We are thrilled to announce the release of new PCI DSS 4.0 capabilities for HUMAN Client-side Defense. The new functionality makes it even easier for online merchants and payment service providers to protect their payment pages and manage their browser scripts in compliance with requirements 6.4.3 and 11.6.1 of PCI DSS 4.0 (learn more about PCI DSS requirements).
The new requirements become mandatory on March 31, 2025 and apply to all organizations that accept card payments on their websites. It is important to note that online merchants, even if they outsource all storage, processing and transmission of account data to payment service providers, must adhere to the requirements.
What are the new requirements?
Two of the changes in version 4.0 revolve around payment page scripts and HTTP headers.
PCI DSS 4.0 requirement 6.4.3 states that payment page scripts are managed as follows:
- A method is implemented to confirm that each script is authorized
- A method is implemented to assure the integrity of each script
- An inventory of all scripts is maintained with written justification
Requirement 11.6.1 states that:
- A change and tamper-detection mechanism is deployed to alert personnel to unauthorized modification to the HTTP headers and the contents of payment pages as received by the consumer browser
Review the full list of requirements at the PCI SSC website.
Simplify Payment Page Protection with HUMAN in Compliance with PCI DSS 4.0
With a single line of code, HUMAN helps organizations painlessly achieve and maintain compliance with browser script requirements by auto-inventorying scripts, capturing authorization and justification, and monitoring scripts and headers for behavioral integrity and indications of compromise.
A single line of code will auto-discover, maintain, and detect changes to the script inventory, payment pages, and HTTP headers. HUMAN provides a simple and automated method to authorize, justify, and assure the integrity of scripts (Requirement 6.4.3). Beyond compliance, HUMAN’s sensor runs in each consumer’s browser session, ready to surgically block risky script actions based on proactive policies, without interrupting the value provided by vital scripts. Further, policy rules enable merchants to extend a zero-trust approach to payment data and other sensitive information in the browser, building invisible guardrails around developers without limiting their agility.
HUMAN provides complete visibility and control of script behavior in real consumers’ browsers, real-time high-risk alerts, and in-depth script analysis. Security, compliance, and business decisions can be informed by the risk of each script’s actions, such as cardholder data access and risky-domain communication. The sensor alerts on changes and indications of compromise, including to HTTP headers (Requirement 11.6.1).
Dashboards, input fields, and reports all map directly to PCI DSS guidance and language, ensuring quick ramp-up and alignment with PCI assessors. Policy rules enable merchants to automate script authorization at multiple levels of granularity (e.g., per vendor, first-party, script, script action, and more), simplifying management and saving significant amounts of time for security, compliance, and development teams. Audit reports are auto-generated and can be exported with a click to demonstrate continuous compliance with PCI DSS 4.0 to assessors.