How to Comply with PCI DSS 4.0 Requirements 6.4.3 and 11.6.1 | Imperva

The countdown to compliance is in its final stretch. With the future-dated PCI DSS 4.0 requirements, the last phase of the transition, taking effect on March 31, 2025, organizations are under increasing pressure to ensure their client-side security controls satisfy them. 

At Imperva, we’re committed to helping our customers navigate these challenges confidently and efficiently. As a recognized industry leader and an application security pioneer, Imperva was among the first to identify the potential risks associated with the client side. Foreseeing the inevitable addition of new requirements in PCI DSS, we launched Client-Side Protection almost five years ago to protect our customers against client-side threats such as Magecart. 

Since the introduction of the new client-side security requirements, we have worked closely with PCI DSS compliance experts to ensure that Client-Side Protection addresses them. As the compliance deadline approaches, it can feel overwhelming. In this blog, I want to share a last-minute guide to meeting the new requirements with Imperva. 

What Are Requirements 6.4.3 and 11.6.1? 

  • PCI DSS 6.4.3: All scripts that are loaded and executed in the consumer's browser on payment pages must be managed: a method confirms that each script is authorized, a method assures the integrity of each script, and an inventory of all scripts is maintained with a written business or technical justification for why each is necessary. 
  • PCI DSS 11.6.1: A change- and tamper-detection mechanism must alert personnel to unauthorized modifications (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser. The mechanism must evaluate the received headers and pages at least once every seven days, or at the frequency defined in the entity's targeted risk analysis. 

An in-depth guide to the changes introduced in PCI DSS 4.0 can be found here 

How Imperva Client-Side Protection Addresses PCI DSS 6.4.3 

Inventory Management: 

  • Automatically creates and maintains a dynamic inventory of all client-side scripts on payment pages. 
  • Detects new scripts and changes to existing scripts in real time, providing complete visibility into any code modifications.

Integrity Monitoring: 

  • Continuously monitors script versions and checks for integrity changes. 
  • Employs hashing and other mechanisms to detect even minor alterations that could signal tampering or unauthorized script changes. 
  • Leverages AI to scan script code and answer critical questions, such as whether the script sends data outside the application or engages in behavior that may indicate potential data exfiltration.

Script Authorization and Justification: 

  • Provides tools for security teams to authorize scripts, allowing clear justification and documentation for audit purposes. 
  • Enables blocking unauthorized scripts or scripts showing suspicious behavior and/or changes. 
  • Available through both the UI and APIs, ensuring flexibility for manual reviews or automated processes as part of your broader security workflow. 

Real-Time Alerts: 

  • Generates alerts whenever new or modified scripts are detected, allowing security teams to review and approve changes promptly. 

How Imperva Client-Side Protection Addresses PCI DSS 11.6.1 

Automated Monitoring and Anomaly Detection: 

  • Uses browser-enforced Content-Security-Policy (CSP) headers so that the browser itself reports every resource the payment page loads, including scripts, images, and stylesheets. 
  • Tracks any real-time modifications to security-impacting HTTP headers or DOM elements, identifying potential injection attacks or malicious changes. 
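The two detection paths listed above map directly onto 11.6.1: diffing the security-impacting response headers of a payment page against an approved baseline, and acting on the CSP violation reports the browser sends when something outside the policy is loaded. The Node.js block below is an added example, not Imperva's code; the baseline, the "received" headers and the violation report are constructed, and the hostnames and paths are made up. It also flags the specific case of a CSP that was changed to admit new script sources, which is a weakening rather than a neutral change.

```javascript
// Added example (not Imperva's code): header tamper detection and CSP
// report triage for PCI DSS 11.6.1, on constructed data.

// Headers whose silent change can weaken client-side protection.
const SECURITY_HEADERS = [
  'content-security-policy', 'content-security-policy-report-only',
  'strict-transport-security', 'x-frame-options', 'x-content-type-options',
  'referrer-policy', 'permissions-policy',
];

// Approved baseline for the payment path (constructed). The CSP enumerates
// the authorized script sources and sends violations to a report endpoint.
const BASELINE_HEADERS = {
  'content-security-policy':
    "default-src 'self'; script-src 'self' https://cdn.example.test; " +
    "connect-src 'self' https://api.example.test; " +
    'report-uri https://csp.example.test/report',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
};

// Constructed "as received" headers: CSP widened to a new origin plus
// 'unsafe-inline', X-Frame-Options gone, and cosmetic case/space changes.
const RECEIVED_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self' https://cdn.example.test " +
    "https://evil.example.test 'unsafe-inline'; " +
    "connect-src 'self' https://api.example.test; " +
    'report-uri https://csp.example.test/report',
  'Strict-Transport-Security': 'max-age=31536000;  includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
};

// Normalize so case and whitespace differences do not produce false alerts.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).replace(/\s+/g, ' ').trim();
  }
  return out;
}

// Parse the script-src allow-list out of a CSP string.
function scriptSrcAllowList(csp) {
  const d = csp.split(';').map(s => s.trim()).find(s => s.startsWith('script-src '));
  return d ? d.split(/\s+/).slice(1) : [];
}

// One finding per security-impacting header that was added, removed or
// changed; a CSP change also lists any script sources that were admitted.
function diffSecurityHeaders(baseline, received) {
  const b = normalizeHeaders(baseline);
  const r = normalizeHeaders(received);
  const findings = [];
  for (const header of SECURITY_HEADERS) {
    if (header in b && !(header in r)) {
      findings.push({ header, change: 'REMOVED', was: b[header] });
    } else if (!(header in b) && header in r) {
      findings.push({ header, change: 'ADDED', now: r[header] });
    } else if (header in b && b[header] !== r[header]) {
      const f = { header, change: 'CHANGED', was: b[header], now: r[header] };
      if (header.startsWith('content-security-policy')) {
        const before = scriptSrcAllowList(b[header]);
        f.addedScriptSources = scriptSrcAllowList(r[header]).filter(s => !before.includes(s));
      }
      findings.push(f);
    }
  }
  return findings;
}

// Constructed CSP violation report in the report-uri JSON format a browser
// POSTs when the policy blocks a resource.
const SAMPLE_REPORT = {
  'csp-report': {
    'document-uri': 'https://pay.example.test/checkout/payment',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://evil.example.test/skim.js',
    'original-policy': BASELINE_HEADERS['content-security-policy'],
    'disposition': 'enforce',
  },
};

// A script-src violation on a payment page is the event 11.6.1 wants an
// alert on; violations elsewhere, or for images/styles, are lower priority.
function triageCspReport(report, paymentPaths) {
  const r = report['csp-report'] || report;
  const page = new URL(r['document-uri']);
  const onPaymentPage = paymentPaths.some(p => page.pathname.startsWith(p));
  const directive = r['effective-directive'] || r['violated-directive'] || '';
  let blockedOrigin = r['blocked-uri'] || '';
  try { blockedOrigin = new URL(blockedOrigin).origin; } catch { /* 'inline', 'eval' stay as-is */ }
  const severity = onPaymentPage && directive.startsWith('script-src') ? 'HIGH' : 'LOW';
  return { severity, page: page.pathname, blockedOrigin, directive };
}
```

A full implementation runs `diffSecurityHeaders` on every scheduled fetch of each onboarded payment path (the seven-day maximum in 11.6.1 is a ceiling, not a target) and feeds `triageCspReport` from the `report-uri` endpoint so that a `HIGH` result goes to the SIEM; the same checks can be run against a `Content-Security-Policy-Report-Only` header first, to build the allow-list without blocking legitimate loads.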

Continuous Checks Beyond the Seven-Day Minimum: 

  • Goes beyond the PCI requirement that the tamper-detection mechanism run at least once every seven days by performing multiple checks per day and providing continuous monitoring and alerting. 
  • Detects changes as they happen, eliminating the gaps created by periodic review schedules. 

Anomaly Alerts: 

  • Real-time anomaly alerts can be triggered and sent to security teams via various channels (email, SIEM, API). 
  • Alerts provide contextual insights into the nature of changes and suggested actions for rapid investigation and resolution. 

Actionable Insights for Rapid Response: 

  • Enables security teams to review changes and take immediate action to block unauthorized modifications. 
  • Facilitates root-cause analysis with detailed logs, showing exactly when, where, and how changes occurred. 

We didn’t just focus on enabling customers to meet these new requirements; we also aimed to ensure they could do so efficiently and effortlessly. Let’s highlight some features that streamline the compliance process. 

Feature Highlight–PCI Compliance Dashboard: Your Personalized Guide to Stress-Free Audits 

Compliance audits can be stressful, but they don’t have to be. The PCI Compliance Dashboard is designed to take the guesswork out of the process by providing a step-by-step guide on what customers need to do before their PCI audit. This dashboard educates customers on the PCI requirements they need to meet and offers actionable steps to ensure they’re fully compliant. 

Both requirements 6.4.3 and 11.6.1 are fully integrated into the dashboard, with tailored, actionable steps for each onboarded payment path. Customers can easily track and check off these steps as they prepare for audits, ensuring a streamlined and organized compliance process. 

The PCI Compliance Dashboard helps you stay organized for audits by: 

  • Providing step-by-step compliance guidance: Detailed action items for each onboarded payment path. 
  • Tracking progress: Easily monitor the completion of compliance tasks. 
  • Exporting audit reports: Consolidates data into a single document for auditor review.

Image 1 Screenshot

Feature Highlight–AI Explain: Your Personal AI Script Analysis Assistant 

Imperva’s latest innovation in script security, powered by artificial intelligence, is a game-changer for organizations aiming to simplify their PCI DSS 4.0 compliance journey. Using the latest generation of AI models, Imperva provides instant, insightful analysis of any third-party or origin script detected on your site. With just a click, security teams can quickly understand a script’s purpose—whether it’s tracking user behavior, sending data externally, or monitoring input fields. 

In addition to script analysis, AI Explain supports script integrity monitoring by using machine learning to detect unusual script behavior or unauthorized changes. By comparing new script versions to baseline behaviors and known safe patterns, it identifies deviations that could indicate tampering or malicious activity. This proactive detection helps prevent unauthorized or rogue scripts from running on payment pages. 

This human-readable analysis assesses script risk and supports adherence to PCI DSS 4.0 requirement 6.4.3 for script inventory, integrity, and authorization. By significantly reducing the time spent on manual script reviews, AI Explain lets security teams focus on strategic initiatives while keeping compliance work on track. 

Image 2 Screenshot

Image 3 Screenshot

Feature Highlight–Path-Specific Onboarding: Focus on What Matters Most 

This feature allows customers to onboard specific paths within their website—such as payment pages or sensitive user account sections—enabling them to focus their security efforts precisely where needed. While customers still have the option to onboard their entire website, this level of granularity provides unparalleled control and efficiency. 

Customers also have the flexibility to specify whether a path must be PCI-compliant. When PCI compliance is required, the related action items are automatically added to the PCI Compliance Dashboard, streamlining audit preparation. This tailored level of control strengthens protection for essential paths and saves time and resources by reducing the need to monitor less critical areas. 

This targeted approach matters most for organizations with complex web environments where certain pages are high-stakes. By zeroing in on these critical paths, customers can ensure that their most important assets are monitored with the highest level of scrutiny. It's all about making security more focused, intelligent, and effective. 

Image 4 Screenshot

Streamline PCI DSS 4.0 Compliance and Safeguard Customer Data with Imperva 

Imperva Client-Side Protection prevents data theft from client-side attacks such as formjacking, Magecart, and other online skimming techniques, which often exploit weaknesses in the website supply chain. It reduces the risk of your customers' most sensitive data landing in the hands of bad actors and of the devastating, costly data breaches that follow. 

By providing clear visibility, actionable insights, and simple controls, Imperva enables your security team to determine the nature of each client-side resource and block any that are unapproved. Imperva Client-Side Protection also helps your organization meet the latest compliance standards, including those in PCI DSS 4.0. With these capabilities, you can safeguard your digital assets against sophisticated supply chain attacks, keeping your customers' data secure and your business operations uninterrupted.