CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 18, 2026

The Scripts on Your Checkout Page Are Now a PCI DSS Problem

The Hacker News Archived Jun 18, 2026 ✓ Full text saved

An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here → When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of them can be turned

Full text archived locally
✦ AI Summary · Claude Sonnet


    The Scripts on Your Checkout Page Are Now a PCI DSS Problem The Hacker NewsJun 18, 2026Payment Security / Compliance An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here → When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of them can be turned into a skimmer. This is how Magecart works. Sansec has counted more than 100,000 sites hit by web skimming and supply-chain attacks. The 2018 British Airways breach alone exposed 380,000 transactions and a fine that started at £183 million. The dangerous part: the malicious code usually arrives through a script you already approved. Attackers compromise a third-party vendor, and the payload rides in on a script you have run for months. Nothing looks new. What changed is the script's behavior, not its presence on the page. PCI DSS v4.0.1 closes that gap with two requirements, now fully in force. 6.4.3 says to inventory every payment-page script, authorize it, and prove its integrity. 11.6.1 says to detect tampering with page content and HTTP headers as the browser receives them. Done by hand, across hundreds of scripts that change constantly, this does not scale. Reflectiz data shows roughly 30% of payment-page scripts change within any two-week window. What the QSA Found Integrity360 Europe, a PCI Qualified Security Assessor and member of the PCI SSC Global Executive Assessor Roundtable, reviewed the Reflectiz PCI DSS Platform against both requirements and found it can effectively support compliance. Three things stood out: It watches behavior, not just file hashes. A hash check misses a silent vendor-side swap. Reflectiz catches the script the moment it starts reaching for card data. It deploys agentless. No code changes, no snippets, live in days, and it keeps working through refactors and CMS migrations. It produces QSA-ready evidence in one click. Full audit trail per page, ready for assessment. The SAQ A Catch Since January 2025, merchants can drop 6.4.3 and 11.6.1 from SAQ A only if they confirm their site is not susceptible to script attacks. Full redirect to your processor? You are likely fine. Embed a payment iframe? A script on the parent page can still hijack the checkout before data reaches the secure frame, and you have to prove it cannot. PCI SSC FAQ #1588 points straight back to these same controls. Get the Full Assessment The complete Integrity360 Europe white paper breaks down both requirements line by line, the monitoring workflow, and exactly what SAQ A now demands of iframe merchants. Download the white paper → Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  browser security, Compliance, Magecart, Payment Security, PCI DSS, Reflectiz, Supply Chain Security, Web Skimming ⚡ Top Stories This Week Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code Load More ▼ ⭐ Featured Resources [Watch Demo] See Which Security Gaps Attackers Could Exploit First Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 18, 2026
    Archived
    Jun 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗