PCI DSS: Special Guidance for E-commerce

Requirements 6.4.3 and 11.6.1 of the PCI Data Security Standard (PCI DSS) v4.x were published as future-dated best practices and are mandatory as of March 31, 2025. These requirements affect many merchants that accept online payments and are intended to strengthen the security of the e-commerce ecosystem.

In this article, SQC Certification shares key guidance to help e-commerce businesses understand and comply with the new PCI DSS requirements.



Why Does PCI DSS Provide “Special Guidance” for E-commerce?

The rapid growth of e-commerce has led websites to rely increasingly on JavaScript, iframes, and third-party code for payment processing, analytics, advertising, and user behavior tracking.

However, these components also introduce significant risk. Any script that runs on the checkout page can read what the customer types, so an attacker who injects or modifies code there (web skimming, also called client-side injection or formjacking) can copy payment card data to a server they control, often by compromising a third-party script rather than the merchant's own servers.

Previously, many PCI DSS security controls focused mainly on server-side security and data transmission protection, which was not always sufficient to address risks occurring in the client-side browser environment.

For this reason, starting with PCI DSS version 4.0, the PCI SSC introduced additional requirements designed specifically to improve the security of web applications and e-commerce environments.

To support businesses in understanding and implementing these updates, the PCI SSC established the E-commerce Guidance Task Force. This dedicated working group develops detailed guidance for protecting online payment environments, particularly focusing on Requirements 6.4.3 and 11.6.1.




    The guidance document was released in March 2025.

    Under the PCI DSS v4.0 transition timeline, Requirements 6.4.3 and 11.6.1 are mandatory as of March 31, 2025, directly affecting businesses that process online payments.

    Initially, these requirements applied to every merchant with a payment page, including merchants that validate with SAQ A. In January 2025, the PCI SSC revised SAQ A: Requirements 6.4.3 and 11.6.1 were removed from it, and a new eligibility criterion was added requiring the merchant to confirm that its site is not susceptible to script attacks that could affect its e-commerce systems.

    Which Organizations Are Affected?

    The following organizations are most likely to be impacted by the PCI DSS e-commerce requirements:

    • E-commerce websites accepting card payments, especially when the checkout page is hosted or controlled by the merchant or includes third-party scripts or iframes.
    • Merchants using embedded payment forms, JavaScript, plugins, or iframe-based integrations rather than fully redirecting users to an external payment gateway.
    • Third-Party Service Providers (TPSPs), web development companies, DevOps/DevSecOps teams, application security teams, and compliance specialists responsible for implementing, auditing, or maintaining PCI DSS compliance for e-commerce systems.

    Key PCI DSS v4 Requirements for E-commerce (2025)

    Two requirements are particularly important when discussing PCI DSS and e-commerce security:

    • Requirement 6.4.3 — Payment Page Script Inventory & Integrity
    • Requirement 11.6.1 — Change & Tamper Detection for Payment Pages

    These requirements address one of the most common modern attack techniques: client-side payment page attacks.

    Requirement 6.4.3 — Payment Page Script Inventory & Integrity

    Requirement 6.4.3 requires organizations to manage every script that is loaded and executed in the consumer's browser on a payment page. That covers first-party scripts as well as third-party tags, and the requirement has three elements:

    Script Authorization

    Each script must be explicitly authorized before it is allowed to run on the payment page.

    Script Integrity

    Organizations must implement mechanisms to ensure that scripts have not been modified or tampered with. This helps prevent attackers from altering legitimate scripts to inject malicious code.

    Script Inventory with Clear Purpose

    Companies must maintain a comprehensive inventory of all scripts used on payment pages. This inventory should include:

    • Script source (internal, third-party, or even fourth-party sources)
    • The purpose or business justification for each script
    • Version information or other integrity verification details


    The overall objective is to prevent unauthorized or unknown scripts from running on payment pages—since such scripts are often used in attacks like web-skimming or form-jacking, where malicious code captures cardholder data during checkout.

    Requirement 11.6.1 — Change & Tamper Detection for Payment Pages

    Requirement 11.6.1 focuses on monitoring the integrity of payment pages as they are received by the consumer's browser, which is where a skimmer runs and where a server-side file integrity monitor has no view.

    The mechanism must cover:

    • The security-impacting HTTP response headers (for example Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options)
    • The contents of the scripts that run on the page, whether first-party, third-party, or inline
    • Other page elements involved in payment processing, such as the HTML that embeds the payment form or iframe

    Organizations must deploy a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of these components, including additions, deletions, and changes. The mechanism must run at least once every seven days, or at the frequency defined in the organization's targeted risk analysis.

    Main objectives of this requirement include:

    • Detecting unauthorized modifications such as newly injected scripts or malware like Magecart web-skimming attacks.
    • Identifying attempts to remove security protections, such as critical scripts or HTTP security headers.
    • Providing evidence that the payment page the customer receives is the one the organization authorized, not only the version stored on the server.

    Together, Requirements 6.4.3 and 11.6.1 address e-skimming and Magecart-style attacks, where attackers inject malicious JavaScript into checkout pages to capture card data as users enter it: 6.4.3 limits which scripts may run, and 11.6.1 detects when the delivered page deviates from what was authorized.



    Supporting Guidance and Documentation (2025)

    In March 2025, the PCI SSC officially released a supplemental document titled:

    “Payment Page Security and Preventing E-Skimming – Guidance for PCI DSS Requirements 6.4.3 and 11.6.1.”

    This document was developed by the E-Commerce Guidance Task Force and provides detailed explanations on how organizations should implement these requirements.

    During the same year, the PCI SSC also released additional FAQs and implementation guidance to help organizations determine:

    • The scope of PCI DSS for e-commerce systems
    • How requirements apply to iframes, third-party scripts, and payment gateways
    • Responsibility boundaries between merchants and Third-Party Service Providers (TPSPs)

    The guidance emphasizes an important principle:

    If a merchant fully outsources payment processing to a PCI DSS compliant TPSP that hosts the entire payment page (a full redirect) and handles the whole payment data flow, Requirements 6.4.3 and 11.6.1 for that hosted page are the TPSP's responsibility, and the merchant may not need to implement them itself.

    However, if any part of the payment page is served from the merchant's own domain, including a page that embeds the TPSP's payment form in an iframe or loads the TPSP's JavaScript into the merchant's own form, that page is a payment page under PCI DSS and these requirements apply to it (unless the merchant qualifies for the SAQ A relief described above).



      Practical Recommendations for Effective Compliance

      Organizations can take several practical steps to comply with the new PCI DSS requirements.

      Maintain a Script Inventory

      Every script running on a payment page should be documented with:

      • Source and provider
      • Business purpose
      • Version information
      • Hash or checksum values for integrity verification

      Implement Script Security Controls

      Technologies such as:

      • Content Security Policy (CSP)
      • Subresource Integrity (SRI)

      enforce script controls in the browser itself. A CSP script-src directive tells the browser which origins it may load scripts from and, through hash or nonce sources, which inline scripts it may run; a policy that allows 'unsafe-inline' or a bare https: scheme offers little protection against skimmers. SRI makes the browser refuse to execute an external script whose content does not match the integrity hash in the script tag. SRI only works for scripts whose content is fixed, so third-party tags that change without notice need a different control, such as the inventory check and the monitoring described in this article.

      Continuous Monitoring and Change Detection

      Organizations should deploy tools or services that regularly (at least once every seven days, or at the frequency set by the targeted risk analysis) capture the payment page as a consumer browser would receive it and verify:

      • HTTP headers
      • DOM structure
      • Script content

      Any unexpected changes should trigger immediate alerts and investigation.
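A change- and tamper-detection comparison of the kind Requirement 11.6.1 and the monitoring step above call for, as an added example that is not code from the page or from any vendor tool. It diffs two snapshots of a payment page as the consumer's browser receives it: the security-impacting response headers and the hash of each script. How the snapshots are captured (a synthetic browser client, a monitoring agent) is outside the example; both snapshots, their hostnames and their hash values are constructed.

```python
"""Change- and tamper-detection for a payment page (PCI DSS 11.6.1): compare a
known-good snapshot with the page as currently received by the consumer browser.
Added example; both snapshots are constructed."""
from __future__ import annotations

from datetime import datetime, timedelta

# Headers whose removal or weakening affects the security of the payment page.
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

# Snapshot taken when the page was last reviewed and approved (constructed).
BASELINE = {
    "captured_at": "2025-03-01T10:00:00+00:00",
    "headers": {
        "Content-Security-Policy": "script-src 'self' https://js.example-psp.com",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "scripts": {
        "https://js.example-psp.com/v3/checkout.js": "sha384-AAAA",
        "inline#1": "sha384-BBBB",
        "https://shop.example/static/antifraud.js": "sha384-EEEE",
    },
}

# Snapshot captured by the monitoring job today (constructed): the CSP was
# loosened, X-Frame-Options disappeared, the PSP script changed, the anti-fraud
# script is gone and a new third-party tag appeared.
CURRENT = {
    "captured_at": "2025-03-12T10:00:00+00:00",
    "headers": {
        "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https:",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    },
    "scripts": {
        "https://js.example-psp.com/v3/checkout.js": "sha384-CCCC",
        "inline#1": "sha384-BBBB",
        "https://cdn.analytics-example.net/tag.js": "sha384-DDDD",
    },
}

# Tokens whose appearance in a CSP makes it materially weaker.
CSP_WEAKENERS = ("'unsafe-inline'", "'unsafe-eval'", "https:", "http:", "*", "data:")


def csp_weakened(old: str, new: str) -> bool:
    """True if the new CSP contains a weakening token the old one did not."""
    old_tokens = set(old.replace(";", " ").split())
    new_tokens = set(new.replace(";", " ").split())
    return any(t in new_tokens and t not in old_tokens for t in CSP_WEAKENERS)


def diff_snapshots(baseline: dict, current: dict) -> list[dict]:
    """One alert per unauthorized change: headers removed or changed, scripts
    added, modified or removed."""
    alerts: list[dict] = []
    old_h = {k.lower(): v for k, v in baseline["headers"].items()}
    new_h = {k.lower(): v for k, v in current["headers"].items()}
    for name in SECURITY_HEADERS:
        if name in old_h and name not in new_h:
            alerts.append({"type": "header_removed", "item": name, "severity": "high"})
        elif name in old_h and old_h[name] != new_h[name]:
            weaker = name == "content-security-policy" and csp_weakened(old_h[name], new_h[name])
            alerts.append({"type": "header_changed", "item": name,
                           "severity": "high" if weaker else "medium",
                           "old": old_h[name], "new": new_h[name]})
    for src, digest in current["scripts"].items():
        if src not in baseline["scripts"]:
            alerts.append({"type": "script_added", "item": src, "severity": "high"})
        elif baseline["scripts"][src] != digest:
            alerts.append({"type": "script_modified", "item": src, "severity": "high"})
    for src in baseline["scripts"]:
        if src not in current["scripts"]:
            alerts.append({"type": "script_removed", "item": src, "severity": "medium"})
    return alerts


def evaluation_overdue(last_run_iso: str, now_iso: str, max_days: int = 7) -> bool:
    """11.6.1 requires the mechanism to run at least once every seven days unless
    a targeted risk analysis justifies a different frequency."""
    gap = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_run_iso)
    return gap > timedelta(days=max_days)


if __name__ == "__main__":
    for a in diff_snapshots(BASELINE, CURRENT):
        print(f"[{a['severity']}] {a['type']}: {a['item']}")
    if evaluation_overdue(BASELINE["captured_at"], CURRENT["captured_at"]):
        print("more than 7 days since the last evaluation; the schedule itself is a finding")
```

Run as-is it produces five alerts, with the loosened CSP and the missing X-Frame-Options flagged first. Alerts of type script_added and script_modified are the ones to treat as potential skimming incidents; a script_removed alert on an anti-fraud or monitoring script deserves the same urgency, since disabling defenses is a common first step. The date check is there because an assessor will ask for the evaluation schedule as well as the alerts.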

      Clearly Define Responsibilities with Third-Party Providers

      If external services such as payment gateways, hosted checkout providers, or TPSPs are used, organizations must clearly determine which party is responsible for PCI DSS compliance.

      Using PCI SSC guidance helps avoid misunderstandings about compliance scope and responsibility.

      Conclusion

      As web-based attacks become increasingly sophisticated, the special PCI DSS guidance for e-commerce environments plays a critical role in protecting online payment transactions.

      New requirements such as script management, payment page integrity monitoring, and change detection enable organizations to proactively defend against client-side attacks.

      When implemented effectively, these controls not only reduce the risk of payment card data theft but also strengthen customer trust and reinforce the security of the entire online payment experience.