
Silent Client-Side Risks: Why Merchants Must Act Now on PCI DSS 4.0 Compliance


COMMENTARY: The compliance conversation has shifted from server-side protections to the browser itself. PCI DSS 4.0.1 makes it clear that merchants can no longer treat client-side risks as an afterthought. The rise of e-skimming shows that attackers are exploiting blind spots in real time, and the data point about 11,000 infected domains in 2024 makes the threat impossible to ignore. What also resonates is the emphasis on education. Smaller and mid-sized merchants especially need guidance, not just requirements handed down. PSPs and acquirers are in a unique position to bridge that gap by helping businesses inventory scripts, monitor continuously, and reduce third-party exposure without sacrificing the checkout experience. Compliance is only part of the story here - the real takeaway is that protecting the client side is now integral to protecting customer trust.


With the surge in digital transactions and increasingly sophisticated browser-based risks (malicious script injection as well as unintended exposure through poorly governed third-party scripts), merchants are under more pressure than ever to protect customer data. As a result, expectations are rising, not just for merchants themselves, but for their partners, PSPs, and acquiring financial institutions. These businesses are expected to help ensure that sensitive data is secured and that merchants remain compliant with evolving PCI DSS standards.

But those expectations don’t stop there. Merchants are also seeking to better understand the environment in which they operate and the associated risks, and are looking to PSPs and acquirers to take on this educational role. The good news is that many of these partner organizations are stepping up by providing new levels of support across an array of areas.

These include educational webinars featuring experts who can delve deeply into areas such as the limitations of traditional server-side security and the rise of client-side risks, including JavaScript skimming. PSPs and acquirers are also sending out a regular cadence of educational materials, such as newsletters, providing updates on requirements like PCI DSS v4.0.1, and highlighting industry announcements from major players such as VISA.

Where to Begin: PCI DSS v4.0.1

If you’re not familiar with PCI DSS, this is where the education begins. First introduced in 2004, PCI DSS v1.0 established a uniform set of security standards designed to protect sensitive cardholder data and make credit and debit card transactions more secure for both businesses and consumers. Since then, its requirements have evolved. Its latest iteration, PCI DSS v4.0.1, adds requirements aimed specifically at helping organizations detect and prevent e-skimming; these were future-dated when v4.0 was published and became mandatory on March 31, 2025. The two key requirements that merchants should be acutely aware of are 6.4.3 and 11.6.1.

Requirement 6.4.3 requires merchants to manage every script that is loaded and executed in the consumer’s browser on a payment page. In practice, this means three things: a method to confirm that each script is authorized, a method to assure the integrity of each script (for example, a Subresource Integrity hash or a Content Security Policy hash or nonce), and a maintained inventory of all scripts with a written business or technical justification for why each one is necessary.

Requirement 11.6.1 calls on merchants to deploy a change- and tamper-detection mechanism that alerts personnel to unauthorized modifications (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer’s browser. The mechanism must evaluate the received headers and page contents at least weekly, or at a frequency the organization justifies in a targeted risk analysis.

Why This Matters Now

Despite the growing number of risks, many merchants remain unprepared. This is most notable for mid-sized and smaller merchants, many of whom are overwhelmed by the scope of these requirements. There are also companies that hesitate to assess their environments, for fear that they might uncover unmanaged scripts or third-party risks that expand their compliance scope or require additional investment.

If your business falls into either of these groups, here’s an important message: ignorance isn’t a best practice when it comes to eliminating client-side risk and protecting your customers’ data. Neither is maintaining the status quo. Recorded Future reports that in 2024, Magecart e-skimmer infections approached 11,000 unique e-commerce domains—a nearly threefold increase from 2023 and the highest annual volume ever recorded. There is little doubt that this pattern will continue.

How to Make Compliance Achievable

For any merchant that hasn’t taken the first step, it’s important to know that meeting the demands of PCI DSS 6.4.3 and 11.6.1 is possible, but achieving and sustaining compliance without expert guidance is a tall order. Success requires having the right mix of people, processes, and technologies. Start by aligning with PSPs, acquirers, and client-side security experts who can help ensure controls are effective and up to date. Select partners who understand e-commerce and can help you stay compliant without compromising the checkout experience. Some recommended steps include:

  • Create a detailed script inventory. Identify all payment pages that handle card data and list all scripts executed in the user’s browser, including inline scripts and scripts that other scripts load. Be sure to document script names, sources, business or technical purposes, authorization status, and the method of integrity validation (such as an SRI hash or a CSP hash or nonce).
  • Implement continuous monitoring. PCI DSS v4.0.1 sets a floor of at least weekly checks (or a frequency justified by a targeted risk analysis). Experts will tell you that weekly checks aren’t enough. A skimmer can be injected and harvest card data within minutes, without any notice, making real-time monitoring vital. By deploying automated change detection tools that compare the scripts and security headers actually delivered to the browser against the approved baseline, businesses can identify unauthorized script modifications immediately and alert their team to take action.
  • Reduce third-party risk. The number of third-party scripts a company uses varies. According to Source Defense data included in the 2024 Verizon Payment Security Report, large merchant websites have an average of 18.37 scripts per payment page. Since v4.0.1 requires a written justification for every one of them, the practical path to compliance is to remove any script from payment pages that cannot be justified, and to keep the ones that remain to the minimum the checkout actually needs.
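The three steps above come together in a check like the following. It is an added example, not code from the article or from Elavon: a 6.4.3-style inventory (authorized scripts keyed by URL or by the digest of their inline contents, each with an integrity pin and a justification) is compared against a payment page and its HTTP headers as a browser would receive them, in the way an 11.6.1 tamper-detection mechanism does. The URLs, script bodies and header values are constructed for the example; the second observation appends a hypothetical third-party tag and loosens the Content Security Policy so the browser would not block it.

```python
"""Added example: an 11.6.1-style tamper check for a payment page.

Compares a page and its HTTP headers "as received by the browser" against a
6.4.3-style inventory of authorized scripts and a baseline of security-
impacting headers, and reports every deviation. All URLs, script bodies and
header values below are constructed for the example.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes) -> str:
    """Subresource Integrity digest; the same form works as a CSP hash source."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# --- Constructed baseline -------------------------------------------------
PAYMENT_JS = b"/* stand-in for payment.js */ window.tokenize = function (pan) { return 'tok_' + pan.slice(-4); };"
INLINE_INIT = "document.getElementById('card').dataset.ready = '1';"
PAYMENT_PIN = sri_digest(PAYMENT_JS)
INLINE_PIN = sri_digest(INLINE_INIT.encode())

# 6.4.3 inventory: each authorized script, its integrity pin and why it exists.
# External scripts are keyed by URL, inline scripts by "inline:<digest>".
INVENTORY = {
    "https://checkout.example.test/js/payment.js": {
        "integrity": PAYMENT_PIN,
        "justification": "First-party card form; tokenizes the PAN before submit",
    },
    "inline:" + INLINE_PIN: {
        "integrity": INLINE_PIN,
        "justification": "Marks the card form ready once payment.js has loaded",
    },
}

SECURITY_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")

BASELINE_HEADERS = {
    "Content-Security-Policy": f"script-src 'self' '{INLINE_PIN}'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

BASELINE_HTML = f"""<html><head>
<script src="https://checkout.example.test/js/payment.js" integrity="{PAYMENT_PIN}" crossorigin="anonymous"></script>
</head><body>
<form id="card"></form>
<script>{INLINE_INIT}</script>
</body></html>"""

# Constructed "tampered" observation: a skimmer-style third-party tag appended
# and the CSP loosened so the browser would load it.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.metrics-collector.test/t.js"></script>\n</body>')
TAMPERED_HEADERS = dict(BASELINE_HEADERS, **{"Content-Security-Policy": "script-src * 'unsafe-inline'"})


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag: src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:  # only text inside an open <script>
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def _normalize(headers):
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_payment_page(html, headers, inventory, baseline_headers):
    """Return a list of findings; an empty list means no unauthorized change."""
    findings = []
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()

    seen = set()
    for s in parser.scripts:
        if s["src"] is not None:
            key = s["src"]
            entry = inventory.get(key)
            if entry is None:
                findings.append(f"unauthorized script added: {key}")
                continue
            seen.add(key)
            # The browser only enforces SRI if the pin is present and unchanged.
            if s["integrity"] is None:
                findings.append(f"missing integrity attribute: {key}")
            elif s["integrity"] != entry["integrity"]:
                findings.append(f"integrity pin changed: {key}")
        else:
            key = "inline:" + sri_digest(s["inline"].encode())
            if key in inventory:
                seen.add(key)
            else:
                findings.append("unauthorized or modified inline script")

    for key in inventory:  # deletions matter as much as additions
        if key not in seen:
            findings.append(f"authorized script missing: {key}")

    observed, expected = _normalize(headers), _normalize(baseline_headers)
    for name in SECURITY_HEADERS:
        if observed.get(name) != expected.get(name):
            findings.append(f"security header changed: {name}")
    return findings


if __name__ == "__main__":
    for label, html, hdrs in (("baseline", BASELINE_HTML, BASELINE_HEADERS),
                              ("tampered", TAMPERED_HTML, TAMPERED_HEADERS)):
        print(label, check_payment_page(html, hdrs, INVENTORY, BASELINE_HEADERS) or "clean")
```

Run against the baseline the check is clean; run against the tampered observation it reports the added third-party script and the changed Content-Security-Policy. A production version would fetch the live payment page and script bodies on a schedule far shorter than a week, verify external script contents against their pins rather than trusting the attribute alone, and route findings to an alerting channel that a named person is responsible for acting on.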

Client-Side Protection Isn’t Optional Anymore

It’s vital for PSPs and acquirers to help educate merchants about the limitations of traditional server-side controls. Those controls cannot see, let alone block, code that runs in the customer’s browser, whether it was injected through a compromised third-party vendor or planted by an attacker exploiting a browser-based weakness. Alongside that lesson, partners should lay out a concrete path to client-side protection.

But the education these businesses provide cannot end there. Today’s risk environment isn’t static. As such, PSPs and acquirers must commit to ongoing education and guidance that provides merchants with access to the latest knowledge, news, and experts who can ultimately help ensure the success of their client-side protection initiatives over time.

MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.

Andrew McCarroll

Andrew McCarroll, PCIP, is Customer Payment Security Executive at Elavon.
