Requirement 6 is to “Develop and Maintain Secure Systems and Software” and it is broken down into the following sub-requirements:
One of the key changes is the new requirement (6.4.3) for “management of all payment page scripts that are loaded and executed in the consumer’s browser”. This requirement is best practice for now but you should be compliant by the 31 March 2025 deadline.
Lets look at the official guidance for this requirement:
6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
“Scripts loaded and executed in the payment page can have their functionality altered without the entity’s knowledge and can also have the functionality to load additional external scripts (for example, advertising and tracking, tag management systems). Such seemingly harmless scripts can be used by potential attackers to upload malicious scripts that can read and exfiltrate cardholder data from the consumer browser. Ensuring that the functionality of all such scripts is understood to be necessary for the operation of the payment page minimizes the number of scripts that could be tampered with.”
These Third Parties are risky because they can load extra parties onto your webpage. If one of these third parties is malicious or compromised, then this can even load additional malicious scripts onto your site.
That is the reason for this new requirement. The PCI wants site owners to protect customers’ details from being stolen by malicious scripts (often known as magecart attacks – where cybercriminals will modify payment pages to steal customer data).
By keeping an inventory of all the scripts running on your page, this makes it easier to spot any unauthorised scripts on your page. Furthermore, by offering a justification for each one, there must be a valid reason the script is on the site at all. The new guidance essentially suggests that these scripts should be kept at a minimum (only when their presence can be justified on the payment page) to minimise the risk of malicious scripts being added.
Read on to find out how to use RapidSpike to maintain an inventory of authorised scripts on your website.