"One of the most important reasons we went with Reflectiz is that it doesn't need to know transaction details. That eliminated security and privacy concerns and third-party risk immediately."
Zero Audit Findings. No-Code Installation.
No Access to Payment Data.
Remote, agentless PCI DSS 4.0.1 compliance for requirements 6.4.3 and 11.6.1: deployed in 24 hours.
What the Reflectiz PCI Module Does
More than half of third- and fourth-party applications running on monitored sites access sensitive data with no documented business justification. PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1 exist to close exactly that gap, and the Reflectiz PCI Module automates the work of meeting them.
The Reflectiz PCI Module is a purpose-built compliance solution for PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1. It runs entirely remotely: submit a payment page URL and monitoring begins within hours, with onboarding completed in one day. It automates the work that consumes the most time before and during a QSA audit: script inventory, behavioral approval, business-justification documentation, and compliance-evidence generation.
Reflectiz is a Principal Participating Organization in the PCI Security Standards Council and works directly with the Council to shape evolving guidance. The module is available as a standalone solution or as part of the Reflectiz Security Hub.
Recognized at the top tier by the PCI Security Standards Council
As a PPO, Reflectiz contributes directly to PCI SSC Technology Guidance Groups, helps to shape ongoing updates of the Data Security Standard, and gains early visibility into emerging standards, keeping the Reflectiz PCI Dashboard aligned with every evolution of PCI DSS.
In April 2026, Reflectiz joined the PCI SSC’s Coffee with the Council podcast alongside BT Group and Salesforce to discuss the value of PPO participation, the findings of the State of Web Exposure 2026 Report, and how third- and fourth-party script risk is shaping the future direction of payment security standards. Brett Johnson, Reflectiz’s Americas lead, highlighted a striking pattern in the data: more than half of third- and fourth-party applications running on monitored sites access sensitive information with no documented business justification. This is the exact gap requirements 6.4.3 and 11.6.1 were designed to close.
What Customers Achieve
"Reflectiz gives us the visibility we lacked. If you're struggling with how to meet the new PCI DSS v4.0.1 requirements, Reflectiz is the answer. It removes the blind spots without disrupting your platforms or teams."
"Simplicity combined with effortless visibility. That's important in a company with hundreds of engineers. Reflectiz delivers that."
"If you have to meet PCI requirements, it's a no-brainer. PCI is hard, so it's a must."
Find the gaps before your QSA does
The Reflectiz and Integrity360 PCI Compliance Solution Assessment gives organizations an independent expert evaluation of their readiness for PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, before their QSA finds the gaps.
Reflectiz has partnered with Integrity360, one of the world’s leading cybersecurity service providers, to deliver a structured assessment that covers:
Whether your audit is six weeks out or six months away, this assessment gives your security and compliance teams the clarity to act with confidence, not react under pressure.
How Reflectiz Compares
Capability comparison across the five most commonly evaluated PCI DSS 6.4.3 and 11.6.1 solutions, based on publicly documented product architectures and published customer outcomes as of 2025–2026.
| Capability | Reflectiz | c/side | Jscrambler | Feroot | Source Defense |
|---|---|---|---|---|---|
| Deployment model | Agentless / fully remote | Proxy / agentless | Tag or agentless | On-page JS tag + CSP | On-page tag (behavior isolation) |
| Code changes required | No | Yes | Yes | Yes | Yes |
| Access to payment or session data | None | Yes | Yes | Yes | Yes |
| iFrame and 4th-party script detection | Full | Limited | Limited | Limited | Limited |
| Dedicated PCI DSS 6.4.3 / 11.6.1 dashboard | Yes | No | No | Partial | Partial |
| Policy-based auto-approval (define once, auto-approve) | Yes | No | No | No | No |
| Smart Approval (define once, auto-approve) | Yes | No | No | No | No |
| Bulk Approval across multiple sites | Yes | No | No | No | No |
| Aggregated multi-site compliance report | Yes | No | No | No | No |
| One-click QSA evidence export | Yes | No | Partial | Partial | No |
| SAQ A eligibility support, including iFrames | Yes | No | No | No | Partial |
| Deployment time | Hours to 24 hours | Days to weeks | Days to weeks | Days to weeks | Days to weeks |
| Site performance impact | None | Present | Present | Present | Present |
| PCI SSC status | Principal Participating Organization | Not listed | Principal Participating Organization | Not listed | Principal Participating Organization |
| Published audit outcomes | Zero observations across all published customer cases | Not published | Not published | Not published | Not published |
A note on agent-based architectures
Solutions that require agent or tag deployment introduce a third-party component into the payment environment, requiring teams to evaluate the agent itself as a compliance and privacy risk. This was the specific concern Apexx Global’s Head of Information Security cited as the reason for selecting Reflectiz over every agent-based alternative they evaluated.
The SAQ A Consideration
Updated SAQ A guidance gives eligible merchants a path to potentially simplify their compliance obligations, but only if they can affirmatively demonstrate that their entire website is protected from script-based attacks, including Magecart and web skimming. In effect, the new SAQ A now demands the very monitoring that it was meant to spare you.
Reflectiz provides the full-site script visibility, including the iFrame coverage that most tools cannot deliver, required to establish SAQ A eligibility and sustain it continuously between audit periods.
Security Beyond the Payment Page
PCI compliance secures the payment page. It does not secure the rest of your web environment, and most client-side attacks don’t start at checkout. Reflectiz Security Hub provides continuous visibility and control across your full web surface, detecting malicious script activity, web supply chain risks, misconfigurations, and unauthorized data access. Reflectiz Privacy Hub gives compliance and legal teams visibility into how user data is accessed, collected, and shared across web properties, supporting alignment with GDPR, CCPA, HIPAA, and other privacy obligations alongside your PCI posture.
Ready to Close Your PCI Gap?
The Reflectiz PCI Module gives security and compliance teams continuous payment page monitoring, audit-ready evidence, and Smart Approval workflows, deployed in hours, with no code changes and no access to payment data.
Reflectiz is a Principal Participating Organization in the PCI Security Standards Council. ISO 27001 certified.
FAQs
What is the Reflectiz PCI Module?
The Reflectiz PCI Module is a dedicated PCI DSS v4.0.1 compliance solution that automates script inventory management, unauthorized change detection, Smart Approval workflows, and QSA-ready evidence generation for requirements 6.4.3 and 11.6.1 — with no agent installation, no code changes, and no access to payment or user data.
Does the Reflectiz PCI Module require code changes or agent installation?
No. The Reflectiz PCI Module operates entirely via remote execution. No agent is installed, no JavaScript tag is deployed, and no access to the production environment is required. Organizations provide payment page URLs, and Reflectiz monitors them remotely.
How does Reflectiz fulfill PCI DSS requirement 6.4.3?
Reflectiz fulfills requirement 6.4.3 by maintaining a continuously updated inventory of every script on payment pages — including third-party, fourth-party, and iFrame scripts — and providing an individual approval and documented justification workflow for each, aligned with the examine, observe, and interview procedures in PCI DSS 4.0.1 guidance.
How does Reflectiz fulfill PCI DSS requirement 11.6.1?
Reflectiz fulfills requirement 11.6.1 by continuously monitoring HTTP response headers on payment pages and generating real-time alerts whenever an unauthorized change is detected.
Can Reflectiz generate the evidence my QSA needs?
Yes. The Reflectiz PCI Dashboard generates one-click compliance evidence exports covering script inventories, individual business justifications, approval status, domain change logs, user activity logs, and evidence logs — in formats aligned with PCI DSS 4.0.1 QSA examination procedures.
Has the Reflectiz approach been reviewed and approved by QSAs?
Yes. Multiple Reflectiz customers have confirmed that their QSAs reviewed and approved the Reflectiz approach without caveats.
What changed in PCI DSS v4.0.1, and why do requirements 6.4.3 and 11.6.1 matter now?
PCI DSS v4.0.1 made requirements 6.4.3 and 11.6.1 mandatory as of March 2025. Organizations need documented, continuous, and auditable controls — not point-in-time assessments.
How is Reflectiz different from agent-based or tag-based script monitoring tools?
Reflectiz operates entirely remotely with no code on the page, monitoring the rendered output including iFrames, fourth-party scripts, and dynamically injected content that tag-based tools cannot reach.
What are fourth-party scripts, and why does Reflectiz cover them?
Fourth-party scripts are JavaScript files loaded by your third-party vendors. Reflectiz inventories the full chain, including scripts that are two or three vendor relationships removed from you.
How long does deployment take?
Most organizations are fully operational within 24 hours of providing their payment page URLs. There is no agent to install, no code to deploy, and no developer involvement required — Reflectiz begins remote monitoring immediately after onboarding.
Does Reflectiz access payment data or user PII?
No. Reflectiz takes a remote, agentless approach with zero access to payment data, session information, or user PII.
Can Reflectiz handle multiple brands or payment pages?
Yes. Bulk Approval allows identical script behaviors to be approved across all sites in a single action.
What happens when a previously approved script changes?
Reflectiz detects behavioral deviations in real time and immediately alerts the security team. The change is flagged in the PCI Dashboard, the script’s approval status is suspended pending re-review, and a timestamped record of the change is added to the audit trail for QSA evidence.
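The 6.4.3 inventory check (every script on the page must be approved, unchanged, and justified) and the 11.6.1 header change check described in the FAQ answers above, reduced to their core logic as an added illustration. This is not Reflectiz's code; the inventory record shape, the watched header list, and the sample script bodies and headers are constructed assumptions, and a real monitor would fetch the rendered page and its scripts rather than use embedded bytes.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class ApprovedScript:  # approved-inventory entry (constructed shape, not Reflectiz's data model)
    src: str
    sha256: str
    justification: str
    approved: bool = True

# Security headers a 11.6.1-style tamper check watches on the payment page (assumed list).
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def check_scripts(inventory, observed):
    """6.4.3-style check: each script seen on the page must be in the approved inventory,
    unchanged, and carry a business justification; a changed script loses its approval."""
    findings, by_src = [], {rec.src: rec for rec in inventory}
    for src, body in observed.items():
        rec = by_src.get(src)
        if rec is None:
            findings.append(("unauthorized_script", src))
        elif sha256_hex(body) != rec.sha256:
            rec.approved = False  # suspended pending re-review, as the FAQ describes
            findings.append(("changed_script", src))
        elif not rec.justification.strip():
            findings.append(("missing_justification", src))
    return findings

def check_headers(baseline, observed):
    """11.6.1-style check: alert when a watched header is removed or differs from the baseline."""
    findings, obs = [], {k.lower(): v for k, v in observed.items()}
    for name in WATCHED_HEADERS:
        if name not in baseline:
            continue
        if name not in obs:
            findings.append(("header_removed", name))
        elif obs[name] != baseline[name]:
            findings.append(("header_changed", name))
    return findings

# Constructed sample: one approved script unchanged, one approved script modified, one never approved.
INVENTORY = [
    ApprovedScript("https://cdn.example/analytics.js", sha256_hex(b"track();"), "Analytics vendor, contract EX-1"),
    ApprovedScript("https://pay.example/checkout.js", sha256_hex(b"pay();"), "Payment processor iFrame loader"),
]
OBSERVED = {"https://cdn.example/analytics.js": b"track();",
            "https://pay.example/checkout.js": b"pay();extra();",
            "https://unknown.example/loader.js": b"load();"}
BASELINE_HEADERS = {"content-security-policy": "default-src 'self'", "strict-transport-security": "max-age=31536000"}
OBSERVED_HEADERS = {"Content-Security-Policy": "default-src *", "Strict-Transport-Security": "max-age=31536000"}
```

Running both checks on the sample yields a changed-script finding for checkout.js (whose approval is now suspended), an unauthorized-script finding for loader.js, and a header-changed finding for the CSP.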
How does Reflectiz support SAQ A eligibility?
Reflectiz provides full-site script visibility and continuous monitoring, enabling organizations to establish and sustain SAQ A eligibility.
What is the Integrity360 PCI Compliance Solution Assessment?
An independent expert evaluation covering gap analysis against requirements 6.4.3 and 11.6.1, available as a free gated download.
Can I try Reflectiz before committing?
Yes. Reflectiz offers a 30-day free trial with no installation, no agent, and no code changes required. You provide your payment page URLs and Reflectiz begins monitoring immediately — giving you a live view of your PCI DSS 6.4.3 and 11.6.1 posture within hours.
Does Reflectiz replace my QSA?
No. Reflectiz automates evidence collection and approval workflows but does not perform assessments or issue compliance certifications. It is designed to make your QSA’s job faster and easier by providing organized, timestamped, one-click evidence exports that satisfy requirements 6.4.3 and 11.6.1.
Does Reflectiz work with hosted payment pages and iFrame-based checkouts?
Yes. Reflectiz monitors the entire rendered payment page context, including iFrame content from hosted payment providers.