HUMAN Blog

How website architecture affects scoping of PCI DSS 4 requirements 6.4.3 and 11.6.1

 

Today, e-commerce websites, travel sites, and other companies with payment pages face a challenge: they must ensure that their websites comply with Payment Card Industry Data Security Standard version 4 (PCI DSS 4)  by April 2025. 

Two key requirements in the PCI DSS 4—6.4.3 and 11.6.1—target client-side website scripts, payment page integrity and their impact on cardholder data security. Client-side scripts, which run on the consumer’s browser rather than the website server, can optimize web page performance and functionality. 

But client-side scripts also introduce vulnerabilities that malicious actors can exploit. Website operators typically lack visibility into payment page scripts at runtime. The result is that third-party scripts can access and skim sensitive cardholder data.

Web architecture: Single page vs.
multi-page apps

At the PCI SCC North America Community Meeting, Jeff Man of Online Business Systems and Jeff Zitomer of HUMAN delivered a session on how a retailer’s website architecture affects what they need to do to comply with PCI DSS requirements 6.4.3 and 11.6.1.

Man and Zitomer discussed the difference between traditional web applications – in which each new web page (and the scripts therein) are loaded from scratch – compared with modern single-page apps that load additional resources on top of previous pages’ as website visitors navigate the site. 

If, as an e-commerce provider, you have a single page app (as many modern retailers do), Zitomer outlined two options for scoping 6.4.3 and 11.6.1:

  1. Scope your entire application and manage all client-side scripts throughout the entire app
  2. Re-architect the application, so that the merchant’s page that embeds the third party’s payment form loads as a wholly separate web page (thus isolating it from scripts that were loaded on previous “pages”).

While re-architecting your site will involve a heavy upfront effort for your developers and will slightly affect the consumer’s experience, it also reduces your client-side attack surface and ensures that only the embedding page (or a payment page) and the scripts upon it are in scope for PCI DSS requirements 6.4.3 and 11.6.1.

Check out the complete session on PCI DSS 4 compliance to learn more and learn more about HUMAN's approach to PCI DSS compliance here.