Staying Ahead of PCI DSS Changes: Automated Script Monitoring for Safer Payment Pages
With new PCI DSS requirements taking effect on March 31, 2025, maintaining compliance just became more challenging for acquirers and merchants alike, but especially for merchants who typically use the SAQ A to verify their annual compliance. In fact, some of the latest changes around the eligibility for using this questionnaire and PCI DSS requirements 6.4.3 and 11.6.1 have caused some confusion in the market. As IXOPAY’s Chief Information Security Officer and a PCI ISA, I’d like to take this opportunity to clear up any misconceptions and provide a breakdown of the changes for ecommerce merchants to better understand these new compliance obligations.
Announcing Payment Script Monitor
But before I get into what’s happening, we have an exciting announcement that will help alleviate many of these concerns. Today, IXOPAY’s wholly owned subsidiary, Aperia Compliance, will offer our acquirers a Payment Script Monitor solution to help simplify the latest PCI requirements for their merchants. Payment Script Monitor directly addresses PCI DSS requirements 6.4.3 and 11.6.1, both aimed at preventing digital skimming attacks.
IXOPAY strives to help merchants achieve and maintain PCI compliance. We demonstrated this most recently through our merger with Aperia Compliance and our continued investment in PCI compliance tools and resources. We can now also help acquirers such as ISOs, payment gateways, payfacs, and banks track and manage the compliance status of merchants across their portfolios and prevent digital skimming attacks. That brings me back to what is changing for ecommerce merchants with PCI DSS v4.
What's Changing for Ecommerce Merchants
In response to the increasing number of digital skimming attacks, the PCI SSC has made changes to the eligibility criteria for the SAQ A, as well as the requirements in other SAQs used by ecommerce merchants, including the SAQ A-EP and SAQ D. These changes directly affect merchants who have ecommerce payment pages, as they are susceptible to these types of harmful script attacks.
What is Digital Skimming?
In digital skimming attacks, threat actors inject malicious code into a merchant website, targeting their checkout pages to scrape and harvest payment account data entered by consumers, such as the primary account number (PAN), card verification value (CVV2), expiration date, and other personally identifiable information (PII). In order to combat digital skimming and other types of malicious script attacks, the PCI Security Standards Council (SSC) added requirements 6.4.3 and 11.6.1 to PCI DSS v4.
What Are Requirements 6.4.3 and 11.6.1?
PCI DSS 6.4.3: All payment page scripts that are loaded and executed in the consumer's browser must be managed. The organization must have a method to confirm that each script is authorized, a method to assure the integrity of each script (for example Subresource Integrity hashes or a Content Security Policy), and an inventory of all scripts with a written justification for why each one is necessary.
PCI DSS 11.6.1: A change- and tamper-detection mechanism must be deployed to alert personnel to unauthorized modifications (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser. The mechanism must run at least once every seven days, or at the frequency defined in the organization's targeted risk analysis.
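As an added illustration of what these two requirements ask for in practice (this is example code written for this page, not IXOPAY's or Aperia's code and not the Payment Script Monitor product), the Python below builds a 6.4.3-style inventory (each script's SHA-256 plus a written justification, and the current values of security-impacting headers) and then performs an 11.6.1-style check that reports added, modified, and deleted scripts and changed headers. The page content, script bodies, hostnames, and headers are constructed stand-ins, and the `fetched` dictionary replaces the fetch of what the consumer's browser would actually receive.

```python
"""Added example: baseline-and-diff monitor for payment-page scripts and headers."""
import hashlib
from html.parser import HTMLParser

# Headers whose change could weaken payment-page protections (assumed list).
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-frame-options")


class _ScriptCollector(HTMLParser):
    """Collects every <script> element as a (src, inline_body) pair."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src, self._buf = None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def inventory_scripts(html, fetched):
    """Map each script to the SHA-256 of the code the browser would run.
    External scripts are keyed by src and hashed over the body as served
    (`fetched` stands in for the HTTP fetch); inline scripts are keyed by
    document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    inv, n = {}, 0
    for src, body in parser.scripts:
        if src:
            inv[src] = hashlib.sha256(fetched.get(src, b"")).hexdigest()
        else:
            inv[f"inline#{n}"] = hashlib.sha256(body.encode()).hexdigest()
            n += 1
    return inv


def build_baseline(html, fetched, headers, justifications):
    """6.4.3: the authorized inventory. A script with no written
    justification raises KeyError, so nothing unjustified enters the baseline."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    scripts = {sid: {"sha256": digest, "justification": justifications[sid]}
               for sid, digest in inventory_scripts(html, fetched).items()}
    return {"scripts": scripts,
            "headers": {h: hdrs.get(h) for h in SECURITY_HEADERS}}


def check_payment_page(html, fetched, headers, baseline):
    """11.6.1: report additions, modifications, deletions and header changes."""
    findings = []
    observed = inventory_scripts(html, fetched)
    for sid, digest in observed.items():
        entry = baseline["scripts"].get(sid)
        if entry is None:
            findings.append(f"UNAUTHORIZED script added: {sid}")
        elif entry["sha256"] != digest:
            findings.append(f"MODIFIED script: {sid} ({entry['justification']})")
    for sid in baseline["scripts"]:
        if sid not in observed:
            findings.append(f"DELETED script: {sid}")
    hdrs = {k.lower(): v for k, v in headers.items()}
    for name in SECURITY_HEADERS:
        if baseline["headers"].get(name) != hdrs.get(name):
            findings.append(f"HEADER changed: {name}: "
                            f"{baseline['headers'].get(name)!r} -> {hdrs.get(name)!r}")
    return findings


# Constructed sample data (not a real merchant page, PSP script or header set).
BASELINE_HTML = """<html><head>
<script src="https://checkout.example/v1/fields.js"></script>
</head><body>
<script>window.cfg = {merchant: "m_123"};</script>
</body></html>"""
BASELINE_FETCHED = {"https://checkout.example/v1/fields.js": b"/* hosted fields v1 */"}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://checkout.example",
                    "Strict-Transport-Security": "max-age=31536000"}
JUSTIFICATIONS = {"https://checkout.example/v1/fields.js": "PSP hosted card fields",
                  "inline#0": "merchant configuration"}
BASELINE = build_baseline(BASELINE_HTML, BASELINE_FETCHED, BASELINE_HEADERS, JUSTIFICATIONS)

# The same page a week later: a tag injected, the PSP script altered, CSP stripped.
SKIMMED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.example.net/a.js"></script></body>')
SKIMMED_FETCHED = {"https://checkout.example/v1/fields.js": b"/* hosted fields v1 */ /* tampered */",
                   "https://cdn.example.net/a.js": b"/* unvetted third-party code */"}
SKIMMED_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
```

Run weekly (or per the targeted risk analysis), `check_payment_page` returns nothing for the unchanged page and three findings for the tampered one: the unauthorized `a.js`, the modified `fields.js`, and the removed Content-Security-Policy header. Two caveats a real deployment must address: the page and scripts have to be observed as the consumer's browser receives them (a headless browser at the network edge, not a fetch from inside the merchant's own network), and because inline scripts are keyed by document order, inserting a new inline script ahead of existing ones shows up as one addition plus several modifications rather than a single addition.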
The Bottom Line
Whether an ecommerce merchant must implement requirements 6.4.3 and 11.6.1 now depends on how card data is collected and which SAQ the merchant is eligible for. This can be summarized as follows:
Merchants who use a payment processor's embedded iframes to collect card data must, as a condition of SAQ A eligibility, confirm that the page embedding the iframe is not susceptible to script attacks. Implementing requirements 6.4.3 and 11.6.1, both of which are focused on protecting payment pages and checkout processes that use payment page scripts, is one way to demonstrate this, but the revised SAQ A no longer mandates them.
Merchants who use SAQ A and a full third-party redirect to collect payments are no longer required to implement requirements 6.4.3 and 11.6.1. Merchants who are not eligible for SAQ A, such as those completing SAQ A-EP or SAQ D, remain subject to both requirements.
How Your Merchants Can Comply with New PCI Requirements for Payment Page Script Monitoring
Aperia’s Payment Script Monitor addresses these new compliance requirements by offering an automated solution that monitors scripts, alerting merchants of unauthorized modifications and ensuring ongoing compliance. With Payment Script Monitor, acquirers can attract more merchants and generate recurring revenue with premium compliance tools.
How Payment Script Monitoring Works
- Simple Setup: An intuitive validation portal prompts merchants to load payment pages into the system for easy onboarding.
- Baseline Inventory: The solution automatically creates a baseline inventory of scripts to streamline the process for merchants.
- Script Authorization and Validation: Merchants are guided through script authorization and validation.
- Continuous Monitoring: The solution monitors scripts to detect unauthorized changes and ensure compliance.
- U.S.-Based Phone Support: If merchants have questions or experience issues, Aperia provides one-call resolution with assistance available in multiple languages.
Reduce Risk and Boost Profitability with Aperia Compliance
Payment Script Monitor from Aperia Compliance offers a cost-effective solution that not only enhances compliance but also supports business growth for acquirers by boosting profitability. Addressing PCI DSS requirements 6.4.3 and 11.6.1 within a single, seamless platform, it provides a comprehensive approach to security. Continuous monitoring and alert systems safeguard merchants' payment pages from malicious activity, significantly reducing risk. Its user-friendly design simplifies PCI DSS compliance, saving time and resources while ensuring a streamlined experience.
About the Author

John Noltensmeyer
Chief Information Security Officer
John Noltensmeyer is a privacy and data security professional with nearly 30 years of experience in information technology. He holds multiple certifications and maintains extensive knowledge of international privacy regulations and industry security standards. Prior to joining TokenEx, John worked in both the financial services sector and federal government, including technical lead roles at the International Trade Administration and United States Department of Commerce.