PCI DSS v4.0 Requirements 6.4.3 and 11.6.1

March 2025

The Payment Card Industry Data Security Standard (PCI DSS) is a global framework designed to protect cardholder data and ensure secure payment processing environments.

PCI DSS version 4.0 Requirements 6.4.3 and 11.6.1

Effective April 1, 2025, PCI DSS version 4.0 introduces new requirements to enhance client-side web security for ecommerce merchants:

  • Requirement 6.4.3: Client Script Management—All scripts must be authorized, justified, and protected from tampering. Regular scans of scripts are required.
  • Requirement 11.6.1: Change and Tamper Detection—Regular evaluation of HTTP headers and payment pages for unauthorized script changes, with immediate alerts to authorized personnel.

Compliance deadline—April 1, 2025

Benefits of compliance

PCI DSS v4.0 Requirements 6.4.3 and 11.6.1 are important to:

  • Combat web skimming—Reduces the risk of malicious actors injecting code to steal sensitive payment card data.
  • Enhance security—Improves overall website security through proactive monitoring and control over scripts.

Compliance measures from Clover

Clover is responsible for PCI compliance and script management on Clover hosted checkout and Online Ordering (OLO). This includes real-time detection of unauthorized scripts, tracking script changes and behavior, and generating compliance reports. Clover ensures the security of the payment platform, protecting merchants and their customers from potential threats.

Merchants are responsible for maintaining compliance with PCI DSS v4.0 Requirements 6.4.3 and 11.6.1 if they own their domains or ecommerce websites and use Clover Ecommerce APIs, iframe, or payment plugins to process payments.