Requirement 6 is to “Develop and Maintain Secure Systems and Software” and it is broken down into the following sub-requirements:
One of the key changes is the new requirement (6.4.3) for the “management of all payment page scripts that are loaded and executed in the consumer’s browser”. This requirement is currently a best practice, but you must be compliant by the 31 March 2025 deadline.
Let's look at the official guidance for this requirement:
6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
“Scripts loaded and executed in the payment page can have their functionality altered without the entity’s knowledge and can also have the functionality to load additional external scripts (for example, advertising and tracking, tag management systems). Such seemingly harmless scripts can be used by potential attackers to upload malicious scripts that can read and exfiltrate cardholder data from the consumer browser. Ensuring that the functionality of all such scripts is understood to be necessary for the operation of the payment page minimizes the number of scripts that could be tampered with.”
This requirement asks that you are aware of the external scripts operating on your payment page. An external script is any third-party resource (usually JavaScript) that is loaded on your webpage. The PCI gives examples such as tag management, tracking and advertising; however, there are many other kinds of third-party scripts that website owners use:
These third parties are risky because they can load further parties onto your webpage. If one of these third parties is malicious or compromised, it can load additional malicious scripts onto your site.
That is the reason for this new requirement. The PCI wants site owners to protect customers’ details from being stolen by malicious scripts (often known as Magecart attacks, where cybercriminals modify payment pages to steal customer data).
Keeping an inventory of all the scripts running on your page makes it easier to spot any unauthorised scripts. Furthermore, recording a justification for each one ensures there is a valid reason for the script to be on the site at all. The new guidance essentially suggests that these scripts should be kept to a minimum (present only when their presence on the payment page can be justified) to reduce the risk of malicious scripts being added.
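As an added example (not RapidSpike's code or tooling, and not part of the original post), the following Python script audits the scripts found in a payment page against a written inventory of the kind 6.4.3 describes: each external script URL is checked against an authorised list that records an owner and a justification, and inline scripts, which have no URL, are matched by the SHA-256 hash of their reviewed content. The page HTML, hostnames, URLs and inventory entries are all constructed for the example, and the script uses only the Python standard library.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed inventory of authorised payment-page scripts. Each entry records
# who owns the script and the written justification for its presence, which is
# what requirement 6.4.3 asks the entity to maintain. All hosts are made up.
AUTHORISED_SCRIPTS = {
    "https://js.example-psp.test/v3/checkout.js": {
        "owner": "Payments team",
        "justification": "Hosted card fields supplied by the payment service provider",
    },
    "https://cdn.example.test/app/checkout-validation.js": {
        "owner": "Web team",
        "justification": "Client-side validation of the checkout form",
    },
}

# Inline scripts cannot be identified by URL, so the inventory records the
# SHA-256 of each reviewed inline block instead (constructed example).
AUTHORISED_INLINE_HASHES = {
    hashlib.sha256(b'window.checkoutConfig = {currency: "GBP"};').hexdigest(),
}

PAGE_URL = "https://shop.example.test/checkout"  # constructed payment page URL

# Constructed HTML of the payment page as served to the browser. It contains
# the two authorised scripts, an advertising tracker nobody has justified, and
# one inline block that has not been reviewed.
SAMPLE_PAYMENT_PAGE = """<!doctype html>
<html><head>
<script src="https://js.example-psp.test/v3/checkout.js?v=20240101"></script>
<script src="//cdn.example.test/app/checkout-validation.js"></script>
<script src="https://tracker.example-ads.test/pixel.js" async></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
<script>console.log("debug build");</script>
</head><body><form id="payment-form"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def normalise(src, page_url=PAGE_URL):
    """Resolve relative and protocol-relative URLs against the page and drop the
    query string and fragment, so cache-busting parameters cannot defeat the match."""
    parts = urlsplit(urljoin(page_url, src))
    return parts._replace(query="", fragment="").geturl()


def audit_payment_page(html, inventory=AUTHORISED_SCRIPTS,
                       inline_hashes=AUTHORISED_INLINE_HASHES, page_url=PAGE_URL):
    """Compare every script in the page with the inventory and return a report of
    authorised scripts (with their justification), external scripts with no
    inventory entry, and inline blocks whose hash has not been reviewed."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    report = {"authorised": {}, "unauthorised_external": [], "unauthorised_inline": []}
    for src in collector.external:
        url = normalise(src, page_url)
        if url in inventory:
            report["authorised"][url] = inventory[url]["justification"]
        else:
            report["unauthorised_external"].append(url)
    for body in collector.inline:
        digest = hashlib.sha256(body.strip().encode("utf-8")).hexdigest()
        if digest in inline_hashes:
            report["authorised"]["inline:" + digest[:16]] = "reviewed inline script"
        else:
            report["unauthorised_inline"].append(body.strip()[:80])
    return report


def is_clean(report):
    """True when every script on the page is accounted for in the inventory."""
    return not report["unauthorised_external"] and not report["unauthorised_inline"]


if __name__ == "__main__":
    result = audit_payment_page(SAMPLE_PAYMENT_PAGE)
    for url, why in result["authorised"].items():
        print(f"OK        {url}  ({why})")
    for url in result["unauthorised_external"]:
        print(f"UNLISTED  {url}")
    for body in result["unauthorised_inline"]:
        print(f"UNLISTED  inline: {body}")
    print("inventory complete" if is_clean(result) else "action required")
```

Run against the constructed page, the audit lists the two inventoried scripts with their justifications and flags the tracker and the debug inline block as unlisted. In practice the HTML would come from a fetch of the live payment page on a schedule, so that a script added by a compromised third party shows up as an unlisted entry rather than going unnoticed.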
Read on to find out how to use RapidSpike to maintain an inventory of authorised scripts on your website.