PCI Compliance Just Got A Lot Tougher.
We Make It Easier.

DataStealth's PCI Tamper Detection and Protection is a fast, easy, automated solution that solves PCI DSS v4.0 requirements 6.4.3 and 11.6.1 with no code changes, nothing to install, and no user intervention.

One-Pager

It sounds simple, but
nothing could be further from the truth

PCI DSS v4.0 has two new requirements that apply to every organization that is required to be PCI Compliant; no matter what merchant level you are; and no matter what type of SAQ you use (yes - including SAQ-A).

  • Confirm that each script is inventoried
  • Confirm that each script is authorized
  • Assure the integrity of each script
  • Maintain an inventory of all scripts with written justification

Requirement 6.4.3 focuses on the management and integrity verification of payment page scripts but also includes the pages and navigational flows leading up to the payment page. It requires maintaining a comprehensive inventory and conducting periodic validations to ensure script authenticity throughout the entire payment process pathway.

  • Implement a method to detect changes and tampering
  • Implement a method to evaluate the HTTP header and payment page as received by the consumer browser


Requirement 11.6.1 focuses on tamper detection for HTTP headers and the contents of payment pages. This requirement underscores the critical role of browser-level monitoring in web security, especially as web pages increasingly aggregate content from various internet sources.

<scripts> on <scripts> on <scripts>

Website scripts can be useful and convenient, but they can also be really dangerous. Some are easy to understand, and some are not. 

For example, someone in marketing might load a social media analytics script on your website. They may justify it saying that it is required to understand the profile of your visitors. But who is responsible for making sure that script isn’t malicious? Is someone tasked with providing a code review on the social media's analytics page or do you just trust that it doesn't steal data.

Inline Scripts
Scripts within the page

<script type=“text/javascript”> function sayHello() {alert(“Hello World!”)} </script>

1st Party Scripts
Scripts hosted in same domain

<script type="text/javascript" src="/localhost/
javascript.js"></script>

3rd Party Scripts
Scripts from another domain

<script type="text/javascript" src="http://www.google.com/
javascript.js"></script>

...and there is a bigger issue

3rd party scripts are the silent killer. There is a cascading trust issue when you use 3rd party scripts. These 3rd party scripts can be described as a ‘script within a script’. In some cases, the issue cascades, and you find ‘script within a script within a script’, or better summarized as ‘nth party scripts’. In these cases, you cannot see what the actual script at the end of the chain is doing, and many times you cannot add an sub resource integrity (SRI) tag to these 3rd party scripts.

Components and Functionality

Cloud and On-prem

Use the same processes to scan data in all locations.

Distributed Scanning

Use satellite scanning nodes to process data in residency regions or cloud locations.

Read more about our Data Security Platform and core technologies

Explore DSP

Virtually no false positives.

DataStealth is built for enterprise. With fast and easy integration that’s as simple as updating your DNS.

Data Lineage

Classification of not only where sensitive data is located, but also related objects and copies.

API, Demand, or Scheduled

Initiate scans via API integrations, on-demand, or scheduled to run off-hours or on a regular schedule.

what we do

Components and Functionality

Cloud and On-prem

Use the same processes to scan data in all locations.

Protect payment card data.
Reduce PCI audit scope.
Comply with new PCI DSS 4.0 requirements.

Data Lineage

Classification of not only where sensitive data is located, but also related objects and copies.

De-risk non-production environments with high-fidelity substitute data.

Distributed Scanning

Use satellite scanning nodes to process data in residency regions or cloud locations.

API, Demand, or Scheduled

Initiate scans via API integrations, on-demand, or scheduled to run off-hours or on a regular schedule.

DataStealth PCI Tamper Detection and Protection

Ours is an innovative solution specifically designed to meet and exceed the stringent requirements of PCI DSS v4.0, particularly focusing on requirements 6.4.3 and 11.6.1., offering organizations a robust and efficient way to protect against tampering and unauthorized modifications.

100% browser compatibility

Datastealth is not a script-based solution and does not have browser compatibility issues. We support every version of every browser. We are future-proof.

Unlike solutions that may prevent some elements from executing but not from being downloaded, DataStealth ensures comprehensive protection by blocking unauthorized elements from reaching the consumer's browser.

Block threats
before they reach the consumer

With privacy legislation giving customers the right to information and the right to be forgotten, seamless data discovery and classification has never been more important.

Network Protocols and Payloads

Supports all major network protocols and payloads including databases, filestores, and file types

Secure Storage

Fragmented, distributed storage with resiliency and redundancy that’s computationally unbreachable

Scalable Architecture

Scale up and out with microservice-based architecture

Centralized Key Management

Support internal and external key integration, designed in accordance with NIST SP800-57. Includes rigorously encrypted single-vault architecture supporting multi-party authentication.

3rd Party Integration

Find data from structured and unstructured sources, without needing to supply locations to search.

Patented DataStealth tech

Our patents ensure we can provide customers with a robust solution they can’t find anywhere else.

Real-Time Script Cataloging

Each time a payment page is loaded, DataStealth dynamically analyzes its structure to catalogue each script in real-time, ranging from directly embedded scripts to those loaded dynamically from external sources.

Comprehensive Script Integrity Checks

For scripts hosted on the payment page, DataStealth employs a sophisticated validation process each time the page is sent from your web server to the consumer browser.

Real-Time Tamper Detection

Unlike conventional methods that perform periodic checks, DataStealth reviews the HTTP headers and the content of payment pages every time they are sent to a consumer browser.

Dynamic Content Monitoring

During the initial onboarding phase, DataSealth performs a comprehensive review of a client's web applications. This involves a thorough examination of scripts, CSS and third-party elements using a script injection method to identify all external and dynamic content.

Integration with Change Control Systems

DataStealth's Tamper Protection seamlessly integrates with clients' change control systems, ensuring that tamper alerts align with internal protocols and compliance.

Traffic Management

We establish a process in advance with our clients, allowing them to select their preferred level of protection against unauthorized changes. This process can range from blocking traffic on payment pages when a tamper alert is received, to simply notifying a designated contact while keeping the page active.

Pre-Approved Change Windows

When updates to the payment pages are anticipated, DataStealth coordinates with clients to inform them about the timing of these changes. This allows us to temporarily disable alerts and notifications during the update process, ensuring no false alarms are triggered. After the updates are completed, we proceed to review the changes.

Ready to see it in action?