PCI DSS v4.0.1 · Requirements 6.4.3 & 11.6.1

Script monitoring & evidence for PCI DSS 6.4.3 / 11.6.1 — built for small merchants

ScriptProof keeps an inventory of every script on your checkout, records why each one is authorized, detects tampering, and turns it all into evidence you can hand to your bank. It supports your 6.4.3 and 11.6.1 controls — no agent install required to start.

How it works

1. Verify your site

Prove you own the domain with a DNS record or meta tag. We only ever monitor sites you control.

2. We watch your payment pages

Our crawler fingerprints every script and security header on your checkout pages, on a daily or 6-hourly schedule.

3. You get alerted on changes

A new or modified script on a payment page triggers an immediate email with before/after hashes and a one-click review link.

4. Evidence, ready for your SAQ

A monthly PDF Evidence Pack documents your script inventory, authorizations, change log and scan cadence.

Why this matters now

Since PCI DSS v4.0, requirements 6.4.3 and 11.6.1 ask merchants to maintain an authorized inventory of all payment page scripts and to detect tampering with page content and HTTP headers at least weekly. That applies to small shops too — skimming attacks overwhelmingly target exactly the scripts these requirements cover. ScriptProof gives you the monitoring and the paper trail without hiring a security team.

Frequently asked questions

Does ScriptProof make me PCI compliant?
No. ScriptProof is a monitoring and evidence tool. It supports your 6.4.3 and 11.6.1 controls and produces supporting evidence, but it is not a QSA service and does not certify compliance. Your validation requirements are set by your acquirer or a QSA.
Do I need to install anything on my site?
No. ScriptProof monitors your pages from the outside after you verify you own the domain. There is an optional lightweight snippet on Pro and Agency plans for catching scripts injected at runtime, but it is not required to start.
Will it slow down my checkout?
No. Monitoring happens on our servers, not in your customers’ browsers. The optional snippet is under 6 KB and fails silently — it never blocks or breaks your page.
What happens when a script changes?
A new or modified script on a payment page triggers an immediate email with the before and after fingerprints and a one-click review link. Lower-severity changes are grouped into a daily digest.
Do you ever see card data?
Never. ScriptProof only handles URLs, script metadata and content hashes, HTTP headers, and your account details. It does not request, process, or store cardholder data.