Recently, we’ve delved into the new guidance around client-side security found in PCI DSS v4.0 (specifically, PCI 6.4.3). We’ve walked through what PCI 6.4.3 states, what it means for cybersecurity teams and organizations, and analyzed how best to address script management to meet PCI’s guidance. As we dive deeper into this new focus on client-side security, we also have to dig into PCI 11.6.1. 

PCI 11.6.1 states that unauthorized changes on payment pages must be detected and responded to. The question is, how soon after the alert do cybersecurity teams have to respond? Additionally, PCI has recommended an update on mechanism functions at least once every seven days or “periodically” based on other elements. But again, what does “periodically” mean? In this article, we’re taking a closer look at PCI 11.6.1, what it entails, and how you can meet this new guidance to protect your organization from client-side attacks. 

What Does PCI 11.6.1 State and Why is it Important?

Under PCI 11.6.1’s Defined Approach Requirements, it states:

“A change- and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
  • The mechanism is configured to evaluate the received HTTP header and payment page. 
  • The mechanism functions are performed as follows:
    • At least once every seven days 


  • Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).”

Essentially, PCI 11.6.1 is outlining that change- and tamper-detection systems must: 

  • Be deployed on payment pages to alert personnel to unauthorized modification
  • Evaluate the received HTTP header on the payment page
  • Meet these requirements every seven days or periodically

Other time periods mentioned in requirement 11.6.1 use the word “timely” and “prompt” as to when alerts need to be provided. This is displayed in the section, Customized Approach Objective, which states, “E-commerce skimming code or techniques cannot be added to payment pages as received by the consumer browser without a timely alert being generated. Anti-skimming measures cannot be removed from payment pages without a prompt alert being generated.”

Ultimately, PCI 11.6.1 states that you must be alerted when a change has been made to your script. Having the technology and resources in place to get these timely alerts is vital. While PCI is giving you leeway as to how much time you’re allotted to detect and respond to alerts, the question you need to ask yourself is, how much time can you afford to wait before you respond?

Alert! Alert! Failing to Respond to Alerts Can Cost you Thousands, Even Millions in Fines

When websites are processing thousands of payment cards every day, responding to an alert one week from now, in a timely manner, or periodically can mean the difference between thousands or millions of dollars in primary and secondary costs. 

According to IBM’s 2021 Cost of a Data Breach Report, customer PII is the most common type of record lost or stolen as it was included in 44% of all breaches in this study. Not only is PII the most common type of data stolen in data breaches, but it’s also the most costly. Per lost or stolen record, customer PII can cost an average of $180. This number is up 20% from 2020 when the average cost of customer PII per lost or stolen record was approximately $150. At this rate, you can’t afford to not respond to alerts immediately. Waiting a week, or even a day or two, could cost our organization millions of dollars in fines — in just a few hours.

IBM also reports that in 2021, it took an average of 212 days to identify a data breach, plus an additional 75 days to contain it. This entire lifecycle is 287 days. Imagine the amount of data that could be stolen during this time. Now, imagine that number reflected in costly fines. 

Also take into consideration, the average time to identify and contain a breach by an initial attack vector such as a vulnerability in third-party software. This software is typically used to capture payment information or personal contact information through form submissions. When cybercriminals use this software as an attack vector, it can lead to irreparable and costly damages. With an average lifecycle of 286 days, vulnerabilities in third-party software take approximately 210 days to identify and 76 days to contain. 

All that being said, even though PCI 11.6.1 gives you ample time to respond to alerts, the problem is that organizations aren’t able to:

  • Detect threats and breaches as they happen
  • Respond to alerts within less than 200 days

There is only one solution: prevention first client-side security.

PCI 11.6.1 is Giving You the Freedom to Decide Which Client-Side Security Tool to Use — Choose Wisely

It is clear that PCI is allowing some vagueness to give freedom to its members on which client-side security tool they use. Under examples for 11.6.1, CSP and synthetic user monitoring systems are mentioned along with “Embedding tamper-resistant, tamper-detection script in the payment page can alert and block when malicious script behavior is detected.”

The Source Defense Platform offers prevention-first, client-side web application security that:

  • Stops threats in their tracks without adding burden to your already burdened teams
  • Mitigates a potential material risk to your organization 
  • Ensures compliance with PCI 6.4.3 and PCI 11.6.1

Dive into the Source Defense Platform to learn more about its capabilities and use cases.

Final Thoughts

PCI 11.6.1 notes that “This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”

The truth is, organizations need to act now to find effective solutions to not only keep their security measures in compliance with PCI 11.6.1 and PCI 6.4.3, but also to respond immediately and prevent any potential threat or harm to the organization, its people, and its customers. 

Make the smart choice and get prepared now. 2025 (or a potential client-side attack) is right around the corner. Get a demo of the Source Defense Platform to protect your organization from client-side risk.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.