As of 1st April 2025, new regulations under PCI DSS v4.0.1 have come into force — and with them, a renewed emphasis on eCommerce merchants’ responsibility for securing their checkout journeys.
In recent weeks, high-profile cyberattacks on major UK retailers including Marks & Spencer, Harrods, and Co-op have underscored just how vulnerable even the most established businesses can be to digital threats.
Against this backdrop, the new PCI DSS requirements introduce a critical shift for SAQ-A merchants — including those using hosted payment pages — who must now formally confirm that their websites are not susceptible to script-based attacks.
What’s changed?
While previous guidance (such as requirements 6.4.3 and 11.6.1) prescribed technical approaches to script monitoring and integrity checks, these have now been replaced by a more general — but arguably more demanding — expectation:
“The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
This change places the burden of proof squarely on merchants. It’s no longer just about ticking boxes on an SAQ — you must be able to demonstrate that your checkout pages are not vulnerable to client-side tampering, especially from third-party JavaScript.
Why this matters
Third-party JavaScript is essential to modern eCommerce, but it also represents a growing attack surface — particularly on checkout pages. Malicious code can be injected to skim cardholder data or spoof payment forms, often without visible signs. These types of attacks, known as Magecart or formjacking, are increasingly common and notoriously hard to detect without specialised tooling.
Merchants who fail to monitor for these threats risk:
- Fines from their acquiring banks
- Increased transaction fees
- Suspension of card processing privileges
- Legal liability in the event of a breach
- Reputational damage that can take years to rebuild
Introducing: Venditan Checkout Audit
In response, we’ve developed Venditan Checkout Audit — a lightweight, code-free tool designed to help merchants meet the updated PCI requirements and reduce the risk of script-based attacks on their payment pages.
The Checkout Audit tool:
- Captures a full snapshot of your checkout journey, including hosted payment pages
- Inventories all JavaScript files (static and dynamically loaded) and tracks changes over time
- Monitors HTTP headers and DOM content for signs of tampering or unexpected behaviour
- Delivers regular audit reports that support both internal security reviews and PCI compliance submissions
The tool is designed to run independently of Venditan Commerce and requires no installation or developer input. This makes it ideal for merchants using hosted payment solutions, where backend access is limited but compliance obligations remain high.
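The inventory-and-diff idea behind the bullets above (snapshot the scripts on a checkout page, hash them, compare against a previous snapshot, and flag headers or attributes that leave script integrity unenforced) can be illustrated in a few dozen lines. The Python below is an added example and is not Venditan's tool nor code from this post. It assumes a separate fetch step has already retrieved the body of each external script; here that step is stood in for by a dictionary, and the HTML, script bodies and response headers are all constructed sample data rather than captured from any site.

```python
"""Baseline-and-diff monitor for the <script> elements on a checkout page.

Added example (not Venditan's tool). Inventories external and inline scripts,
hashes each one, diffs the result against a stored baseline, and reports
conditions a reviewer would want to see: scripts without Subresource Integrity
and a Content-Security-Policy that does not restrict script sources.
"""
import hashlib
from html.parser import HTMLParser

# --- constructed sample data: two snapshots of the same checkout page -------
BASELINE_HTML = """<html><head>
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA"></script>
<script src="https://analytics.example/tag.js"></script>
<script>window.cfg = {currency: "GBP"};</script>
</head><body><form id="checkout"></form></body></html>"""

CURRENT_HTML = """<html><head>
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA"></script>
<script src="https://analytics.example/tag.js"></script>
<script>window.cfg = {currency: "GBP"};</script>
<script>document.addEventListener("submit", function(e){ /* new, unexpected */ });</script>
</head><body><form id="checkout"></form></body></html>"""

# Bodies of the external scripts as served at each snapshot. In a real monitor
# these come from an HTTP fetch; the dictionaries stand in for that step.
BASELINE_BODIES = {
    "https://cdn.example/lib.js": b"function pay(){}",
    "https://analytics.example/tag.js": b"track('page');",
}
CURRENT_BODIES = {
    "https://cdn.example/lib.js": b"function pay(){}",
    "https://analytics.example/tag.js": b"track('page'); /* changed since baseline */",
}
# Constructed response headers for the current snapshot.
CURRENT_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


class ScriptCollector(HTMLParser):
    """Collects external script URLs (with any integrity attribute) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # record currently receiving inline script text

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity"), "body": b""})
        else:
            self._inline = {"src": None, "integrity": None, "body": b""}
            self.scripts.append(self._inline)

    def handle_data(self, data):
        if self._inline is not None:
            self._inline["body"] += data.encode()

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = None


def inventory(html, bodies):
    """Return {key: record}. External scripts are keyed by URL, inline scripts by a
    prefix of their hash, so an edited inline script shows as removed plus added."""
    p = ScriptCollector()
    p.feed(html)
    inv = {}
    for s in p.scripts:
        if s["src"]:
            digest = hashlib.sha256(bodies.get(s["src"], b"")).hexdigest()
            inv[s["src"]] = {"kind": "external", "sha256": digest, "integrity": s["integrity"]}
        else:
            digest = hashlib.sha256(s["body"]).hexdigest()
            inv["inline:" + digest[:12]] = {"kind": "inline", "sha256": digest, "integrity": None}
    return inv


def diff(baseline, current):
    """Scripts added, removed or whose content hash changed between snapshots."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in both if baseline[k]["sha256"] != current[k]["sha256"]),
    }


def findings(current, headers):
    """Static checks on the current snapshot: missing SRI and a CSP that does not pin scripts."""
    out = []
    for key, rec in current.items():
        if rec["kind"] == "external" and not rec["integrity"]:
            out.append(f"external script without SRI integrity attribute: {key}")
    csp = {k.lower(): v for k, v in headers.items()}.get("content-security-policy", "")
    if not csp:
        out.append("no Content-Security-Policy header")
    elif "script-src" not in csp and "default-src" not in csp:
        out.append("CSP does not restrict script sources")
    return out


if __name__ == "__main__":
    base = inventory(BASELINE_HTML, BASELINE_BODIES)
    cur = inventory(CURRENT_HTML, CURRENT_BODIES)
    print("diff:", diff(base, cur))
    for line in findings(cur, CURRENT_HEADERS):
        print("finding:", line)
```

Run as a scheduled job, the stored baseline becomes the audit trail the post refers to: each run records what changed and when, rather than a single scan at SAQ submission time. Keying inline scripts by content hash rather than position avoids false "changed" reports when a new tag is inserted above existing ones.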
A practical approach to ongoing compliance
While some merchants have asked whether action is needed before their SAQ-A renewal date, the answer is clear: PCI DSS requires ongoing monitoring.
If an incident occurs, you may be required to show a consistent history of security activity — not just a one-off scan at the point of submission.
At Venditan, we believe compliance shouldn’t be costly, confusing, or reactionary. That’s why we’ve built a solution focused specifically on this requirement — one that’s accessible, effective, and easy to implement.
Need help understanding the new requirements, or want to discuss a checkout audit for your site?
Get in touch - our team is here to help.