
PCI DSS 4.0.1: Stricter Script Monitoring Requirements for Payment Pages


Bottom line: PCI DSS 4.0.1 requires real-time monitoring of all scripts on payment pages to counter web skimming, a task that is hard to do by hand because approximately 30 percent of such scripts change within two weeks.

PCI DSS version 4.0.1 tightens security requirements for online payment services to prevent web skimming attacks. Merchants must now inventory all scripts on payment pages and verify their integrity, pushing manual procedures to their limits.

Web skimming is an attack pattern in which criminals inject malicious code through legitimate third-party scripts — such as analytics tools, tag managers, or support widgets. Security firm Sansec has documented over 100,000 affected websites. A prominent example was the data theft at British Airways in 2018, in which attackers from the Magecart group compromised 380,000 transactions. The risk arises when attackers compromise a third-party provider’s infrastructure and use it to inject malware into merchants’ payment pages.

PCI DSS version 4.0.1 addresses this gap with mandatory control requirements. Requirement 6.4.3 stipulates that every script on a payment page must be inventoried, authorized, and verified for integrity. Requirement 11.6.1 requires detection of tampering with page content and HTTP headers directly in the browser. Notably, since January 2025 these obligations also apply to iframe-based payment pages, because attackers can intercept data on the parent page before it reaches the protected frame.

Manual management of these lists is practically infeasible. According to data from Reflectiz, approximately 30 percent of scripts on payment pages change within two weeks. Independent PCI auditor Integrity360 Europe confirmed in a conformity audit that automated monitoring solutions can meet these new requirements. Of note for compliance teams: such systems work on a behavioral basis rather than relying solely on file hashes, and they continuously document their monitoring for audits.
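As an added illustration of the Requirement 6.4.3 check described above (not code from the article or from any vendor named in it): a Python script that inventories every script on a checkout page, flags scripts missing from the authorized list, and flags those whose content no longer matches the hash approved at the last review. Hostnames, script contents and the page itself are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects (src or None, inline body) for every <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = [dict(attrs).get("src"), ""]
    def handle_data(self, data):               # html.parser passes script bodies here
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(tuple(self._cur))
            self._cur = None

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit_page(html, authorized, fetch):
    """Return [(key, 'ok'|'unauthorized'|'modified')] for every script on the page;
    authorized = {key: SHA-256 approved at last review}, fetch(src) = current content."""
    c = ScriptCollector()
    c.feed(html)
    findings, inline_n = [], 0
    for src, body in c.scripts:
        key, content = (src, fetch(src)) if src else (f"inline#{inline_n}", body)
        inline_n += 0 if src else 1
        status = ("unauthorized" if key not in authorized                # 6.4.3: not in the inventory
                  else "modified" if sha256(content) != authorized[key]  # integrity mismatch: re-review
                  else "ok")
        findings.append((key, status))
    return findings

# Constructed sample (hypothetical hostnames): approved content, what is served now, the page.
REVIEWED = {
    "https://cdn.example-psp.test/checkout.js": "window.PSP={tokenize(){}};",
    "https://static.example-cdn.test/widget.js": "window.Widget={open(){}};",
    "inline#0": 'window.analyticsId = "shop-123";',
}
AUTHORIZED = {k: sha256(v) for k, v in REVIEWED.items()}
SERVED_NOW = {**REVIEWED,
              "https://static.example-cdn.test/widget.js": "window.Widget={open(){},track(){}};",
              "https://unknown-host.test/tag.js": "/* script that is not in the inventory */"}
PAYMENT_PAGE = """<html><head><script src="https://cdn.example-psp.test/checkout.js"></script>
<script>window.analyticsId = "shop-123";</script><script src="https://static.example-cdn.test/widget.js"></script>
<script src="https://unknown-host.test/tag.js"></script></head><body><form id="card"></form></body></html>"""
```

Because legitimate scripts change this often, every "modified" finding still needs a human or behavioral re-review before the inventory hash is updated, which is the limitation of purely hash-based checks that the article points to.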


Source: www.it-daily.net · Published 19 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
