by Source Defense

When your organization builds or manages web experiences that handle patient, customer, or policyholder data, you are also managing risk, often more than you realize. On today’s internet, many of the most dangerous vulnerabilities live inside your users’ browsers, not on your servers.

The Blind Spot: Third-Party Code in Live Sessions

Modern websites rely on third- and fourth-party JavaScript for analytics, chat, personalization, ads, and payments. Once loaded, these scripts run with the same privileges as your code. They can observe and copy data users type into forms, including personal and payment details, unless you control their behavior in real time. Research across thousands of merchant sites shows heavy script usage on payment pages and direct interaction with sensitive data, underscoring the exposure created by unmonitored scripts.

A Growing Compliance Exposure

Healthcare, financial services, and insurance teams face rising scrutiny under privacy and security mandates. PCI DSS 4.0.1 adds explicit client-side controls for payment pages and flows, requiring you to inventory, authorize, justify, and assure the integrity of scripts, and to detect unauthorized changes to pages and headers on a recurring cadence. These controls address the real-world theft of data at the point of input in the browser.

What PCI DSS 4.0.1 Expects

  • Requirement 6.4.3: Maintain an inventory of payment page scripts, confirm authorization, justify necessity, and assure integrity. This applies to first-, third-, and fourth-party scripts that execute in the consumer browser.
  • Requirement 11.6.1: Monitor payment pages and headers for unauthorized changes at least weekly, alert on issues, and prevent or rapidly contain malicious behavior. The objective is active detection and blocking of eSkimming techniques.

Compliance is already in effect, and assessments are underway. Treat these requirements as minimum controls to reduce risk, not as paperwork.

Why Traditional Controls Struggle

Teams often look to Content Security Policy (CSP) and Subresource Integrity (SRI). While useful, both are static and operationally heavy in dynamic environments. CSP requires constant maintenance and can over- or under-block. SRI has little value for frequently changing or personalized third-party code and offers no native alerting. Independent reviews and industry guidance highlight these limitations.

The Rise of eSkimming and Client-Side Attacks

Attackers compromise legitimate sites or third-party scripts to capture form inputs inside the browser. The theft happens before data reaches your server, which means server-side tools may never see it. This is why PCI added client-side mandates and why behavior-based defenses that watch what scripts do, not just where they came from, are now essential.

Managing Web Client Runtime Security

A behavior-based approach gives you continuous visibility and control over script actions. You can see what data scripts access, whether they touch sensitive fields, and if they contact unapproved domains. Policies like monitor, redact, isolate, or block let you prevent exfiltration without breaking business-critical experiences. Third-party validations show that behavior-based controls can meet PCI 6.4.3 and 11.6.1 when configured correctly.

How Source Defense Helps

Protect data at the point of input. Source Defense extends security to the client side, learns baseline behavior, and enforces script-level policies in real time to stop eSkimming, formjacking, and credential harvesting before data leaves the browser. It functions like a sandbox for third- and fourth-party scripts and supports privacy mandates alongside PCI.

Meet PCI DSS 4.0.1 requirements with less effort.

  • Builds and maintains a script inventory, captures authorization and justification, and assures integrity for 6.4.3.
  • Continuously monitors pages and headers, alerts on changes, and blocks malicious activity for 11.6.1.

Independent QSAC reviews from Coalfire and VikingCloud support the platform’s applicability.

Two deployment models, one outcome.

  • Protect: in-line enforcement that isolates, redacts, monitors, or blocks script behavior.
  • Detect: external scanning and alerting for change detection and evidence.

Both reduce audit friction and provide exportable evidence for assessors.

Fast path to results. A practical 30-day plan gets discovery, evaluation, procurement, and deployment done quickly, with push-button reporting for audits and minimal ongoing management time.

Take Control of the Front End

  1. Inventory and authorize every script in your payment flows, including embedded iframes and fourth-party dependencies.
  2. Monitor behavior in real time and enforce policy at the browser to prevent data exfiltration.
  3. Capture evidence for PCI auditors with clear inventories, justifications, and change-detection logs.

Source Defense makes each step repeatable and low effort.

About Source Defense
Source Defense is the pioneer and market leader in client-side security and data privacy. The platform protects sensitive data at the point of input and supports PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 for organizations that handle online payments. Trusted by more than 1,000 brands and validated by leading QSACs, Source Defense delivers behavior-based protection that is fast to deploy and simple to operate.

Request a demo to see how behavior-based controls stop eSkimming and simplify PCI evidence, or ask for the 30-day action plan to start now.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
