Browser Scripts in PCI DSS 4.0: You Can’t Scope Your Way Out of This One


PCI DSS 4.0 is out, and there are some key changes from version 3.2.1. Now, any business that accepts payments online must inventory, authorize, and justify all JavaScript that loads on payment pages (requirement 6.4.3) and deploy a mechanism to detect unauthorized modifications to the HTTP headers as received by the consumer’s browser (requirement 11.6.1).

And no one is exempt. Even merchants who leverage third-party payment service providers via iframe or redirect are in scope.

Join the LinkedIn Live session to learn what merchants and assessors should know about PCI DSS v4.0 6.4.3 and 11.6.1. Our panel of top PCI industry experts will:

  • Dive into the new payment page script and header requirements (6.4.3 & 11.6.1) and how they affect merchants
  • Discuss scoping considerations and why third-party payment service providers will not descope merchants’ websites
  • Share options and best practices for merchants to protect consumers’ cardholder data in the browser in compliance with PCI DSS 4.0


  • Troy Leach, Chief Strategy Officer, Cloud Security Alliance
  • Jeffrey E. Man, Information Security Evangelist / PCI SME / PCI QSA / Cryptanalyst
  • Jeff Zitomer, Senior Director of Product Management, HUMAN Security