PCI DSS version 4.0 Requirements 6.4.3 and 11.6.1
Learn about client-side web security for Clover Ecommerce merchants, focusing on PCI v4.0 requirements for HTTP headers and payment page scripts.
Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a global framework designed to protect cardholder data and ensure secure payment processing environments.
PCI DSS version 4.0 includes Requirements 6.4.3 and 11.6.1 to enhance client-side web security for ecommerce merchants taking online payments. These requirements cover HTTP headers and payment page scripts:
- Requirement 6.4.3: Client Script Management—Mandates that every script on a payment page is authorized with a written justification, is protected from tampering, and is recorded in a script inventory that is verified by regular scans.
- Requirement 11.6.1: Change and Tamper Detection—Requires regular evaluation of HTTP headers and payment pages for unauthorized script changes, with immediate alerts to authorized personnel.
Compliance deadline
Requirements 6.4.3 and 11.6.1, referred to on this page as PCI DSS v4.0 (6.4.3 and 11.6.1), are mandatory from April 1, 2025. Non-compliance with these standards can lead to higher processing costs, loss of merchant trust, limited processing capabilities, and potential termination of merchant contracts.
Clover is compliant with applicable PCI DSS requirements, including those related to card-not-present (CNP) transactions for ecommerce merchants. This compliance is validated by a Qualified Security Assessor (QSA).
PCI DSS v4.0 Requirements
Requirement 6.4.3: Client Script Management
Client Script Management covers all ecommerce payment page scripts loaded or executed in the client browser:
- Script authorization—Confirm that each script is authorized; only authorized scripts may execute on the payment page.
- Script integrity—Ensure that scripts are not tampered with and that their content does not change. Any change to a script must be recorded and justified.
- Script inventory and justification—Maintain an inventory of all scripts, each with a written justification for why it is needed.
Requirement 11.6.1: Change and Tamper Detection
Change and Tamper Detection requires a mechanism to detect unauthorized modifications to payment pages:
- Change detection—Regularly evaluate HTTP headers and payment pages for unauthorized script changes.
- Track and alert mechanism—Alert authorized personnel immediately when any unauthorized modification is detected.
- Monitoring—Monitor changes such as deletions from or additions to HTTP headers, and block malicious scripts where possible.
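The following is an added example of how a merchant-side scan for Requirements 6.4.3 and 11.6.1 can be implemented; it is not Clover's code. It compares the scripts found on a fetched payment page with an authorized inventory (each entry carrying its written justification) and compares the response's HTTP headers with a recorded baseline, producing findings that should trigger an alert. The inventory, header baseline, script URLs and sample page are constructed for illustration.

```python
import hashlib
import re

# Constructed authorized inventory: script identifier -> written justification.
# External scripts are identified by src, inline scripts by the SHA-256 of their
# body, so any edit to an inline script turns it into an unlisted script.
SCRIPT_INVENTORY = {
    "https://checkout.example/sdk.js": "card-entry SDK (constructed entry)",
    "inline:" + hashlib.sha256(b"initCheckout();").hexdigest(): "checkout bootstrap (constructed entry)",
}
# Constructed baseline of response headers that must not drift between scans.
HEADER_BASELINE = {
    "content-security-policy": "script-src 'self' https://checkout.example",
    "x-frame-options": "DENY",
}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def page_scripts(html):
    """Identify every <script> on the page (src URL, or hash of the inline body)."""
    ids = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        ids.append(src.group(1) if src else
                   "inline:" + hashlib.sha256(body.strip().encode()).hexdigest())
    return ids


def evaluate(html, headers, inventory=SCRIPT_INVENTORY, baseline=HEADER_BASELINE):
    """Compare a fetched payment page and its headers with the authorized state."""
    scripts = page_scripts(html)
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = {
        # Scripts present but not in the inventory (6.4.3) and inventory
        # entries that disappeared; header drift against the baseline (11.6.1).
        "unauthorized_scripts": [s for s in scripts if s not in inventory],
        "missing_scripts": [s for s in inventory if s not in scripts],
        "header_changes": [(n, v, hdrs.get(n)) for n, v in baseline.items()
                           if hdrs.get(n) != v],
    }
    findings["alert"] = any(findings.values())  # any finding -> alert personnel
    return findings


# Constructed sample scan: one unlisted third-party script and a loosened CSP.
SAMPLE_HTML = ('<script src="https://checkout.example/sdk.js"></script>'
               '<script>initCheckout();</script>'
               '<script src="https://third-party.example/unlisted.js"></script>')
SAMPLE_HEADERS = {"Content-Security-Policy": "script-src *", "X-Frame-Options": "DENY"}
```

Running `evaluate(SAMPLE_HTML, SAMPLE_HEADERS)` on the constructed sample reports the unlisted script and the changed Content-Security-Policy header, which is the condition under which 11.6.1 expects personnel to be alerted.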
Compliance measures for Clover Ecommerce merchants
From April 1, 2025, PCI DSS v4.0 (6.4.3 and 11.6.1) mandates stringent script management on all payment pages, regardless of whether they are hosted by Clover or the merchant. These measures are important to protect against the injection of malicious scripts and card skimming attempts targeting online shopping carts and payment pages.
Merchant scenarios
Clover ensures compliance for its hosted checkout and online ordering platforms, while merchants using their own domains or payment plugins are responsible for their own compliance. The two merchant scenarios are:
- Clover Hosted Checkout or Online Ordering—Clover is responsible for PCI compliance and script management on Clover Hosted Checkout (HCO) and Online Ordering (OLO). This includes real-time detection of unauthorized scripts, tracking script changes and behavior, and generating compliance reports. Clover ensures the security of the payment platform, protecting merchants and their customers from potential threats.
- Merchant-hosted ecommerce websites integrating with Clover APIs or iframe—Merchants can integrate with Clover through Ecommerce APIs to process payments or with Clover iFrame to accept payments on their websites. Merchants using their own domains or payment plugins are responsible for their own PCI compliance.
Recommendation for developers
As a developer for merchant-hosted websites integrating with Clover Ecommerce APIs or iframe, you are responsible for maintaining PCI DSS v4.0 (6.4.3 and 11.6.1) compliance on your merchants' websites. Each domain must be individually assessed for PCI compliance. Failure to meet PCI DSS requirements can result in fines and higher interchange rates.
Contact us
Get ready for PCI DSS v4.0 (6.4.3 and 11.6.1) compliance on your merchant's domains with expert guidance from Clover. Send us an email at: [email protected] to initiate the process and receive information on the necessary steps.