PCI DSS v4.0.1 — mandatory since 31 Mar 2025

Do you know every script on your payment page?

PCI DSS Requirements 6.4.3 and 11.6.1 now require merchants to inventory and justify every script on their checkout page, and detect unauthorized changes. If you use Woo/Shopify + Stripe Elements or PayPal in an iframe, the "SAQ A trap" means you must attest your checkout isn't susceptible to script attacks — or you lose SAQ A eligibility. We'll scan your checkout page and show you exactly what's loading, free.

Takes about 15 seconds · no signup required to see your summary
Why this suddenly matters

Two requirements, one deadline that already passed

PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1 became mandatory on 31 March 2025. Acquirers are already charging non-compliance fees — typically $20–200/month — to merchants who can't show they've addressed them.

Requirement 6.4.3 — script inventory

Every script that loads on a payment page must be inventoried, with a written business justification for why it's there and confirmation of its authorization and integrity.

Requirement 11.6.1 — tamper detection

Merchants must deploy a change- and tamper-detection mechanism that alerts on unauthorized modification of the payment page, at least weekly (or per a defined risk cadence).

The "SAQ A trap": if your checkout is an iframe/embed from Stripe, PayPal or Braintree, you likely qualify for the simpler SAQ A — but only if you can attest your page isn't susceptible to script-based attacks. Many merchants have never actually checked.

Fair warning

What this scan is — and isn't

This free scan gives you a real, useful script inventory for your payment page: every external script, first-party vs third-party, categorized by vendor. It does not assert PCI compliance, and a one-off scan cannot do continuous tamper detection (Requirement 11.6.1) — that needs repeated monitoring over time, which is what the paid tier below is for. Not legal or compliance advice.

Coming soon

Weekly monitoring + tamper alerts

We're validating demand for always-on payment-page monitoring before we build it. If you want it, tell us — we'll email you the moment it's ready.

Monitoring
$29/mo
  • Weekly re-scans of your payment page
  • Alerts when a new or changed script appears (tamper signal)
  • Acquirer-ready PDF for your next SAQ A attestation