compliance) |
| Compliance bundled into existing CDN infrastructure | Cloudflare |
| Hands-off tag-based monitoring at enterprise scale | Feroot |
All six vendors can get you to compliance. The differences that decide audits are architectural: where the tool runs, what data it can access, how complete its script coverage is, and whether its evidence has already survived QSA scrutiny. In fairness, one rival genuinely leads on buyer experience: c/side is the only tool here with public per-month pricing and instant self-serve signup, which smaller teams will value.
What Verified Reviewers and Independent Sources Say
Vendor claims are one thing; third-party evidence is another. Reflectiz holds a 4.7/5 rating across 31 verified reviews on G2 in the Web Security category, and is listed independently on software directory Slashdot/SourceForge with 33 ratings. PCI DSS 6.4.3 and 11.6.1 are the single most common use case cited in those reviews. A representative sample:
“Reflectiz made our PCI DSS 4.0.1 compliance seamless, especially with requirements 6.4.3 and 11.6.1. The onboarding was incredibly fast — less than 24 hours from providing details to having a working dashboard.” — Deepak Kumar R., Head of Information Security (verified G2 review)
“We leveraged Reflectiz for their PCI 6.4.3 and 11.6.1 capabilities and have been able to keep track of all of the scripts, domains and headers on our merchant sites with ease.” — Tim G., Head of Security (verified G2 review)
“Compliance with PCI DSS v4, specifically points 6.4.3 and 11.6.1. We would not be able to pass the certification without their compliance reports.” — Alexis M., Cloud Architecture Lead (verified G2 review)
An independent PCI consultant’s view reinforces the fit for merchants weighing deployment models:
“Personally, I tend to favor solutions that are least intrusive, both in terms of cost and implementation … organizations should explore alternatives like Reflectiz.” — Stuart Golding, veteran PCI DSS consultant, interviewed by Reflectiz
Watch: PCI DSS 6.4.3 and 11.6.1 in Practice
Two Reflectiz sessions put these requirements in a real-world context — one merchant’s compliance journey, and a cross-industry panel on where accountability actually sits.
Learning from Abercrombie & Fitch: the final push to PCI DSS v4. Reflectiz CEO Idan Cohen and A&F Director of Risk Kevin Heffernan walk through how the retailer met the new payment-page script requirements (6.4.3 and 11.6.1) — the pitfalls they hit and the tips that made compliance manageable.
Beyond PCI DSS Compliance: Who Owns Payment Risk in 2026. An executive panel with the PCI Security Standards Council (Una Dillon), APEXX Global, Domino’s UK & Ireland, and Naked Wines on the accountability gap that certification alone cannot close.
Get Audit-Ready Before Your QSA Arrives
The Reflectiz PCI Module delivers continuous payment page monitoring, AI-drafted justifications, Smart Approval workflows, and one-click QSA evidence, deployed in hours with no code changes and no access to payment data.
FAQs
Can CSP and SRI alone satisfy requirement 6.4.3?
Only partially. CSP controls where scripts load from, not what they do, so a compromised trusted script passes through. SRI hashes break on every legitimate update to dynamic scripts. Neither generates the inventory, justification, or audit evidence the requirements demand.
Do 6.4.3 and 11.6.1 apply to me if I use a third-party hosted checkout or iFrame?
Possibly, and often in a way people underestimate. The January 2025 SAQ A update removed 6.4.3 and 11.6.1 for merchants who fully outsource payments via iFrame, but it added a condition: you must confirm your site is not susceptible to script-based attacks. PCI SSC FAQ #1588 indicates that applying techniques like those in 6.4.3 and 11.6.1 is one accepted way to confirm this, so the monitoring you thought you avoided is frequently still needed on the parent page that hosts the payment iFrame.
Do I still need monitoring under the new SAQ A?
Most likely. SAQ A-eligible merchants must now confirm their site is not susceptible to script-based attacks, which in practice requires continuous script monitoring, including of the parent page hosting the payment iFrame.
Do PCI DSS 6.4.3 and 11.6.1 require script blocking?
No. 6.4.3 requires script authorization, integrity verification, and a justified inventory. 11.6.1 requires detection of and alerting on unauthorized changes to payment page content and HTTP headers. Blocking is a security enhancement, not a compliance requirement.
Does an external scanner miss scripts that only load for certain users?
It depends on the type of scanner. A basic periodic crawler can miss session-specific or geo-targeted scripts, and a sophisticated attacker can serve a clean page to a known scanner IP while skimming real users. Continuous synthetic monitoring avoids that gap by simulating real user journeys and observing the fully rendered page after load, including dynamically injected, iFrame-embedded, and fourth-party scripts. When evaluating any remote tool, ask whether it performs periodic crawls or continuous behavioral monitoring, since that distinction determines coverage. Reflectiz uses the latter approach.
Does the compliance tool itself create PCI or privacy risk?
It can, depending on architecture. Any agent, tag, or proxy places a third-party component inside the payment environment with potential visibility into the payment session, and your assessment scope must account for it. A fully remote tool that never touches payment data, session data, or PII removes that consideration. This trade-off is worth weighing directly for each vendor; for example, Apexx Global’s security team cited it as the reason they chose a remote solution over agent-based alternatives.
How much do PCI DSS 6.4.3 solutions cost?
c/side publishes pricing from $99/month. Feroot, Jscrambler, Source Defense, and Cloudflare’s Advanced add-on are quote-based. Reflectiz offers tiered plans positioned for mid-size and enterprise organizations, with a 30-day free trial requiring only payment page URLs to start.
How often do the 6.4.3 and 11.6.1 checks need to run?
Requirement 11.6.1 sets a minimum cadence of at least once every seven days, or more frequently if your targeted risk analysis calls for it. Because third-party scripts change often, most organizations move to continuous monitoring rather than manual weekly checks; that also produces the timestamped evidence a QSA expects to see.
What are PCI DSS requirements 6.4.3 and 11.6.1?
Both govern the security of scripts on payment pages under PCI DSS v4.0.1. Requirement 6.4.3 covers payment page script management: every script that loads in the consumer’s browser must be authorized, verified for integrity, and inventoried with a written business or technical justification. Requirement 11.6.1 covers change detection: you must deploy a mechanism that detects and alerts on unauthorized modifications to payment page content and security-impacting HTTP headers, as received by the consumer’s browser.
What is the fastest way to comply with PCI DSS 6.4.3 and 11.6.1?
A fully remote solution is fastest because it requires no code changes or developer involvement. Reflectiz customers are typically fully operational within 24 hours of submitting payment page URLs. Tag-based tools deploy in under a day of engineering work; agent and proxy tools typically take days to weeks including change management.
When did 6.4.3 and 11.6.1 become mandatory?
They became mandatory on March 31, 2025 under PCI DSS v4.0.1. Before that date they were best-practice recommendations; after it, they are enforceable requirements that a QSA will assess. If you have not yet implemented script inventory, justification, and change detection on your payment pages, you are already past the deadline.
Which PCI DSS 6.4.3 vendors have independent QSA assessments?
Reflectiz has been assessed by Integrity360 Europe, a PCI Qualified Security Assessor Company and PCI SSC Global Executive Assessor Roundtable member, which reviewed the platform against Requirements 6.4.3 and 11.6.1 and found it can be effective in supporting compliance when correctly deployed. c/side and Source Defense have undergone QSA technical reviews by VikingCloud (and CoalFire for Source Defense). None of these assessments constitutes a formal PCI DSS certification. Reflectiz, Jscrambler, and Source Defense are also Principal Participating Organizations in the PCI Security Standards Council. Reflectiz is the only vendor in this comparison with published customer audit outcomes as well: zero observations in every published case, including Level 1 assessments where the customer’s QSA approved the approach before purchase.
Subscribe to our newsletter
Stay updated with the latest news, articles, and insights from Reflectiz.
Related Articles
AI Has Changed The Web.
Are You Ready for What’s Next?
Third-party code shifts by the hour. Supply-chain compromises strike without warning. AI-driven web attacks now evolve faster than traditional security can ever keep up.
Reflectiz delivers the continuous, real-time visibility needed to expose the risks traditional tools miss entirely.
Zero code changes. Zero access to your data. Ultimate peace of mind.