Other Services

Payment Page Protection

PCI DSS version 4.0 has introduced two key new requirements to add further protection to online payment pages. These requirements are contained within the shortest questionnaire SAQ-A so apply to all ecommerce payment pages where an embedded form such as iFrame is used.

These requirements apply to both merchants and service providers, therefore a merchant cannot outsource this responsibility to their payment gateway as both entities have obligations. These requirements state:

A person typing on a laptop with a red triangle on the keyboard.

PCI Requirement 6.4.3

All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:

  • A method is implemented to confirm that each script is authorised.
  • A method is implemented to assure the integrityof each script.
  • An inventory of all scripts is maintained withwritten justification as to why each is necessary.

PCI Requirement 11.6.1

A change-and-tamper detection mechanism is deployed as follows:

  • To alert personnel to unauthorised modification to the HTTP headers and the contents of payment pages as received by the consumer browser.
  • The mechanism is configured to evaluate the received HTTP header and payment page.
  • The mechanism functions are performed at leastevery seven days or periodically as defined in a targeted risk analysis.

How to meet these requirements

Whilst you can use mechanisms such as Sub-resource integrity(SRI) and Content Security Policy (CSP), use of these tools can be challenging and manual regular auditing and management is required plus a high level of expertise.

Using a vendor solution that is specifically tailored to meeting these requirements with minimal disruption to your business is our recommendation.

a blue checklist with a globe in the background

We researched offerings for months and ultimately decided to partner with industry leader Source Defense to offer a solution that meets the requirements in an efficient manner that requires minimal ongoing management. Two solutions are offered:


Scanning, detection and alerting which is an external implementation and provides visibility into client-side security incidents by extending security to the browser.


An automated protection mechanism deployed as two lines of code on your website. This is more a ‘set and forget’ option and provides out of the box security and compliance.

Register Now

To obtain more information including a list of FAQs please register using the form. Or you can get in touch and we can discuss directly.

Thank you for registering your interest.
Oops! Something went wrong while submitting the form.