PCI DSS e-skimming protection — payment page script integrity
Primary statement
PCI DSS v4.0.1 requirement 6.4.3 e-skimming protection: payment page scripts are managed (inventoried), authorised and integrity-checked, with alerts on unauthorised modification, plus 11.6.1 (change- and tamper-detection mechanism for payment pages). CSA AIS-04 DAST + AIS-06 automated secure deployment + SOC 2 CC7.1 detection + CC8.1 change management. E-skimming protection became mandatory in PCI v4.0.1.
Audit-fatigue payoff
A unified payment page script management + integrity monitoring + DAST + automated deployment satisfies e-skimming requirements across all 5 contributing frameworks. PCI 6.4.3 is the regulatory anchor.
Strictness matrix
Scope
Scope: ALL payment page scripts loaded and executed in the consumer's browser. Universal in-browser scope.
Ceiling source: pci_dss:PCI.6.4.3
Rationale: PCI 6.4.3 in-browser scope is the foundational specification.
Threshold
Threshold: scripts MANAGED (inventory), AUTHORISED (approved), INTEGRITY-CHECKED. Three binary conditions.
Ceiling source: pci_dss:PCI.6.4.3
Rationale: PCI 6.4.3 three-condition threshold is uniquely strict.
Method
Method: payment page script inventory + integrity hashes + Content-Security-Policy + Subresource Integrity (SRI) + browser-side integrity monitoring + automated alerts on modification + DAST for application security (CSA AIS-04) + automated secure deployment (CSA AIS-06) + change management (SOC 2 CC8.1).
Ceiling source: pci_dss:PCI.6.4.3
Rationale: PCI 6.4.3 + CSA AIS series combined are the most prescriptive.
Frequency
Script integrity monitoring: continuous. Script inventory review: per release + monthly. DAST: at least quarterly + before major releases (CSA AIS-04).
Ceiling source: pci_dss:PCI.6.4.3
Rationale: Continuous integrity monitoring paired with at-least-quarterly DAST sets the cadence.
Evidence
Evidence: script inventory + integrity hashes + CSP + SRI implementation + monitoring alerts + sample alert response.
Ceiling source: pci_dss:PCI.6.4.3
Rationale: PCI 6.4.3 evidence with inventory + monitoring is comprehensive.
Auditor test pattern
Step 1: Inspect the payment page script inventory. Step 2: Verify CSP + SRI implementation. Step 3: Verify that integrity monitoring is operational. Step 4: Trace one sampled alert to its response. Step 5: Verify that DAST is performed at least quarterly.
Common findings
Common findings: (1) E-skimming protection added as a bolt-on rather than architecturally integrated; (2) Script inventory stale; (3) CSP weak (script-src allows 'unsafe-inline'); (4) Alerts ignored.
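The Method and Common findings above describe what an assessor checks: an authorised script inventory with integrity baselines, SRI on each payment page script, and a CSP that does not allow 'unsafe-inline'. The following is an added example (not taken from PCI DSS, CSA or SOC 2 material) that tests a constructed payment page against those three 6.4.3 conditions and checks the CSP header; the URLs, script body and inventory are constructed sample data.

```python
import base64
import hashlib
import re

# Constructed sample script body and authorised inventory (not real payment page assets).
CHECKOUT_JS = b"window.checkout = {version: 1};"

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

# PCI 6.4.3 'managed'/'authorised' inventory: approved URL -> integrity baseline at approval.
AUTHORISED = {"https://pay.example.com/checkout.js": sri_hash(CHECKOUT_JS)}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
ATTR = re.compile(r'(\w+)="([^"]*)"')

def check_payment_page(html: str, fetched: dict, inventory: dict) -> list:
    """Findings per external script tag; `fetched` maps URL -> bytes the browser would run."""
    findings = []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(tag.group(1)))
        src = attrs.get("src")
        if not src:
            continue  # inline scripts are governed by the CSP check below
        expected = inventory.get(src)
        if expected is None:
            findings.append(f"UNAUTHORISED {src}: not in script inventory")
            continue
        if attrs.get("integrity") != expected:
            findings.append(f"NO_SRI {src}: integrity attribute missing or stale")
        actual = sri_hash(fetched.get(src, b""))
        if actual != expected:
            findings.append(f"MODIFIED {src}: served hash differs from baseline")
    return findings

def check_csp(header: str) -> list:
    """Flag script-src weaknesses such as the 'unsafe-inline' common finding."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["CSP has no script-src (or default-src) directive"]
    weak = ("'unsafe-inline'", "*", "data:", "http:")
    return [f"CSP script-src allows {s}" for s in sources if s in weak]
```

Each non-empty findings list corresponds to an alert that the 6.4.3 / 11.6.1 monitoring mechanism is expected to raise and that the auditor test pattern traces to a response.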