PCI DSS 6.4.3 & 11.6.1 monitoring

Basket Script compliance, continuously monitored.

Evidence-based PCI DSS monitoring for merchants. Track every script, header, iframe, and checkout-page change — then generate audit-ready reports your QSA can review with confidence.

24/7: Scheduled page monitoring and change detection
SHA-256: Script hashing with approval history
QSA: Evidence packs for compliance review
Live compliance dashboard

Checkout baseline integrity

Healthy
Scripts approved against baseline: 42/42
Headers present on scan: 8/8
Unknown domains awaiting review: 1
Scans: 1,284
Pages: 18
Alerts: 03
Reports: 12
Change detected

New third-party script found on checkout/payment. Review required before baseline approval.

Audit pack status

Ready
Evidence snapshot generated

Script inventory, header baseline, scan screenshot, approval notes, and tamper-detection history bundled for review.

PCI 6.4.3 PCI 11.6.1

Capabilities

Everything your QSA needs to see, in one secure workspace.

Continuous page scanning

Real-browser scans via Playwright capture every script, iframe, redirect, and HTTP header, including dynamically injected content that static analysis can miss.

Script inventory and authorization

Track first- and third-party scripts with SHA-256 hashing. Manage approval status, business justification, technical justification, and reviewer notes.

Change detection and alerting

Diff every scan against the approved baseline. New scripts, hash changes, missing headers, and unknown domains are severity-classified.

HTTP header monitoring

Capture CSP, HSTS, X-Frame-Options, and other security-impacting headers on every scan to support tamper-detection evidence.

Compliance reports

Export 6.4.3 script-inventory reports and 11.6.1 tamper-detection evidence with full approval and scan history.

Domain and vendor registry

Maintain an approved list of vendors and third-party domains. Unknown or unexpected sources are surfaced immediately for investigation and documented resolution.

How it works

From scan to evidence in a controlled approval workflow.

Register your pages

Add payment pages by URL, environment, and risk rating. Group multi-step checkout flows with parent-child relationships.

Scan with a real browser

Playwright loads each page as a real user would, capturing scripts, headers, screenshots, and redirect chains.

Approve a baseline

Review the first scan, authorize scripts and header configurations, and lock the approved baseline.

Monitor for changes

Subsequent scans diff against the baseline. Unauthorized changes create alerts and review items.

Generate evidence

Export reports with scan evidence, approval history, and tamper-detection records your QSA can rely on.

Evidence outputs

Audit-ready reporting without spreadsheet sprawl.

Package the evidence needed for PCI DSS review: page scans, script authorization records, security header baselines, tamper-detection events, screenshots, and reviewer notes.

Script evidence | Header evidence | Approval history
QSA evidence pack: Export ready
Checkout/payment | 42 scripts | Approved
CSP baseline | 8 headers | Matched
Vendor registry | 12 domains | Current
Review queue | 1 item | Review
Last scan evidence | Screenshot + HAR | Stored

Important: This tool provides evidence and monitoring to support PCI DSS compliance. It does not guarantee PCI compliance. Final acceptance rests with the merchant's QSA, acquirer, and payment brand.

Ready to make PCI evidence easier to manage?

Get a clearer view of what is changing on your payment pages and turn monitoring activity into structured compliance evidence.
