Evidence-based PCI DSS monitoring for merchants. Track every script, header, iframe, and checkout-page change — then generate audit-ready reports your QSA can review with confidence.
New third-party script found on checkout/payment. Review required before baseline approval.
Script inventory, header baseline, scan screenshot, approval notes, and tamper-detection history bundled for review.
Capabilities
Real-browser scans via Playwright capture every script, iframe, redirect, and HTTP header, including dynamically injected content that static analysis can miss.
Track first- and third-party scripts with SHA-256 hashing. Manage approval status, business justification, technical justification, and reviewer notes.
Diff every scan against the approved baseline. New scripts, hash changes, missing headers, and unknown domains are severity-classified.
Capture CSP, HSTS, X-Frame-Options, and other security-impacting headers on every scan to support tamper-detection evidence.
Export 6.4.3 script-inventory reports and 11.6.1 tamper-detection evidence with full approval and scan history.
Maintain an approved list of vendors and third-party domains. Unknown or unexpected sources are surfaced immediately for investigation and documented resolution.
How it works
Add payment pages by URL, environment, and risk rating. Group multi-step checkout flows with parent-child relationships.
Playwright loads each page as a real user would, capturing scripts, headers, screenshots, and redirect chains.
Review the first scan, authorize scripts and header configurations, and lock the approved baseline.
Subsequent scans diff against the baseline. Unauthorized changes create alerts and review items.
Export reports with scan evidence, approval history, and tamper-detection records your QSA can rely on.
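The baseline diff described above, sketched as an added example (not the product's own code): scripts are compared by URL and SHA-256 hash, headers by presence, and each finding is given a severity. The severity labels, host names, and sample scan data are constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Severity labels and ordering are assumptions; the page only says findings are classified.
SEVERITY = {"unknown_domain": "critical", "hash_changed": "high",
            "new_script": "high", "missing_header": "medium"}
RANK = {"critical": 0, "high": 1, "medium": 2}

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def diff_scan(baseline: dict, scan: dict, approved_domains: set) -> list:
    """Return (severity, kind, subject) findings for one scan, worst first."""
    findings = []
    for url, body in scan["scripts"].items():
        if urlparse(url).hostname not in approved_domains:
            kind = "unknown_domain"
        elif url not in baseline["scripts"]:
            kind = "new_script"
        elif baseline["scripts"][url] != sha256_hex(body):
            kind = "hash_changed"
        else:
            continue  # same URL and same bytes as the approved baseline
        findings.append((SEVERITY[kind], kind, url))
    # Header names are case-insensitive, so normalise before comparing.
    seen = {name.lower() for name in scan["headers"]}
    for name in baseline["headers"]:
        if name not in seen:
            findings.append((SEVERITY["missing_header"], "missing_header", name))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1], f[2]))

# Constructed sample data (hypothetical hosts and script bodies).
APPROVED_DOMAINS = {"shop.example", "js.payments.example"}
BASELINE = {
    "scripts": {
        "https://shop.example/static/checkout.js": sha256_hex(b"initCheckout();"),
        "https://js.payments.example/v3/sdk.js": sha256_hex(b"loadCardFields();"),
    },
    "headers": {"content-security-policy": "default-src 'self'",
                "strict-transport-security": "max-age=31536000",
                "x-frame-options": "DENY"},
}
SCAN = {
    "scripts": {
        "https://shop.example/static/checkout.js": b"initCheckout();",
        "https://js.payments.example/v3/sdk.js": b"loadCardFields();track();",
        "https://shop.example/static/promo.js": b"showBanner();",
        "https://cdn.unknown.example/a.js": b"x();",
    },
    "headers": {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"},
}
```

Calling diff_scan(BASELINE, SCAN, APPROVED_DOMAINS) returns the findings a reviewer would need to resolve before the baseline is re-approved.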
Evidence outputs
Package the evidence needed for PCI DSS review: page scans, script authorization records, security header baselines, tamper-detection events, screenshots, and reviewer notes.
Important: This tool provides evidence and monitoring to support PCI DSS compliance. It does not guarantee PCI compliance. Final acceptance rests with the merchant's QSA, acquirer, and payment brand.
Get a clearer view of what is changing on your payment pages and turn monitoring activity into structured compliance evidence.