In recent years, formjacking and Magecart attacks have surged as dominant threats in the e-commerce and digital payments landscape. These client-side attacks silently siphon sensitive data, including credit card numbers, login credentials, and personally identifiable information (PII) directly from users’ browsers, without ever touching the organization’s servers. The attacks bypass traditional perimeter and server-side defenses by injecting malicious JavaScript into third-party scripts or directly into front-end code.
Understanding formjacking and Magecart
Formjacking relies on injecting malicious JavaScript into online forms to capture user inputs at the browser level. It’s often carried out by exploiting vulnerabilities in third-party scripts or content delivery networks (CDNs), making it difficult to detect using server-side security tools.
Magecart is an umbrella term for a set of cybercriminal groups that specialize in web skimming. These cybercriminal groups typically compromise e-commerce sites by injecting JavaScript code that steals payment data during checkout. This stolen data is then exfiltrated to attacker-controlled domains, often obfuscated or hidden beneath legitimate-looking requests.
Both attack types share a common vector: the browser. And their success hinges on how little visibility organizations have into what actually executes client-side.
Enter PCI DSS v4.0.1: Strengthening client-side security
With the release of the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1, the PCI Security Standards Council directly addresses the growing threat of client-side attacks. For the first time, the PCI SSC has included two client-side requirements, effective March 31, 2025, that target this attack vector:
Requirement 6.4.3: All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
Requirement 11.6.1: A change- and tamper-detection mechanism is deployed as follows:
- To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
- The mechanism is configured to evaluate the received HTTP headers and payment pages.
These new mandates recognize a fundamental truth: client-side scripts are now a critical part of the PCI attack surface. Yet for many organizations, meeting these requirements presents operational and technical hurdles, especially given the dynamic nature of JavaScript ecosystems and reliance on third-party services.
Bridging the visibility gap
Traditional web application firewalls (WAFs), security information and event management solutions (SIEMs), and endpoint tools operate on the server or network perimeter. They lack visibility into the final execution environment: the user’s browser. Once malicious code is injected—whether through a compromised tag manager, CDN, or a third-party supply chain attack—server-side tools often miss the breach entirely. This is where F5 Distributed Cloud Client-Side Defense steps in.
Unlike server-side tools, Distributed Cloud Client-Side Defense operates in the browser itself, providing real-time monitoring, integrity validation, and alerting on malicious behavior as it happens. And we recently updated the service so it’s purpose-built to address the threats outlined in PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1.
F5 Distributed Cloud Client-Side Defense is purpose-built to address the client-side requirements outlined in PCI DSS v4.0.1.
Here’s how it helps:
- Script inventory and authorization: Distributed Cloud Client-Side Defense continuously tracks and maintains an inventory of all scripts executing on payment pages—first-party and third-party. Organizations can establish an allow list of scripts with written justifications and get alerted if new or unauthorized scripts appear, helping to show compliance with 6.4.3.
- Script integrity validation: Distributed Cloud Client-Side Defense validates the integrity of scripts by instrumenting the runtime of the web application to watch for meaningful behavioral changes that are indicative of unexpected and potentially malicious behavior, in particular new network requests and new data accesses.
- Script and security-impacting HTTP header monitoring: Distributed Cloud Client-Side Defense regularly inspects scripts and security-impacting HTTP headers for unauthorized modifications, alerting if changes are detected to help organizations show compliance with 11.6.1.
- Exfiltration detection: Advanced threat models monitor outbound requests for signs of data exfiltration. If a script tries to send captured form data to a suspicious endpoint, alerts are triggered and organizations can take direct mitigation actions to block network calls and form field reads.
- Enterprise-ready alerts and reports: Security and compliance teams gain rich telemetry on script behavior, domain relationships, and browser-side data flows—ideal for PCI audit trails and forensic investigations.
From compliance to resilience
As browser-based threats continue to outpace traditional defenses, simply checking the compliance box isn’t enough. Organizations must adopt security controls that provide visibility into what’s really happening with the end-user experience—while building resilience against future threats. F5 Distributed Cloud Client-Side Defense brings the needed observability, control, and automation to stay ahead of formjacking and Magecart threats—while aligning closely with the new demands of PCI DSS v4.0.1.
To learn more, see our F5 Distributed Cloud Client-Side Defense webpage. And if you’re planning to be at this year’s RSA Conference, be sure to attend our April 29 session, “Stronger Together: A Unified Approach to App Security and Delivery” and visit us in Booth N-4335.