Organizations across the payment card industry (PCI) often face challenges meeting evolving compliance standards. One of the most complex updates in the latest PCI DSS framework is Requirement 6.4.3, which focuses on change management and security validation. For e-commerce businesses especially, maintaining compliance requires careful planning, continuous monitoring, and adaptable security controls.
Is your organization prepared to comply with PCI DSS 6.4.3? Request a consultation with RSI Security to strengthen your compliance posture and protect sensitive payment data.
How to Comply with PCI Requirement 6.4.3
Organizations within the payment card industry (PCI) that handle credit card transactions and cardholder data (CHD) must comply with the PCI Data Security Standard (PCI DSS). While some requirements are straightforward, others, like PCI DSS Requirement 6.4.3, pose unique challenges. This particular control focuses on monitoring, restricting, and maintaining the integrity of payment scripts used across e-commerce environments.
To comply with PCI Requirement 6.4.3, organizations should understand:
- The official guidance provided by the PCI Security Standards Council for this control
- The technical specifications outlined within the PCI DSS framework
- The relationship between PCI 6.4.3 and other related requirements
- Additional compliance considerations, such as validation and formal assessments
Partnering with an experienced PCI compliance service provider can simplify this process. Expert advisory, control implementation, and governance support ensure your organization meets 6.4.3, and all other PCI DSS obligations, with confidence.
Recent Updates and Guidance for PCI 6.4.3
Following the release of PCI DSS 4.0, the Payment Card Industry Security Standards Council (PCI SSC) received numerous questions from merchants and service providers struggling to meet the updated requirements, particularly PCI DSS 6.4.3 and the related Requirement 11.6.1. In response, the Council formed a dedicated task force to address e-commerce compliance challenges within the payment card industry.
Their efforts led to the publication of an information supplement in March 2025, offering detailed guidance on both requirements. The document outlines how organizations can identify and mitigate risks associated with compromised or malicious payment page scripts.
The PCI SSC warns that supply chain attacks and script injection attacks are among the most significant threats. These attacks often originate through third-party service providers (TPSPs) and can be difficult to detect. Malicious actors may inject scripts that imitate legitimate payment fields or use double-entry forms to trick users into providing sensitive information.
The outcome of these attacks, often referred to as e-skimming, can be severe, leading to payment data theft, fraud, or even compliance violations. To prevent these risks, organizations must follow PCI 6.4.3’s technical and procedural controls carefully, ensuring all payment scripts are monitored, validated, and secured against tampering.
PCI 6.4.3 Specifications and Stipulations
To understand PCI DSS Requirement 6.4.3, it helps to look closely at its placement within the broader framework. Requirement 6.4, a subset of PCI DSS Requirement 6, mandates that “public-facing web applications are protected against attacks.” Building on this, PCI 6.4.3 specifically requires organizations in the payment card industry to manage all payment page scripts executed in the consumer’s browser.
Under the Defined Approach, the most common path to compliance, organizations must implement formal methods to ensure:
- Authorization for every active script
- Integrity throughout script execution and updates
- Justification for maintaining each script in the inventory
Assessors validate compliance through structured testing, including procedural reviews, interviews, and inventory verification (as outlined in 6.4.3.a and 6.4.3.b).
For organizations using the Customized Approach, the PCI DSS specifies that no unauthorized code can run on payment pages displayed in a customer’s browser.
A major compliance challenge arises because these requirements apply to all scripts, even those loaded from third-party service providers. The PCI SSC recommends:
- Gaining authorization before adding new scripts or immediately after any update
- Performing integrity checks when scripts are introduced or modified
- Maintaining a minimal script inventory, limited to those essential for business function, to reduce exposure
Additionally, the SSC provides clarification on Three-Domain Secure (3DS) implementations. If a payment page is fully hosted and managed by a 3DS provider, meaning no scripts originate from the merchant’s environment, it may be exempt from PCI DSS 6.4.3. However, any scripts under the merchant’s control must still comply with authorization, integrity, and justification requirements.
How PCI Requirement 6.4.3 Fits Within the Framework
Understanding where PCI DSS Requirement 6.4.3 fits within the overall framework helps organizations in the payment card industry (PCI) align their compliance efforts strategically. The Payment Card Industry Data Security Standard (PCI DSS) includes 12 core requirements, grouped under six key priorities, each building upon the others to create a holistic cybersecurity and compliance ecosystem.
Here’s how the PCI DSS is structured:
- Build and Maintain Secure Networks and Systems
- Requirement 1: Install and maintain network security controls
- Requirement 2: Maintain secure configurations across systems
- Protect Account and Cardholder Data
- Requirement 3: Protect account data in storage
- Requirement 4: Encrypt cardholder data (CHD) during transmission over networks
- Maintain a Vulnerability Management Program
- Requirement 5: Protect systems and networks from malware
- Requirement 6: Develop and maintain secure systems and software
- Implement Strong Access Control Measures
- Requirement 7: Restrict access based on business need to know
- Requirement 8: Identify and authenticate users accessing systems
- Requirement 9: Restrict physical and environmental access to CHD
- Regularly Monitor and Test Networks
- Requirement 10: Log and monitor access to systems and networks
- Requirement 11: Test network and system security regularly
- Maintain an Information Security Policy
- Requirement 12: Establish and maintain security policies that support overall system protection
Within this hierarchy, Requirement 6, and specifically 6.4.3, plays a vital role in the Vulnerability Management Program. By ensuring that payment scripts are authorized, verified, and continuously monitored, organizations can prevent e-skimming and other client-side attacks that threaten payment card data integrity.
Understanding 6.4.3 in the Context of 6 and 6.4
To fully understand PCI DSS Requirement 6.4.3, it’s essential to see how it connects to Requirement 6 and its related sub-controls under 6.4. These elements collectively strengthen the payment card industry efforts to maintain secure systems, protect web applications, and prevent client-side threats like e-skimming.
Here’s how Requirement 6 is structured:
Requirement 6, Develop and maintain secure systems and software
- 6.1: Define processes and policies for maintaining systems
- 6.2: Develop all bespoke and custom software securely
- 6.3: Identify and address security vulnerabilities
- 6.4: Protect public-facing web applications against attacks
- 6.5: Manage changes to system components securely
Together, these controls ensure organizations implement sound development processes, maintain oversight of custom software, remediate vulnerabilities, and manage changes responsibly. These same security principles appear throughout the broader PCI DSS framework.
Zooming in further, Requirement 6.4 expands into three detailed sub-requirements:
Requirement 6.4: Protect public-facing web apps against attacks
- 6.4.1: Continuously address new threats and vulnerabilities, ranking risks through regular assessments and after major updates.
- 6.4.2: Deploy automated tools to detect and prevent web application attacks.
- 6.4.3: Manage all scripts executed in the consumer’s browser to ensure authorization, integrity, and justification.
In practice, PCI DSS 6.4.3 complements the ongoing monitoring of vulnerabilities (6.4.1) and automated defenses (6.4.2) to create a unified approach to web application protection. This layered structure helps organizations reduce exposure to malicious scripts and safeguard sensitive payment card data.
Broader PCI DSS Compliance Considerations
Meeting the technical requirements of PCI DSS 6.4.3, and all other controls, does not automatically equal full PCI DSS compliance. To achieve and maintain compliance, organizations must also complete formal assessments and validation procedures on a recurring basis.
Like other regulatory frameworks, the Payment Card Industry Data Security Standard (PCI DSS) defines multiple compliance levels based on the organization’s size, business type, and annual transaction volume. Each level determines the required validation method and assurance level.
For example, Mastercard outlines the following structure:
- Level 1: Merchants processing over 6 million annual transactions must undergo the most rigorous assessment, a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA).
- Levels 2–4: Merchants processing fewer transactions can typically complete a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC) without direct QSA involvement.
The same logic applies to service providers, though their thresholds differ. High-volume providers, such as third-party processors (TPPs), staged digital wallet operators (SDWOs), and merchant payment gateways (MPGs), are categorized as Level 1 and must complete a ROC with a QSA. Lower-volume providers may qualify for the simplified SAQ process.
Ultimately, partnering with an experienced PCI compliance advisor ensures proper preparation for assessments, documentation, and ongoing maintenance. RSI Security helps organizations at every compliance level implement required controls, validate effectively, and maintain continuous adherence to PCI DSS standards.
Streamline Your PCI Compliance Today
Achieving and maintaining PCI DSS compliance can be complex, especially when navigating specific controls like Requirement 6.4.3. Understanding its technical requirements and how it fits within the broader DSS framework is only the first step. The next is applying that knowledge effectively to secure your organization’s systems and payment environments.
Working with a trusted PCI compliance partner like RSI Security simplifies this process. Our experts have guided hundreds of organizations through every stage of compliance, from gap assessments and implementation to validation and continuous monitoring. We help your team build resilient, audit-ready systems that meet all Payment Card Industry Data Security Standard (PCI DSS) requirements with confidence.
Get started today. Contact RSI Security to streamline your PCI DSS compliance journey and protect your customers’ data with trusted, end-to-end solutions.
Download Our PCI Checklist