PCI DSS v4.0: Reflectiz Verified for Critical Web Skimming Defenses
The future-dated requirements of **PCI DSS v4.0.1** became mandatory on 31 March 2025, tightening controls on client-side scripts to counter web skimming and supply-chain attacks. An independent assessment by **Integrity360 Europe**, a **PCI Qualified Security Assessor (QSA)**, has verified that **Reflectiz's PCI DSS Platform** effectively supports compliance with these new mandates, particularly for protecting payment pages.
When customers enter their payment details, their browsers execute numerous third-party scripts, ranging from analytics tags to payment iframes. Each of these scripts represents a potential vector for web skimming attacks, often referred to as **Magecart**.
**Sansec** has documented over 100,000 websites impacted by web skimming and supply-chain attacks. A notable example is the **2018 British Airways** breach, which compromised roughly 380,000 transactions and drew a proposed fine of £183 million from the UK ICO (the final penalty, issued in 2020, was £20 million).

The insidious nature of these attacks lies in their ability to leverage already approved third-party scripts. Attackers compromise a vendor and inject malicious code into a script that has been running on a website for months. The script's URL and its place on the page remain unchanged; only its content and behavior shift, so that it now exfiltrates sensitive data.
## PCI DSS v4.0 Closes the Gap
**PCI DSS v4.0.1** directly addresses this gap with two key requirements, now fully in effect:
* **6.4.3**: All scripts loaded and executed in the consumer's browser on payment pages must be managed: each script is authorized, its integrity is assured, and an inventory with a written business or technical justification is maintained.
* **11.6.1**: A change- and tamper-detection mechanism must alert personnel to unauthorized modification (including indicators of compromise, changes, additions and deletions) of security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser, evaluated at least once every seven days or at a frequency set by the entity's targeted risk analysis.
Manually managing and monitoring hundreds of constantly changing scripts is impractical. **Reflectiz** data indicates that approximately 30% of payment-page scripts undergo changes within any two-week period.
## What the QSA Found
**Integrity360 Europe**, a **PCI Qualified Security Assessor (QSA)** and member of the **PCI SSC Global Executive Assessor Roundtable**, conducted a review of the **Reflectiz PCI DSS Platform**. The assessment concluded that the platform effectively supports compliance with both **PCI DSS v4.0.1** requirements. Key findings included:
* **Behavioral Monitoring**: The platform monitors what scripts do at runtime, not just their file hashes, so that actions such as reading card fields are detected even when the script's URL and inclusion on the page have not changed.
* **Agentless Deployment**: **Reflectiz** deploys without requiring code changes or snippets, allowing for rapid implementation and continued functionality through website refactors and **CMS** migrations.
* **QSA-Ready Evidence**: The platform provides a complete audit trail per page, generating assessment-ready evidence with a single click.
## The SAQ A Catch
Since the January 2025 revision of **SAQ A** for v4.0.1, requirements **6.4.3** and **11.6.1** no longer appear in the questionnaire itself, but eligibility now depends on the merchant confirming that its site is not susceptible to script attacks that could affect the e-commerce system. A full redirect to a payment processor may satisfy that condition, but a merchant embedding a payment iframe must show that scripts on the parent page cannot hijack the checkout before data reaches the secure frame. **PCI SSC FAQ #1588** reinforces that the same controls are needed in such scenarios.
## Get the Full Assessment
The comprehensive white paper from **Integrity360 Europe** details both requirements line by line, the monitoring workflow, and the specific demands placed on iframe merchants under the updated **SAQ A** guidelines.
[Download the white paper →](https://www.reflectiz.com/learning-hub/pci-dss-solution-assessment-integrity360/)