
PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1 Force Script Inventory on Payment Pages
PCI DSS 4.0.1 targets the Magecart vector directly by mandating script authorization and tamper detection on payment pages. Evidence from QSA assessments and breach data shows that third-party scripts are a persistent source of compliance exposure. Merchants that embed a processor's iframe no longer get SAQ A by default: they must show that their own page is not susceptible to script-based attacks or lose SAQ A eligibility.
The core change is explicit. Requirement 6.4.3 demands that every script loaded and executed on a payment page be inventoried with a written justification, and that the merchant have a method to confirm each script is authorized and a method to assure its integrity. Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts personnel to unauthorized modification (additions, changes and deletions) of the HTTP headers and page content as received by the consumer's browser, evaluated at least weekly or at a frequency set by a targeted risk analysis. Reflectiz data indicates that 30 percent of such scripts change within any two-week window, so a hash baseline that is re-approved by hand is stale within days and silent vendor-side swaps that deliver skimmers slip through. Sansec documented over 100,000 compromised sites where legitimate vendor scripts carried Magecart payloads: the script tag and URL on the page were unchanged, only the content served from the vendor's host differed.
This exposes the structural gap between the iframe-based SAQ A assumption and what the browser actually executes. PCI SSC FAQ 1588 confirms that scripts running on the parent page remain able to attack the payment flow, for example by replacing or overlaying the processor's iframe, even though card data is entered in the processor's frame, so the merchant must confirm that its site is not susceptible to such script attacks. The 2018 British Airways breach, which exposed roughly 380,000 card transactions through a tampered copy of the Modernizr JavaScript library served from BA's own site, is the exact attack path these controls address.
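As an added illustration of the two controls described above (this is example code written for this page, not a PCI SSC, Reflectiz or Sansec tool), the script below builds the 6.4.3 inventory from a checkout page, verifies each script by URL and by SRI-style content hash, and runs an 11.6.1-style comparison of page body and HTTP headers against a stored baseline. The merchant page, the vendor script bodies, the processor iframe URL and the CSP header are all constructed sample data; the host names are hypothetical. It also shows the caveat from the Sansec finding: when a vendor replaces a script at the same URL, the merchant's page body does not change, so page-content monitoring alone stays silent and only the per-script hash check fires.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def sri_hash(body: bytes) -> str:
    """SRI token as a browser computes it: 'sha384-' + base64(SHA-384(body))."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def check_scripts(html: str, fetch, authorized: dict) -> dict:
    """6.4.3 check: every script on the page must be in the authorized inventory
    (keyed by URL) and its fetched body must hash to the inventoried SRI value.
    fetch(url) -> bytes stands in for retrieving the script as the browser would.
    Returns {src: status} with status OK, UNAUTHORIZED, TAMPERED or NO_SRI."""
    p = ScriptCollector()
    p.feed(html)
    result = {}
    for s in p.scripts:
        src = s["src"]
        if src not in authorized:
            result[src] = "UNAUTHORIZED"   # executes on the page, never approved
            continue
        actual = sri_hash(fetch(src))
        if actual != authorized[src]:
            result[src] = "TAMPERED"       # same URL, different content
        elif s["integrity"] != actual:
            result[src] = "NO_SRI"         # approved, but the browser will not enforce the hash
        else:
            result[src] = "OK"
    return result


def check_page(html: str, headers: dict, baseline: dict) -> list:
    """11.6.1-style check: compare the page body and selected HTTP headers with a
    stored baseline and report every difference, deletions included."""
    changes = []
    if hashlib.sha256(html.encode()).hexdigest() != baseline["body_sha256"]:
        changes.append("page content changed")
    for name, expected in baseline["headers"].items():
        if headers.get(name) != expected:
            changes.append(f"header {name}: {expected!r} -> {headers.get(name)!r}")
    return changes


# --- Constructed sample data (hypothetical merchant, vendor and processor hosts) ---
TAG_V1 = b"/* tag.js 1.0 */ window.dataLayer = window.dataLayer || [];"
TAG_V2 = b"/* tag.js 1.1 */ window.dataLayer = window.dataLayer || []; /* vendor-side update */"
SUPPORT = b"/* support.js */ console.log('chat ready');"
TAG_URL = "https://cdn.example-vendor.com/tag.js"
SUPPORT_URL = "https://widgets.example-chat.com/support.js"

# The 6.4.3 inventory: URL -> hash approved at review time (day 0).
AUTHORIZED = {TAG_URL: sri_hash(TAG_V1), SUPPORT_URL: sri_hash(SUPPORT)}

# Checkout page that embeds the processor's iframe; tag.js carries an SRI
# attribute, the support widget does not.
PAGE = f"""<html><head>
<script src="{TAG_URL}" integrity="{AUTHORIZED[TAG_URL]}" crossorigin="anonymous"></script>
<script src="{SUPPORT_URL}"></script>
</head><body>
<iframe src="https://pay.example-processor.com/form"></iframe>
</body></html>"""

CSP = "script-src 'self' https://cdn.example-vendor.com https://widgets.example-chat.com"
BASELINE = {"body_sha256": hashlib.sha256(PAGE.encode()).hexdigest(),
            "headers": {"content-security-policy": CSP}}

BODIES_DAY0 = {TAG_URL: TAG_V1, SUPPORT_URL: SUPPORT}
BODIES_DAY14 = {TAG_URL: TAG_V2, SUPPORT_URL: SUPPORT}   # vendor silently shipped 1.1


def run_demo():
    """Day 0 matches the inventory. Two weeks later the vendor replaced tag.js at
    the same URL and the CSP header was dropped: the page body is unchanged, so
    page-content monitoring alone is silent, but the script hash check and the
    header check both fire."""
    day0 = check_scripts(PAGE, BODIES_DAY0.__getitem__, AUTHORIZED)
    day14 = check_scripts(PAGE, BODIES_DAY14.__getitem__, AUTHORIZED)
    page_changes = check_page(PAGE, {}, BASELINE)
    return day0, day14, page_changes


if __name__ == "__main__":
    for label, r in zip(("day 0 scripts", "day 14 scripts", "day 14 page"), run_demo()):
        print(label, r)
```

Two points worth noting from the run. A browser honouring the `integrity` attribute would refuse to execute the swapped tag.js, which is why SRI is the strongest integrity method available for 6.4.3; but it only works for vendors that ship stable content, and the support widget without an attribute would run whatever the vendor serves. And because the parent page embeds the processor iframe, both scripts are in scope even though no card field exists in the merchant's own DOM.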
The operational impact centers on evidence generation. The QSA Integrity360 Europe validated that behavioral monitoring of what the scripts actually do in the browser, rather than a static hash list maintained by hand, produces audit-ready trails without changes to the merchant's code. Merchants that rely on tag managers, chat or support widgets and other frequently updated third-party code face recurring compliance overhead, because every vendor update has to be reviewed and re-authorized (and re-hashed where SRI is used) before the inventory is current again.
The next phase will see QSAs reject SAQ A self-attestations that lack script monitoring logs. Procurement records from major processors already reference these controls in updated merchant agreements.
Reflectiz forecast: 35 percent of SAQ A merchants will receive QSA findings on 6.4.3 within 12 months of their first audit cycle.
Sources (3)
- [1] PCI Security Standards Council, FAQ 1588 (https://www.pcisecuritystandards.org)
- [2] Sansec, Web Skimming Report 2024 (https://sansec.io)
- [3] Integrity360 Europe, Reflectiz QSA Assessment (https://integrity360.com)