BLOG

F5 Distributed Cloud Client-Side Defense Prepares Customers for PCI DSS v4.0.1

Evan Kim
Published April 21, 2025

In recent years, formjacking and Magecart attacks have surged as dominant threats in the e-commerce and digital payments landscape. These client-side attacks silently siphon sensitive data, including credit card numbers, login credentials, and personally identifiable information (PII) directly from users’ browsers, without ever touching the organization’s servers. The attacks bypass traditional perimeter and server-side defenses by injecting malicious JavaScript into third-party scripts or directly into front-end code.

Understanding formjacking and Magecart

Formjacking relies on injecting malicious JavaScript into online forms to capture user input at the browser level. It is usually carried out by compromising a third-party script provider, a content delivery network (CDN), or the site's own front-end code, so the skimmer runs with the same access to the page's DOM and form fields as any legitimate script. Because the stolen data never passes through the merchant's servers, server-side security tools have nothing to detect.

Magecart is an umbrella term for a set of cybercriminal groups that specialize in web skimming. These cybercriminal groups typically compromise e-commerce sites by injecting JavaScript code that steals payment data during checkout. This stolen data is then exfiltrated to attacker-controlled domains, often obfuscated or hidden beneath legitimate-looking requests.

Both attack types share a common vector: the browser. And their success hinges on how little visibility organizations have into what actually executes client-side.

Enter PCI DSS v4.0.1: Strengthening client-side security

The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1, the current version of the standard, directly addresses the growing threat of client-side attacks. Two requirements, first introduced in PCI DSS v4.0 and carried forward into v4.0.1, target this attack vector. Both were future-dated best practices until March 31, 2025, when they became mandatory:

Requirement 6.4.3: All payment page scripts that are loaded and executed in the consumer's browser are managed as follows:

  • A method is implemented to confirm that each script is authorized.
  • A method is implemented to assure the integrity of each script.
  • An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.

Requirement 11.6.1: A change- and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
  • The mechanism is configured to evaluate the received HTTP headers and payment pages.

These mandates recognize a fundamental truth: client-side scripts are now a critical part of the PCI attack surface. The PCI SSC guidance for 6.4.3 names Subresource Integrity (SRI), Content Security Policy (CSP) and script or tag-management systems as example methods, and the guidance for 11.6.1 names CSP violation reporting, synthetic user monitoring that fetches and analyzes the page as a browser would, and tamper-detection scripts embedded in the payment page. Yet for many organizations, meeting these requirements presents operational and technical hurdles, especially given the dynamic nature of JavaScript ecosystems and the reliance on third-party services whose scripts change without notice.

Bridging the visibility gap

Traditional web application firewalls (WAFs) and security information and event management solutions (SIEMs) operate at the server or network perimeter, and endpoint tools watch the operating system rather than what a page's scripts do. None of them has visibility into the final execution environment: the user's browser. Once malicious code is injected, whether through a compromised tag manager, a CDN, or a third-party supply chain attack, the skimmed data travels from the browser straight to the attacker, and server-side tools often miss the breach entirely. This is where F5 Distributed Cloud Client-Side Defense steps in.

Unlike server-side tools, Distributed Cloud Client-Side Defense operates in the browser itself, providing real-time monitoring, integrity validation, and alerting on malicious behavior as it happens. And we recently updated the service so it’s purpose-built to address the threats outlined in PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1.

Diagram: F5 Distributed Cloud Client-Side Defense is purpose-built to address the client-side requirements outlined in PCI DSS v4.0.1.

Here’s how it helps:

  • Script inventory and authorization: Distributed Cloud Client-Side Defense continuously tracks and maintains an inventory of all scripts executing on payment pages, first-party and third-party. Organizations can establish an allow list of scripts with written justifications and get alerted if new or unauthorized scripts appear, helping to show compliance with 6.4.3.
  • Script integrity validation: Distributed Cloud Client-Side Defense validates the integrity of scripts by instrumenting the runtime of the web application to watch for meaningful behavioral changes that are indicative of unexpected and potentially malicious behavior, in particular new network requests and new data accesses. This behavioral approach complements, rather than replaces, Subresource Integrity hashes and CSP: a hash pins a script's exact bytes but says nothing about what it does, while behavioral monitoring catches a changed script by what it does even when the bytes are served from a trusted host.
  • Script and security-impacting HTTP header monitoring: Distributed Cloud Client-Side Defense regularly inspects scripts and security-impacting HTTP headers for unauthorized modifications, alerting if changes are detected to help organizations show compliance with 11.6.1.
  • Exfiltration detection: Advanced threat models monitor outbound requests for signs of data exfiltration. If a script tries to send captured form data to a suspicious endpoint, alerts are triggered and organizations can take direct mitigation actions to block network calls and form field reads.
  • Enterprise-ready alerts and reports: Security and compliance teams gain rich telemetry on script behavior, domain relationships, and browser-side data flows, which serves as PCI audit trails and as evidence for forensic investigations.
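The exfiltration-detection and integrity-validation bullets above describe instrumenting the browser runtime to catch new network requests carrying form data. Here is an added example of that technique (not F5's implementation, and not part of the original post): a small egress guard that wraps `fetch()` and `navigator.sendBeacon()` on a given global object and refuses to send a request that would carry a card number to any origin the site operator has not listed. The Luhn check is what tells a PAN apart from an arbitrary digit run. The policy, origins and field values are hypothetical; the guard takes the global object as a parameter so the same code runs in a browser (`installEgressGuard(window, ...)`) and in a test.

```javascript
// Added example, not F5 code: a minimal client-side egress guard for a payment
// page. It wraps fetch() and navigator.sendBeacon() on a given global object
// and blocks requests that would carry a card number (PAN) to an origin the
// site operator has not allow-listed. All origins below are hypothetical.

// Luhn check: the cheapest way to tell a PAN from an arbitrary digit run.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the text contains a 13-19 digit run (spaces/dashes ignored) that passes Luhn.
function containsPan(text) {
  const runs = String(text).replace(/[ -]/g, "").match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Request bodies arrive as strings, URLSearchParams or plain objects; flatten to text.
function bodyToText(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (typeof URLSearchParams !== "undefined" && body instanceof URLSearchParams) return body.toString();
  try { return JSON.stringify(body); } catch { return ""; }
}

function originOf(url, base) {
  try { return new URL(url, base).origin; } catch { return null; }
}

// policy = { pageOrigin, allowed: { "https://origin": { mayReceivePan: bool }, ... } }
// Unlisted origins are blocked outright; listed origins may only receive a PAN
// when the operator has marked them as a payment processor.
function inspectRequest(url, body, policy) {
  const origin = originOf(url, policy.pageOrigin);
  const listed = origin !== null && Object.prototype.hasOwnProperty.call(policy.allowed, origin);
  const pan = containsPan(bodyToText(body));
  if (!listed) return { verdict: "block", reason: "unlisted-origin", origin, pan };
  if (pan && !policy.allowed[origin].mayReceivePan) return { verdict: "block", reason: "pan-to-non-processor", origin, pan };
  return { verdict: "allow", reason: "policy", origin, pan };
}

// Wrap the network APIs on `target` (window in a browser). onAlert receives every block.
function installEgressGuard(target, policy, onAlert) {
  const origFetch = target.fetch;
  target.fetch = function (input, init) {
    const url = typeof input === "string" ? input : input.url;
    const finding = inspectRequest(url, init && init.body, policy);
    if (finding.verdict === "block") {
      onAlert({ api: "fetch", url, ...finding });
      return Promise.reject(new TypeError("blocked by egress guard: " + finding.reason));
    }
    return origFetch.call(this, input, init);
  };
  const nav = target.navigator;
  if (nav && typeof nav.sendBeacon === "function") {
    const origBeacon = nav.sendBeacon;
    nav.sendBeacon = function (url, data) {
      const finding = inspectRequest(url, data, policy);
      if (finding.verdict === "block") {
        onAlert({ api: "sendBeacon", url, ...finding });
        return false;
      }
      return origBeacon.call(this, url, data);
    };
  }
}

module.exports = { luhnValid, containsPan, inspectRequest, installEgressGuard };
```

Two caveats a practitioner should keep in mind. First, the guard only sees what runs after it: a skimmer that loads earlier can capture the original `fetch` reference, and a skimmer can bypass both hooks with `new Image().src`, a WebSocket, a form `action` rewrite, or XMLHttpRequest if that is left unwrapped. A CSP with tight `connect-src`, `img-src` and `form-action` is therefore the primary control; the guard adds the telemetry (which script, which origin, which field) that a CSP violation report lacks. Second, the alert endpoint must itself be allow-listed, or the guard will block its own reports.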

From compliance to resilience

As browser-based threats continue to outpace traditional defenses, simply checking the compliance box isn't enough. Organizations must adopt security controls that provide visibility into what actually executes in the end user's browser, while building resilience against future threats. F5 Distributed Cloud Client-Side Defense brings the needed observability, control, and automation to stay ahead of formjacking and Magecart threats, while aligning closely with the demands of PCI DSS v4.0.1.

To learn more, see our F5 Distributed Cloud Client-Side Defense webpage. And if you’re planning to be at this year’s RSA Conference, be sure to attend our April 29 session, “Stronger Together: A Unified Approach to App Security and Delivery” and visit us in Booth N-4335.