PCI DSS 6.4.3: Managing Payment Page Scripts
Payment page scripts pose a direct risk to cardholder data security. PCI DSS 6.4.3 requires you to maintain strict control over every script loaded in customer browsers to prevent unauthorized code injection and data theft. This control is critical for preventing Man-in-the-Middle attacks and malicious script injection on your checkout pages.
What this means
This control requires organizations to implement a method for authorizing and managing all scripts that load on payment pages visible to consumers. Every script—whether first-party or third-party—must be explicitly approved and monitored to ensure only legitimate code executes in the customer's browser. The goal is to prevent malicious scripts from capturing payment data or redirecting customers to fraudulent sites.
How to comply
- 1.Create and maintain a complete inventory of all scripts loaded on payment pages, including origin, purpose, and owner.
- 2.Establish an authorization process that requires documented approval before any script is deployed to production.
- 3.Implement Content Security Policy (CSP) headers to restrict script execution to approved sources only.
- 4.Use script integrity checks (Subresource Integrity) to verify third-party scripts haven't been tampered with.
- 5.Regularly audit loaded scripts to detect unauthorized or outdated code.
- 6.Monitor browser network requests in real-time to catch unexpected script loads.
- 7.Document the business justification and security review for every approved script.
Evidence auditors look for
- Documented script inventory with approval dates and business justification
- Content Security Policy configuration file restricting script-src to approved domains
- Change control records showing approval workflows for script additions
- Subresource Integrity hashes for third-party JavaScript libraries
- Monthly audit reports comparing loaded scripts against approved inventory
- Real User Monitoring (RUM) logs showing script execution patterns
- Third-party script vendor security assessments and contracts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates script inventory discovery and authorization workflow, comparing loaded scripts against your approved whitelist in real-time and flagging unauthorized additions before they reach production.
See how GRCWatch handles this control automatically
Start free trial