eSkimming Security in Practice 

A practical webinar on the evidence QSAs actually ask for, what weak coverage looks like, and how to reduce audit friction for PCI DSS requirements 6.4.3 and 11.6.1 before your next assessment.  


May 7th at 2:00PM

Most organizations are no longer asking what PCI DSS 6.4.3 and 11.6.1 require. They are asking more practical questions: Do we have adequate controls in place for eSkimming prevention? Will our evidence hold up when a QSA reviews it? 

Script ownership is spread across teams. Inventories go stale. Justifications are weak or missing. Monitoring processes look fine until someone asks how often changes are reviewed, what is in scope, or how unauthorized scripts and header changes are identified.

Teams that rely on spreadsheets, screenshots, or partial controls often find out too late that they have activity, but not evidence. 

In this session, we will translate the requirements found in 6.4.3 and 11.6.1 into the workflows and evidence patterns that tend to stand up in a real assessment. We will cover what assessors expect to see, where organizations usually get questioned, and how to build an approach that is workable for security, compliance, and digital teams. 

What you will learn

  • What “good” looks like for script authorization, integrity, inventory, and justification
  • What evidence tends to satisfy a QSA for PCI DSS 6.4.3
  • What assessors are looking for in payment page and header change monitoring under 11.6.1
  • The common reasons teams get flagged, delayed, or asked for more evidence
  • Where manual processes, DIY approaches, CSP, and SRI tend to fall short in practice
  • How to reduce audit friction while improving client-side security
  • What steps to take now if your current process is incomplete, overly manual, or hard to defend

What you will walk away with

A clearer view of what assessors inspect, what acceptable evidence looks like, and how to tighten your process before the next review cycle. If your team is still relying on screenshots, spreadsheets, and partial visibility, this session will help you see where those gaps show up fast.

Who should attend

  • CISOs and security leaders responsible for payment page security
  • PCI and compliance professionals preparing for assessment review
  • Ecommerce, web, and digital leaders who manage scripts and site changes
  • Teams using a homegrown process and trying to understand whether it will hold up

Register now to see what gets flagged, what passes review, and what to fix before your next assessment.