RSI Security

Understanding PCI 6.4.3

Organizations across the payment card industry (PCI) often face challenges meeting evolving compliance standards. One of the most complex updates in the latest PCI DSS framework is Requirement 6.4.3, which focuses on change management and security validation. For e-commerce businesses especially, maintaining compliance requires careful planning, continuous monitoring, and adaptable security controls.

Is your organization prepared to comply with PCI DSS 6.4.3? Request a consultation with RSI Security to strengthen your compliance posture and protect sensitive payment data.

How to Comply with PCI Requirement 6.4.3

Organizations within the payment card industry (PCI) that handle credit card transactions and cardholder data (CHD) must comply with the PCI Data Security Standard (PCI DSS). While some requirements are straightforward, others, like PCI DSS Requirement 6.4.3, pose unique challenges. This particular control focuses on monitoring, restricting, and maintaining the integrity of payment scripts used across e-commerce environments.

To comply with PCI Requirement 6.4.3, organizations should understand:

Partnering with an experienced PCI compliance service provider can simplify this process. Expert advisory, control implementation, and governance support ensure your organization meets 6.4.3, and all other PCI DSS obligations, with confidence.

Recent Updates and Guidance for PCI 6.4.3

Following the release of PCI DSS 4.0, the Payment Card Industry Security Standards Council (PCI SSC) received numerous questions from merchants and service providers struggling to meet the updated requirements, particularly PCI DSS 6.4.3 and the related Requirement 11.6.1. In response, the Council formed a dedicated task force to address e-commerce compliance challenges within the payment card industry.

Their efforts led to the publication of an information supplement in March 2025, offering detailed guidance on both requirements. The document outlines how organizations can identify and mitigate risks associated with compromised or malicious payment page scripts.

The PCI SSC warns that supply chain attacks and script injection attacks are among the most significant threats. These attacks often originate through third-party service providers (TPSPs) and can be difficult to detect. Malicious actors may inject scripts that imitate legitimate payment fields or use double-entry forms to trick users into providing sensitive information.

The outcome of these attacks, often referred to as e-skimming, can be severe, leading to payment data theft, fraud, or even compliance violations. To prevent these risks, organizations must follow PCI 6.4.3’s technical and procedural controls carefully, ensuring all payment scripts are monitored, validated, and secured against tampering.

PCI 6.4.3 Specifications and Stipulations

To understand PCI DSS Requirement 6.4.3, it helps to look closely at its placement within the broader framework. Requirement 6.4, a subset of PCI DSS Requirement 6, mandates that “public-facing web applications are protected against attacks.” Building on this, PCI 6.4.3 specifically requires organizations in the payment card industry to manage all payment page scripts executed in the consumer’s browser.

Under the Defined Approach, the most common path to compliance, organizations must implement formal methods to ensure:

Assessors validate compliance through structured testing, including procedural reviews, interviews, and inventory verification (as outlined in 6.4.3.a and 6.4.3.b).

For organizations using the Customized Approach, the PCI DSS specifies that no unauthorized code can run on payment pages displayed in a customer’s browser.

A major compliance challenge arises because these requirements apply to all scripts, even those loaded from third-party service providers. The PCI SSC recommends:

Additionally, the SSC provides clarification on Three-Domain Secure (3DS) implementations. If a payment page is fully hosted and managed by a 3DS provider, meaning no scripts originate from the merchant’s environment, it may be exempt from PCI DSS 6.4.3. However, any scripts under the merchant’s control must still comply with authorization, integrity, and justification requirements.

How PCI Requirement 6.4.3 Fits Within the Framework

Understanding where PCI DSS Requirement 6.4.3 fits within the overall framework helps organizations in the payment card industry (PCI) align their compliance efforts strategically. The Payment Card Industry Data Security Standard (PCI DSS) includes 12 core requirements, grouped under six key priorities, each building upon the others to create a holistic cybersecurity and compliance ecosystem.

Here’s how the PCI DSS is structured:

  1. Build and Maintain Secure Networks and Systems
  2. Protect Account and Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Within this hierarchy, Requirement 6, and specifically 6.4.3, plays a vital role in the Vulnerability Management Program. By ensuring that payment scripts are authorized, verified, and continuously monitored, organizations can prevent e-skimming and other client-side attacks that threaten payment card data integrity.

Understanding 6.4.3 in the Context of 6 and 6.4

To fully understand PCI DSS Requirement 6.4.3, it’s essential to see how it connects to Requirement 6 and its related sub-controls under 6.4. These elements collectively strengthen the payment card industry’s efforts to maintain secure systems, protect web applications, and prevent client-side threats like e-skimming.

Here’s how Requirement 6 is structured:
Requirement 6, Develop and maintain secure systems and software

Together, these controls ensure organizations implement sound development processes, maintain oversight of custom software, remediate vulnerabilities, and manage changes responsibly. These same security principles appear throughout the broader PCI DSS framework.

Zooming in further, Requirement 6.4 expands into three detailed sub-requirements:
Requirement 6.4: Protect public-facing web apps against attacks

In practice, PCI DSS 6.4.3 complements the ongoing monitoring of vulnerabilities (6.4.1) and automated defenses (6.4.2) to create a unified approach to web application protection. This layered structure helps organizations reduce exposure to malicious scripts and safeguard sensitive payment card data.

Broader PCI DSS Compliance Considerations

Meeting the technical requirements of PCI DSS 6.4.3, and all other controls, does not automatically equal full PCI DSS compliance. To achieve and maintain compliance, organizations must also complete formal assessments and validation procedures on a recurring basis.

Like other regulatory frameworks, the Payment Card Industry Data Security Standard (PCI DSS) defines multiple compliance levels based on the organization’s size, business type, and annual transaction volume. Each level determines the required validation method and assurance level.

For example, Mastercard outlines the following structure:

The same logic applies to service providers, though their thresholds differ. High-volume providers, such as third-party processors (TPPs), staged digital wallet operators (SDWOs), and merchant payment gateways (MPGs), are categorized as Level 1 and must complete a Report on Compliance (ROC) with a Qualified Security Assessor (QSA). Lower-volume providers may qualify for the simplified Self-Assessment Questionnaire (SAQ) process.

Ultimately, partnering with an experienced PCI compliance advisor ensures proper preparation for assessments, documentation, and ongoing maintenance. RSI Security helps organizations at every compliance level implement required controls, validate effectively, and maintain continuous adherence to PCI DSS standards.

Streamline Your PCI Compliance Today

Achieving and maintaining PCI DSS compliance can be complex, especially when navigating specific controls like Requirement 6.4.3. Understanding its technical requirements and how it fits within the broader DSS framework is only the first step. The next is applying that knowledge effectively to secure your organization’s systems and payment environments.

Working with a trusted PCI compliance partner like RSI Security simplifies this process. Our experts have guided hundreds of organizations through every stage of compliance, from gap assessments and implementation to validation and continuous monitoring. We help your team build resilient, audit-ready systems that meet all Payment Card Industry Data Security Standard (PCI DSS) requirements with confidence.

Get started today. Contact RSI Security to streamline your PCI DSS compliance journey and protect your customers’ data with trusted, end-to-end solutions.
