by Source Defense

As PCI DSS 4.0.1 assessments become the new normal, Qualified Security Assessors (QSAs) play a pivotal role in ensuring merchants move beyond checking boxes to actually securing customer data. Two requirements, 6.4.3 (script inventory, authorization, and integrity) and 11.6.1 (change and tamper detection with alerting), now sit at the center of PCI DSS compliance. But in 2025's threat landscape, meeting these requirements on paper is not enough.

Why PCI DSS Now Looks at the Browser

The browser has quietly become one of the most dangerous places in the payment ecosystem. According to the 2024 Verizon Payment Security Report, 40% of payment-page scripts have access to PII or cardholder data, with an average of 18 scripts per checkout page. Every one of these scripts (analytics tools, tag managers, marketing pixels, personalization frameworks) can open a backdoor for eSkimming, formjacking, or keylogging.

The PCI Council's new focus on eSkimming security through 6.4.3 and 11.6.1 is an acknowledgment that server-side controls cannot see what happens inside the browser. Merchants must now prove that every script loading on their payment pages is authorized, monitored, and behaving as expected.

The Current DSS Is MISLEADING! Why CSP and SRI Don't Solve the Problem

Because the DSS references these as potential controls, many merchants point to Content Security Policy (CSP) and Subresource Integrity (SRI) as evidence of their diligence. Both are useful baseline controls, but they fall short of true protection.

CSP restricts where scripts may load from (and, with nonces or hashes, which inline scripts may run), but it cannot see what an allowed script does once it is running. If a trusted vendor is compromised, its domain is still on the allow list and the browser will execute the malicious code. SRI, meanwhile, pins a static hash of a script's contents, but the modern web is anything but static: scripts change constantly through tag managers, personalization, and dynamic content updates, every such change breaks the pinned hash, and scripts injected at runtime by other scripts carry no integrity attribute at all.

The PCI Council's own eCommerce Guidance Taskforce recently warned that CSP-based approaches fail to address critical elements of 6.4.3 and 11.6.1, offering no mechanism to alert on malicious behavior by an allowed script or to detect runtime tampering. The reality is stark: a CSP may be technically "compliant", but it does not make a payment page secure.

SECURITY vs COMPLIANCE: Upstream Attacks – The Hidden Majority

Another common misconception that you as a QSA should seek to educate against is the assumption that "protecting the payment page" is enough. Research from Source Defense, its partners, and other vendors in this space shows that most eSkimming campaigns now occur upstream, targeting scripts that load before checkout: marketing integrations, consent tools, and analytics tags. A compromised script loaded on an earlier page can hijack the payment process entirely, for example by presenting a fake payment form so that consumers believe they are on the payment page when they are not. Protecting only the payment page does not protect against eSkimming attacks!

In other words, compliance at checkout is not the same as security across the customer journey.

What QSAs Should Expect to See in a Report on Compliance

A compliant merchant must now provide evidence that every element of 6.4.3 and 11.6.1 is being met. Here’s what QSAs should look for:

For 6.4.3: Script Inventory, Authorization, and Integrity

  • Comprehensive Inventory: A live, automatically generated list of all first-, third-, and fourth-party scripts, not just static documentation.
  • Business Justification: Clear reasoning for why each script exists and what function it performs.
  • Authorization Log: Evidence that someone internally has approved each script’s presence or change.
  • Integrity Validation: Proof that each script's integrity is verified on an ongoing basis, not hashed once at deployment.

For 11.6.1: Detection, Alerting, and Response

  • Monitoring Mechanism: Continuous verification of the HTTP headers and script contents of payment pages as received by the consumer browser, or at minimum at the frequency 11.6.1 requires (at least once every seven days, or as defined in the entity's targeted risk analysis).
  • Alerts and Logs: Examples of alert configurations, evidence of test alerts, and recent logs showing changes detected or reviewed.
  • Response Procedures: Documented workflows showing how alerts are triaged and how incidents are validated or escalated.

Why Behavior-Based Protection Is the Only Reliable Path Forward

Source Defense Protect is a behavior-based solution that closes the compliance and security gap left by CSP and SRI. Instead of relying on predefined allow lists or hashes, it observes and controls script behavior in real time, enforcing policies directly inside the browser. Scripts are sandboxed and assigned to isolation, monitoring, or blocking modes, so that data never leaves the page without authorization.

For auditors and merchants alike, this offers a double benefit: automated compliance and real security. Independent assessors such as Coalfire and VikingCloud have validated that behavior-based enforcement directly addresses PCI DSS 6.4.3 and 11.6.1 across the entire payment flow.

Helping QSAs Succeed: Tools and Partnerships

QSAs are not expected to be developers or eSkimming security specialists. What they do need are tools that make it easy to verify compliance, and Source Defense has built precisely that.

The Source Defense QSA Dashboard is a free, multi-tenant assessment tool that allows assessors to generate real-time inventories of client scripts, verify authorization, view and export logs, and create ready-to-attach evidence packets for the ROC or SAQ.

We know you need help verifying your clients' approach, and we are glad to help with our free solution, which you can register for at www.sourcedefense.com. As part of our QSA Support Program, we also offer training, co-branded education, and webinars to help assessors stay ahead of the evolving eSkimming threat landscape.

Conclusion: Compliance Is the Floor, Not the Ceiling

PCI DSS 4.0.1 has drawn a clear line: merchants can no longer claim compliance if they lack visibility into browser-side activity. But true security goes further, identifying and blocking malicious behavior in real time rather than merely trusting a static configuration.

For QSAs, that means the questions you ask this year must dig deeper. When a client says, “We use CSP,” the right response is, “Show me what your scripts are doing right now.”

Source Defense stands ready to support QSAs worldwide with free tools, education, and validation resources that make your assessments faster, more accurate, and more secure.

Learn more or request access to the QSA dashboard at www.sourcedefense.com.
