ClientSideIntel FAQs
Common questions, straight answers.
Everything you need to know about PCI DSS 4.0.1, client-side security scanning, and how ClientSideIntel works — no jargon, no runaround.
About the scan
What is a Free PCI DSS 4.0.1 Client-Side Security Scan?
A Free PCI DSS 4.0.1 Client-Side Security Scan inspects your website's browser layer for third-party scripts, security header gaps, TLS configuration, and exposure indicators relevant to Requirements 6.4.3 and 11.6.1 — the mandatory payment-page controls that became fully enforceable on March 31, 2025. Results appear instantly with no account required.
What does the free scan actually check?
The free scan checks five things on your domain's publicly accessible homepage:
HTTPS enforcement — Is your site accessible only over a secure connection?
TLS validity — Is your TLS certificate valid and correctly configured?
External script count — How many third-party JavaScript files are loading?
Tag manager detection — Is Google Tag Manager, Tealium, or similar high-risk tooling present?
Security headers — Are Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy present and configured?
Each check maps directly to PCI DSS 4.0.1 browser-layer requirements. Your overall risk rating — LOW, MODERATE, HIGH, or CRITICAL — is calculated from the combined findings.
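The header, external-script and tag-manager checks above can be reproduced against a single fetched page. The example below is added here and is not ClientSideIntel's own scanner code; it works on a constructed response (headers plus HTML) so it runs offline, leaves out the HTTPS-enforcement and TLS checks (which need a live connection), uses a regex rather than a DOM parser for script tags, and assumes a short list of tag-manager hostnames.

```python
import re
from urllib.parse import urlparse

# Constructed sample response (not captured from any real site). Three of the
# five headers the scan looks for are absent, and one script is a tag manager.
SAMPLE_URL = "https://shop.example/"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX"></script>
<script src="//cdn.example-analytics.net/track.js"></script>
<script>console.log("inline, not counted as external");</script>
</head><body></body></html>"""

# The five response headers the free scan checks for.
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
)
# Hostnames used by the tag managers named on this page (assumed list; extend as needed).
TAG_MANAGER_HOSTS = ("googletagmanager.com", "tiqcdn.com")
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def missing_headers(headers):
    """Required security headers absent from the response (names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def external_scripts(page_url, html):
    """src values of <script> tags served from a host other than the page's own."""
    own_host = urlparse(page_url).hostname
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for relative paths such as /static/app.js
        if host and host != own_host:
            found.append(src)
    return found


def tag_managers(script_srcs):
    """External script URLs whose host matches a known tag manager."""
    return [s for s in script_srcs
            if any(t in (urlparse(s).hostname or "") for t in TAG_MANAGER_HOSTS)]


def scan_page(page_url, headers, html):
    """Header, external-script and tag-manager checks on one fetched page."""
    ext = external_scripts(page_url, html)
    return {
        "missing_headers": missing_headers(headers),
        "external_script_count": len(ext),
        "tag_managers": tag_managers(ext),
    }
```

On the sample, the result reports three missing headers, two external scripts and one tag manager; a relative path and an inline script are not counted as external.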
How long does the scan take?
Typically 5–15 seconds. The scanner connects to your domain, inspects TLS and HTTPS configuration, analyzes HTTP security headers, enumerates third-party scripts, and calculates your risk rating — all in a single automated pass. Results appear directly on the page when complete.
Why does it only scan my homepage?
The free scan is designed to give you an immediate, no-friction baseline. Your homepage is always publicly accessible and gives a useful first signal on your browser-layer security posture.
However, PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1 specifically target your payment pages, checkout flows, cart pages, and login pages — not your homepage. A clean homepage result does not confirm compliance. That's exactly what the Deep Scan is for.
Important: If you accept payments online, the pages that matter most for PCI DSS 4.0.1 are your checkout and payment flows — not your homepage. The free scan is a starting point, not a compliance confirmation.
Can I scan any domain, or only my own?
The free scanner checks publicly accessible pages — the same view any browser would get without logging in. You can scan any publicly reachable domain. However, you should only run scans on domains you own or have explicit authorization to test. Scanning third-party domains without permission may violate their terms of service or applicable laws.
PCI DSS 4.0.1
What is PCI DSS 4.0.1 and why does it matter for my website?
PCI DSS (Payment Card Industry Data Security Standard) is the security framework required by Visa, Mastercard, American Express, Discover, and JCB for any business that accepts, processes, or stores payment card data. Version 4.0 — updated to 4.0.1 — is the current mandatory standard.
Version 4.0 introduced significantly stronger requirements around browser-layer security. If your website loads third-party JavaScript on any page where customers enter payment details, you are directly in scope for Requirements 6.4.3 and 11.6.1, which became fully enforceable on March 31, 2025.
What are Requirements 6.4.3 and 11.6.1?
These are the two most significant new requirements in PCI DSS 4.0.1 for e-commerce merchants:
Requirement 6.4.3 — Script Inventory and Authorization. Every JavaScript file loading on your payment or checkout pages must be inventoried, have a documented business justification, and have a method to verify its integrity. This directly targets web skimming attacks where malicious scripts silently steal card data from the browser.
Requirement 11.6.1 — Tamper Detection. You must have a mechanism that detects and alerts on unauthorized changes to payment page scripts and HTTP security headers. This must operate in near real-time for script-level changes.
Both requirements have been mandatory with no grace period since March 31, 2025.
My payment platform says it's PCI compliant. Doesn't that cover me?
Not for Requirements 6.4.3 and 11.6.1. Shopify, WooCommerce, Magento, and similar platforms handle server-side payment infrastructure — but your checkout page is a browser experience. It loads your own JavaScript, plus Google Tag Manager, analytics tools, chat widgets, pixel trackers, and other third-party scripts.
Every script that loads in the customer's browser during checkout is in scope for Requirement 6.4.3 — regardless of where payment processing happens on the backend. A platform can be fully PCI-compliant on its servers while your storefront is failing a critical browser-side requirement.
A platform's PCI compliance certification covers their infrastructure — not the scripts your storefront loads in the customer's browser. That responsibility stays with you.
What happens if I'm non-compliant?
Non-compliance carries real financial and operational risk — even before a breach occurs:
Fines: Card brands can levy $5,000–$500,000 per incident for non-compliant merchants involved in a data breach.
Loss of processing: Your acquiring bank can suspend or terminate your ability to accept card payments.
Breach liability: If a breach occurs while non-compliant, you bear full liability for forensic investigation costs, card reissuance fees, and customer claims.
Forensic audit: Post-breach, a mandatory PFI (PCI Forensic Investigator) engagement typically costs $20,000–$100,000 or more.
Increased fees: Processors can raise interchange rates for merchants who fail to validate annual compliance.
What is a Magecart attack and how does it relate to PCI DSS 4.0.1?
Magecart is an umbrella term for criminal groups that inject malicious JavaScript into e-commerce checkout pages to silently capture card numbers as customers type them — a technique called web skimming or formjacking. Victims have included British Airways, Ticketmaster, Newegg, and thousands of smaller merchants.
PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1 were introduced specifically to address this threat. By requiring merchants to inventory every script, verify its integrity, and monitor for unauthorized changes, the standard aims to detect and prevent web skimming at the browser layer.
ClientSideIntel's scanner checks for exactly the indicators that would enable or mask a Magecart-style attack on your checkout pages.
Deep Scan report
What is included in the $79 Deep Scan report?
The Deep Scan is a comprehensive client-side security assessment delivered as a PDF report to your email. It covers:
Multi-page scanning — checkout, cart, login, account, and payment flows — not just the homepage
Full script inventory — every inline and external JavaScript file detected across scanned pages
Third-party JavaScript risk analysis — risk classification for each external dependency
Security header deep review — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
PCI DSS 4.0.1 gap indicators — specific findings mapped to Requirements 6.4.3, 11.6.1, 4.2.1, and 6.3.3
Evidence-based findings — exact technical evidence for each finding, suitable for QSA review
Plain-English risk summary — what it means and what to do next
PDF report delivered by email — same-day delivery, no subscription required
How do I order a Deep Scan?
Order directly at our secure checkout — enter your domain name in the order form and we'll cover the standard set of pages: checkout, cart, login, account, and payment flows. Your PDF report is delivered to your email the same day. You can also reach us at hello@clientsideintel.com with any questions before ordering.
How quickly will I receive my Deep Scan report?
Same-day delivery in most cases. Once your order is confirmed, the scan runs automatically and your PDF report is generated and emailed to you. If you place your order during business hours, expect delivery within a few hours. Orders placed evenings or weekends are typically delivered the next morning.
Can I share the Deep Scan report with my QSA or compliance team?
Yes, and we encourage it. The Deep Scan report is structured to be useful as pre-assessment documentation when working with a Qualified Security Assessor. The evidence-based findings format — with exact URLs, script sources, header values, and requirement mappings — gives your QSA a clear picture of your client-side exposure before a formal engagement begins.
ClientSideIntel reports are not a substitute for a formal QSA assessment or PCI certification. They are a tool for understanding your browser-layer risk and preparing for compliance review.
Is the $79 Deep Scan a one-time fee or a subscription?
One-time, per domain. There is no subscription, no auto-renewal, and no ongoing commitment. Many customers order a follow-up scan after remediating findings to confirm their fixes are reflected — that would be a separate $79 order. There is no limit on how many domains or rescans you can order.
Understanding your results
What do the risk ratings — LOW, MODERATE, HIGH, CRITICAL — mean?
Your risk rating reflects the severity and combination of findings detected on your scanned page:
LOW — No significant browser-layer risk indicators detected. Security headers are present, TLS is valid, and no high-risk third-party scripts were flagged. Still worth reviewing with a Deep Scan if you accept payments.
MODERATE — Some security headers are missing or misconfigured, or third-party script exposure warrants review. These gaps may be relevant to your next compliance review.
HIGH — Multiple security header gaps and/or significant third-party script exposure detected. These findings are directly relevant to PCI DSS 4.0.1 browser-layer controls and should be addressed.
CRITICAL — Significant browser-layer exposure indicators detected. This domain should be reviewed against Requirements 6.4.3 and 11.6.1 promptly. A HIGH or CRITICAL rating on your homepage often signals more severe findings on checkout and payment pages.
My homepage came back LOW or clean. Does that mean I'm PCI compliant?
No. A clean homepage result is a good sign but not a compliance confirmation. PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1 specifically target your payment pages, checkout flows, cart pages, and login pages — all of which typically load more third-party scripts and have different security header configurations than your homepage.
If you accept payments online, the only way to know your actual compliance posture is to scan those payment-sensitive pages directly — which is exactly what the Deep Scan covers.
What should I do with my scan results?
Start by reviewing each finding against the description provided. For most gaps — missing headers, weak CSP, external scripts without SRI — your development team or hosting provider can implement fixes. Common next steps:
1. Share the findings with your developer or DevOps team
2. Prioritize missing security headers — most can be added at the server or CDN level in under an hour
3. Begin building your script inventory for any pages where customers enter payment data
4. Order a Deep Scan to get full coverage of your checkout and payment pages
5. Share the Deep Scan report with your QSA if you're approaching a formal compliance review
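Step 3 above (building the script inventory) and the Requirement 6.4.3 / 11.6.1 description earlier on this page both come down to the same two pieces of work: record every script on a payment page with an integrity hash and a justification, then diff fresh snapshots against that approved baseline. The example below is added here and is not ClientSideIntel's code or a PCI-defined format; the checkout HTML and script bodies are constructed samples, the `bodies` mapping stands in for fetching each external script, and script tags are matched with a regex rather than a DOM parser.

```python
import base64
import hashlib
import re

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([\w-]+)=["']([^"']*)["']""")

# Constructed sample checkout page and script bodies (not from any real site).
# The first script already carries an integrity attribute; the second does not.
CHECKOUT_HTML = """<script src="https://cdn.example/checkout.js" integrity="sha384-placeholder"></script>
<script src="https://cdn.example-analytics.net/track.js"></script>
<script>window.cartId = 42;</script>"""
APPROVED_BODIES = {
    "https://cdn.example/checkout.js": b"function pay() {}",
    "https://cdn.example-analytics.net/track.js": b"function track() {}",
}
# A later snapshot: track.js changed on the vendor's CDN and an unreviewed script appeared.
LATER_HTML = CHECKOUT_HTML + '\n<script src="https://static.unknown-vendor.example/widget.js"></script>'
LATER_BODIES = {
    "https://cdn.example/checkout.js": b"function pay() {}",
    "https://cdn.example-analytics.net/track.js": b"function track() { /* changed */ }",
    "https://static.unknown-vendor.example/widget.js": b"function widget() {}",
}


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def build_inventory(html, bodies):
    """One entry per <script> on the page: its current hash, whether SRI is set,
    and a justification slot the merchant fills in (Requirement 6.4.3).
    bodies maps each external src to the bytes served for it."""
    inventory = {}
    for attrs, inline in SCRIPT_TAG_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        if "src" in a:
            key, content = a["src"], bodies[a["src"]]
        else:  # inline scripts are keyed by their own content hash
            content = inline.strip().encode()
            key = "inline:" + hashlib.sha256(content).hexdigest()[:12]
        inventory[key] = {"hash": sri_hash(content), "has_sri": "integrity" in a,
                          "justification": None}
    return inventory


def detect_changes(baseline, current):
    """Diff an approved inventory against a fresh one (Requirement 11.6.1 style)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k]["hash"] != current[k]["hash"]),
    }


def example_changes():
    """Baseline from the approved page, then the later snapshot diffed against it."""
    baseline = build_inventory(CHECKOUT_HTML, APPROVED_BODIES)
    return detect_changes(baseline, build_inventory(LATER_HTML, LATER_BODIES))
```

The `hash` value is in the form an `integrity` attribute takes, so the same inventory can be used to add SRI to external scripts that lack it; a changed inline script shows up as one entry removed and another added.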
The scan flagged Google Tag Manager. Is that a problem?
Tag managers are flagged because they are high-risk multipliers under PCI DSS 4.0.1. GTM and similar tools don't just load one script — they load any script that has been configured inside them, including scripts that may have been added, modified, or compromised without your knowledge.
A tag manager on a payment page means the script inventory problem gets significantly more complex: you need to document and authorize not just the tag manager itself, but every tag and script it fires on your checkout pages.
Detection of a tag manager is not an automatic failure — but it does require careful review of what's being loaded through it.
Privacy & data
Does the scan access my private systems or customer data?
No. ClientSideIntel scans only publicly accessible pages — the same pages any visitor would see in their browser without logging in. No login credentials, private systems, backend access, admin panels, or customer data are ever accessed, touched, or stored. The scanner operates entirely at the public browser layer.
Do you store my scan results or domain history?
Free scan results are not permanently stored or tied to an account — there is no account to create. Scan data is used to generate your results and calculate your risk rating. Deep Scan reports are retained only long enough to deliver your PDF by email. We do not build persistent profiles of scanned domains or sell scan data to third parties.
Will running this scan affect my website's performance or visitors?
No. The scan makes a small number of standard HTTP requests to your publicly accessible pages — the same type of requests a regular browser or search engine bot makes. It does not place load on your server, interact with your database, or affect any visitor's experience. Most web servers process these requests without any noticeable impact.
About ClientSideIntel
Is ClientSideIntel a QSA or PCI certification provider?
No. ClientSideIntel is not a Qualified Security Assessor, auditor, or PCI certification provider. Our scans identify publicly observable client-side security indicators and PCI DSS 4.0.1 readiness signals. We help you see your browser-layer exposure clearly so you can take action.
Final compliance determinations — including your formal SAQ (Self-Assessment Questionnaire) or ROC (Report on Compliance) — must be completed with your QSA, compliance team, or payment processor. ClientSideIntel is a tool for visibility, not certification.
Who is ClientSideIntel built for?
ClientSideIntel is built for anyone responsible for a website that handles customer data, processes payments, or needs to demonstrate PCI DSS 4.0.1 browser-layer readiness:
E-commerce merchants — Shopify, WooCommerce, Magento, custom stores — who need to understand their checkout page exposure
SaaS teams — who have login and billing pages in scope for client-side requirements
Agencies — managing compliance posture across multiple client websites
Compliance & security teams — who need browser-layer evidence to support QSA reviews or internal audits
Developers — who want to understand what's loading on their payment pages before an assessor does
How do I get in touch?
Email us any time at hello@clientsideintel.com. Whether you have a question about your scan results, want to order a Deep Scan, or need help understanding a finding — we're here. We typically respond within a few hours during business hours.
Compliance notice: ClientSideIntel is not a QSA, auditor, or PCI certification provider. Our scans identify publicly observable client-side security indicators and PCI DSS 4.0.1 readiness signals. Final compliance determinations should be reviewed with your qualified security assessor, compliance team, or payment processor. ClientSideIntel scans public-facing pages only and does not access, store, or interact with private systems, credentials, or customer data.
Still have a question?
Can't find what you're looking for? Email us directly — we'll get back to you the same day.
hello@clientsideintel.com