If your organization accepts credit cards online, you likely know about PCI compliance. You also may be aware of PCI DSS 4.0, which introduces new requirements that must be met by March 31, 2025. A web application firewall (WAF) with client-side protection is an excellent solution for meeting the web application requirements, particularly PCI DSS 4.0 Requirements 6.4.2, 6.4.3, and 11.6.1.

Why is the PCI Security Standards Council (SSC) making these recommendations? And why is Fortra Managed WAF ideal for addressing these new PCI requirements?

What Are PCI DSS 4.0’s Web App Requirements?

PCI DSS documents are free and available online. PCI DSS 4.0 includes three requirements that can be addressed by a WAF with client-side protection features:

  • Requirement 6.4.2 explicitly requires that a WAF be used to continually detect and prevent web-based attacks. As of March 31, 2025, WAFs will no longer be optional and become a required element for PCI merchants.
  • Requirement 6.4.3 requires that all page scripts executed by the client browser be authorized by the PCI merchant. The PCI merchant is also responsible for assuring the integrity of all page scripts and maintaining an inventory of all scripts.
  • Requirement 11.6.1 requires the PCI merchant to deploy a tamper-detection mechanism for the HTTP headers and contents of payment pages sent to client browsers.

As you can see from the above PCI DSS Requirements, all PCI merchants must have a WAF with client-side protection features by March 31, 2025, to remain compliant.

What’s Behind the New PCI DSS Requirements?

Why did the PCI Security Standards Council mandate these new Requirements? No, it’s not because WAF vendors took them out to sushi dinners.

The main culprit is Magecart (or web skimming) attacks that compromised the credit card and personal information of millions of customers and end users, resulting in hundreds of millions of dollars in credit card costs and losses for financial institutions, as well as fines for PCI merchants. These attacks continue to grow in sophistication, and Magecart remains a significant threat to all online businesses.

What Is a Magecart Attack & How Does It Work?

You’re probably familiar with credit card skimmers at the gas station pump. Criminals replace credit card readers with skimmers at the gas pump. Unsuspecting customers swipe their credit cards through the skimmers, and the criminals collect the credit card information.

Magecart attacks work in a similar fashion. Criminal attackers hack a PCI merchant’s servers, third-party component sources, or even other webpage sources such as content delivery networks (CDNs) and cloud storage (AWS S3 buckets or Azure Blob Storage). The attackers install software skimmers into page scripts (JavaScript) or other active content. Client browsers unwittingly load the compromised content and execute the software skimmer, sending credit card information to the attacker’s drop server.

Magecart attacks are stealthy by design. They do not disrupt the normal function of the compromised payment pages. Consequently, they often remain undetected for days or weeks, all the while skimming customer credit card information.

As you can see, when successful, these attacks can get expensive quickly. A high-traffic website can easily leak hundreds of thousands of credit card details in a matter of days.

How Does Fortra Managed WAF Defend Against Magecart & Other Client-Side Attacks?

Fortra Managed WAF provides two key modules to address client-side attacks:

1. Page Script Integrity module: This automatically identifies all scripts (JavaScript) in protected URLs (at a minimum, the payment processing pages). Once identified, the module provides the mechanism to explicitly authorize individual scripts for execution on the client browser, and an integrity check to assure the integrity of each script. Fortra Managed WAF’s Page Script Integrity module directly addresses PCI Requirement 6.4.3.

The Page Script Integrity module supports both inline and external scripts. Most other client-side protection solutions on the market force you to convert inline scripts to external scripts. Fortra Managed WAF manages inline scripts without modifications. No need to create more work for your development teams.

2. Content Security Policy module: Automatically identifies active content on protected URLs (at a minimum, the payment processing pages). Once identified, the module automatically crafts a W3C-standard Content-Security-Policy header, which provides a mechanism to approve content and to receive notification of tampering. The tamper detection specifically addresses PCI Requirement 11.6.1.

But Fortra Managed WAF’s Content Security Policy module takes the protection one step beyond PCI Requirement 11.6.1. Our WAF enables PCI merchants to not just detect tampering, but to immediately stop browsers from executing unapproved content or content that’s been tampered with.
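To make the script-authorization, integrity and tamper-notification pieces above concrete, here is an added Python example (not Fortra’s code, and not a description of how the Fortra modules are implemented) that inventories the scripts on a constructed payment page, emits a Content-Security-Policy `script-src` allow-list built from external origins and SHA-256 hashes of inline scripts, and flags anything on a served page that the approved inventory does not cover. The page markup and the `/csp-report` endpoint are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample payment page (not from the original post).
PAYMENT_PAGE = """<html><head>
<script src="https://cdn.example-pay.test/checkout.js"></script>
<script>document.getElementById('pan').focus();</script>
</head><body></body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def csp_hash(inline_source: str) -> str:
    """CSP hash source for an inline script: base64(SHA-256(body)) over the exact bytes."""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def script_inventory(html: str) -> dict:
    """Inventory every script tag: external scripts by origin, inline scripts by hash."""
    inventory = {"external": [], "inline": []}
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            parts = urlsplit(src.group(1))
            inventory["external"].append(f"{parts.scheme}://{parts.netloc}")
        else:
            inventory["inline"].append(csp_hash(body))
    return inventory

def build_csp(inventory: dict, report_endpoint: str) -> str:
    """Allow-list only the approved origins and inline hashes; report violations."""
    sources = ["'self'"] + sorted(set(inventory["external"])) + inventory["inline"]
    return f"script-src {' '.join(sources)}; report-uri {report_endpoint}"

def unauthorized_scripts(served_html: str, approved: dict) -> list:
    """Return scripts on the served page that the approved inventory does not cover.

    A browser enforcing the CSP from build_csp() would refuse to run exactly these.
    """
    seen = script_inventory(served_html)
    extra = [o for o in seen["external"] if o not in approved["external"]]
    extra += [h for h in seen["inline"] if h not in approved["inline"]]
    return extra
```

Because the inline hash is over the exact script bytes, any edit to an authorized inline script changes its hash, so the modified script both fails the integrity check and falls outside the CSP allow-list.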

With both Page Script Integrity and Content Security Policy enabled on payment pages, the Fortra Managed WAF meets and exceeds all WAF PCI Requirements (6.4.2, 6.4.3, and 11.6.1) and virtually eliminates all Magecart and XSS attacks.

Why Fortra Managed WAF vs. the Competition?

Three reasons: Fully managed service, first-party support, and value.

Fully managed service

As of March 31, 2025, PCI DSS 4.0 sections 6.4.2, 6.4.3, and 11.6.1 will no longer be best practices but become mandatory requirements. This means PCI merchants must continuously maintain and approve the inventory of contents and scripts on their payment pages to remain PCI compliant. The critical takeaway is ALWAYS: compliance is continuous, not a one-time exercise.

Managing a WAF internally means the merchant must retain the expertise to configure and operate it. If the sole WAF technician leaves, the merchant risks falling out of compliance. A fully managed WAF service ensures PCI compliance without the need for a large IT staff, eliminating the risk of non-compliance due to employee turnover.

What happens when a PCI merchant manages a WAF themselves? The PCI merchant takes on the responsibility to maintain the expertise to configure and operate a WAF. So, what happens when the one WAF technician decides to leave?

First-party support

Practically every WAF vendor advertises a “managed” service. What’s the difference?

For most WAF vendors, managed service is not their core business.

With CDNs, their goal is to sell CDN and hosting services; WAF is already a sideline business. CDNs are not in the business of providing managed services.

For appliance/hardware developers, their goal is to sell more boxes.

Most of these WAF vendors refer their managed service offerings to third parties, such as partners or resellers. The WAF technically may be managed, but by a third party who only has indirect access to the WAF’s product development process.

In contrast, Fortra Managed WAF has always been a managed service offering. You can’t purchase it without the comprehensive management component. Every individual involved — from deployment engineers to security analysts and developers — is part of our team. Our WAF engineers who oversee the managed service attend weekly meetings with the Fortra WAF developers. This tight-knit team ensures the entire group has a say in shaping the product roadmap, driven by customer input. That means if a customer’s requirements cannot be met with our existing WAF product, there’s a direct pipeline to Fortra’s WAF development team to address these gaps.

Value

Client-side protection is a standard part of the Fortra Managed WAF subscription. There’s no external component to manage, no extra cost. The same team that manages the regular WAF policies manages the client-side protection.

Unlike most WAF vendors, who treat client-side protection as a separate product or tack on extra fees, we streamline the process. You won’t face additional costs or the hassle of managing another tool — our solution integrates seamlessly, offering comprehensive protection from the start.

With our truly fully managed WAF solution, we handle the client-side protection configuration work for you. All you do is authorize the content. The managed service is part of the regular license.

As a fully managed service, Fortra Managed WAF takes the worry out of PCI compliance for merchants, eliminating the need for extra staffing. Being the first-party vendor managing the WAF means the people who manage the WAF have direct access to those who develop it. Plus, with the standard Fortra Managed WAF subscription, you’ll have everything you need included, with no hidden costs or extra modules to configure.

Ready to see Fortra Managed WAF in action? Schedule a demo today.

Additional Resources:

Overcoming PCI DSS Compliance Challenges | eBook

PCI DSS 4.0: Understanding the Expanded Role of Web Application Firewalls | Blog

Understanding PCI ASV: A Crucial Component in Securing Payment Card Data | Blog

About the Author
Samuel Lam is a Principal Implementation Engineer at Fortra's Alert Logic. He has been with the organization since 2014 and has architected/deployed thousands of WAFs just about everywhere, including AWS, Microsoft Azure, Google Cloud, VMWare, and a few basements that are too secret for him to visit.
