How website architecture affects scoping of PCI DSS 4 requirements 6.4.3 and 11.6.1
Lauren Horwitz
Today, e-commerce websites, travel sites, and other companies with payment pages face a challenge: they must ensure that their websites comply with Payment Card Industry Data Security Standard version 4 (PCI DSS 4) by April 2025, when the standard's future-dated requirements stop being best practice and become mandatory.
Two key requirements in PCI DSS 4, 6.4.3 and 11.6.1, target client-side website scripts, payment page integrity, and their impact on cardholder data security. Client-side scripts, which run in the consumer's browser rather than on the website server, can improve web page performance and functionality.
But client-side scripts also introduce risk that malicious actors can exploit. Every script on a page shares that page's DOM and JavaScript context, so a script can read the card number a consumer types into a form field just as easily as the merchant's own code can. Website operators typically lack visibility into which scripts are actually running on the payment page at runtime, so a compromised or unvetted third-party script can access and skim sensitive cardholder data without the merchant noticing.
Web architecture: Single page vs. multi-page apps
At the PCI SSC North America Community Meeting, Jeff Man of Online Business Systems and Jeff Zitomer of HUMAN delivered a session on how a retailer's website architecture affects what it needs to do to comply with PCI DSS requirements 6.4.3 and 11.6.1.
Man and Zitomer discussed the difference between traditional multi-page web applications, in which each new web page (and the scripts on it) is loaded from scratch, and modern single-page apps, which load additional resources on top of what previous "pages" already loaded as visitors navigate the site. In a single-page app the payment form is rendered into the same document that every earlier route used, so every script loaded anywhere along the way is still present, and still able to touch the form, when the consumer reaches checkout.
If, as an e-commerce provider, you have a single-page app (as many modern retailers do), Zitomer outlined two options for scoping 6.4.3 and 11.6.1:
- Treat the entire application as the payment page: inventory, authorize and monitor all client-side scripts throughout the whole app, not just those the checkout route adds
- Re-architect the application, so that the merchant’s page that embeds the third party’s payment form loads as a wholly separate web page (thus isolating it from scripts that were loaded on previous “pages”).
Re-architecting your site involves a heavy upfront effort for your developers and slightly changes the consumer's experience (a full page load at checkout rather than an in-app transition). In return it shrinks your client-side attack surface and means that only the embedding page (or a payment page) and the scripts it loads are in scope for PCI DSS requirements 6.4.3 and 11.6.1, because a fresh page load gives that page its own document and JavaScript context that scripts from earlier routes cannot reach. The scripts the embedding page itself includes, first-party and third-party alike, remain fully in scope and still need an authorized inventory and integrity and tamper checks.
Watch the complete session on PCI DSS 4 compliance to learn more, and read about HUMAN's approach to PCI DSS compliance here.