PCI DSS 4.0 Requirement 6.4.3 mandates that every script loaded and executed in the consumer's browser on a payment page, including third-party scripts pulled from CDNs, analytics providers, and tag managers, must be inventoried, justified in writing, confirmed as authorized, and protected by an integrity-assurance method. It was a future-dated requirement in v4.0, treated as best practice until 31 March 2025 and mandatory after that date.
What Requirement 6.4.3 Mandates
The requirement has three distinct components: an inventory of all scripts on payment pages, an authorization mechanism confirming each script is needed, and integrity verification preventing unauthorized modification.
// Scope Warning
If your payment page loads a tag manager (Google Tag Manager, Tealium, etc.), the tag manager's own loader and every script it injects are in scope, including scripts added later by a tag configuration change that never touched your code base. You cannot disclaim responsibility for scripts loaded through intermediaries you control; the requirement is about what executes in the cardholder's browser, not about who authored it.
Implementing Subresource Integrity
For scripts loaded from CDNs, Subresource Integrity (SRI) provides cryptographic verification: you declare a hash of the expected script bytes in the `integrity` attribute of the `<script>` tag, and the browser refuses to execute any response whose SHA-256, SHA-384 or SHA-512 digest does not match. Two caveats matter in practice. First, a cross-origin script must be loaded with `crossorigin="anonymous"` and the CDN must send CORS headers, otherwise the browser cannot read the response bytes and the integrity check fails. Second, SRI only works for scripts whose bytes are fixed: a tag manager loader or a vendor script that updates in place will fail the check and stop executing, so those scripts need a different integrity method (for example a Content Security Policy combined with change monitoring), and a script loaded dynamically by an SRI-protected script is not covered by the parent's hash.