F5 Inc.

04/21/2025 | News release | Distributed by Public on 04/21/2025 05:06

F5 Distributed Cloud Client-Side Defense Prepares Customers for PCI DSS v4.0.1

With the release of the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1, the PCI Security Standards Council directly addresses the growing threat of client-side attacks. For the first time, the PCI SSC has included two client-side requirements, effective March 31, 2025, that directly address this attack vector:

Requirement 6.4.3: All payment page scripts that are loaded and executed in the consumer's browser are managed as follows:

  • A method is implemented to confirm that each script is authorized.
  • A method is implemented to assure the integrity of each script.
  • An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.

Requirement 11.6.1: A change- and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
  • The mechanism is configured to evaluate the received HTTP headers and payment pages.

These new mandates recognize a fundamental truth: client-side scripts are now a critical part of the PCI attack surface. Yet for many organizations, meeting these requirements presents operational and technical hurdles, especially given the dynamic nature of JavaScript ecosystems and reliance on third-party services.
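As an added illustration of what the two requirements ask for (this is example code written for this page, not F5's product or release material), the Python audit below compares a payment page as received by the browser against a script inventory carrying expected SHA-256 hashes and written justifications (6.4.3) and against a baseline of security-impacting response headers (11.6.1). All URLs, header values and script contents are constructed samples.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventory (req. 6.4.3): every authorized payment-page script with the
# expected hash of its content and the written justification for why it is needed.
INVENTORY = {
    "https://pay.example.test/checkout.js": {
        "sha256": sha256_hex(b"initCardForm();"),
        "justification": "Card form validation and tokenization",
    },
    "https://cdn.example.test/analytics.js": {
        "sha256": sha256_hex(b"track('checkout');"),
        "justification": "Conversion analytics approved by the business owner",
    },
}

# Constructed baseline of security-impacting headers (req. 11.6.1), lower-cased names.
HEADER_BASELINE = {
    "content-security-policy": "script-src 'self' https://cdn.example.test",
    "strict-transport-security": "max-age=31536000",
}


def audit_payment_page(headers, scripts, inventory=INVENTORY, baseline=HEADER_BASELINE):
    """Evaluate the page as received: `headers` maps header name to value and
    `scripts` maps each loaded script URL to the bytes the browser received.
    Returns a sorted list of (finding, subject) tuples; an empty list means clean."""
    findings = []
    for url, body in scripts.items():
        entry = inventory.get(url)
        if entry is None:
            findings.append(("unauthorized_script", url))   # addition not in inventory
        elif sha256_hex(body) != entry["sha256"]:
            findings.append(("modified_script", url))       # integrity mismatch
    for url in inventory:
        if url not in scripts:
            findings.append(("missing_script", url))        # deletion of an expected script
    received = {name.lower(): value for name, value in headers.items()}
    for name, expected in baseline.items():
        if received.get(name) != expected:
            findings.append(("header_changed", name))       # header weakened or removed
    return sorted(findings)


if __name__ == "__main__":
    clean = {url: b"" for url in INVENTORY}  # empty bodies will be reported as modified
    for finding in audit_payment_page(HEADER_BASELINE, clean):
        print(*finding)
```

Each finding is the alert the standard asks personnel to receive; in practice the inventory and header baseline would be version-controlled and the audit run on every deployment and on a schedule against the live page.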