PCI DSS Requirements 6.4.3 and 11.6.1 now require merchants to inventory and justify every script on their checkout page, and detect unauthorized changes. If you use Woo/Shopify + Stripe Elements or PayPal in an iframe, the "SAQ A trap" means you must attest your checkout isn't susceptible to script attacks — or you lose SAQ A eligibility. We'll scan your checkout page and show you exactly what's loading, free.
PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1 became mandatory on 31 March 2025. Acquirers are already charging non-compliance fees — typically $20–200/month — to merchants who can't show they've addressed them.
Every script that loads on a payment page must be inventoried, with a written business justification for why it's there and confirmation of its authorization and integrity.
Merchants must deploy a change- and tamper-detection mechanism that alerts on unauthorized modification of the payment page, at least weekly (or per a defined risk cadence).
The "SAQ A trap": if your checkout is an iframe/embed from Stripe, PayPal or Braintree, you likely qualify for the simpler SAQ A — but only if you can attest your page isn't susceptible to script-based attacks. Many merchants have never actually checked.
This free scan gives you a real, useful script inventory for your payment page: every external script, first-party vs third-party, categorized by vendor. It does not assert PCI compliance, and a one-off scan cannot do continuous tamper detection (Requirement 11.6.1) — that needs repeated monitoring over time, which is what the paid tier below is for. Not legal or compliance advice.
We're validating demand for always-on payment-page monitoring before we build it. If you want it, tell us — we'll email you the moment it's ready.