PCI DSS 4.0.1 compliance.
Plain English.

Insights on client-side security, payment page risk, browser-layer threats, and what the new mandatory requirements actually mean for your business.

Compliance

PCI DSS 4.0.1 Is Here. Most Online Stores Don't Know They're Already Violating It.

What changed, when it became mandatory, and the real cost of non-compliance — explained for anyone who runs an online store.

Deep Dive

What Is Req 6.4.3 and Why Is It Shutting Down Merchants?

A deep dive into the script inventory and authorization requirement — what it demands, and how to actually build one.

Threat Intelligence

How Magecart Works: A Plain-English Breakdown of Web Skimming

The attack that PCI DSS 4.0.1 was built to stop — how it works, who's been hit, and what your checkout page looks like to an attacker.

Deep Dive

Req 11.6.1: Building a Tamper Detection Mechanism Your QSA Will Accept

Real-time alerting requirements explained — what counts as a compliant mechanism and what doesn't.

High Risk

Google Tag Manager and PCI DSS 4.0.1: What Every Store Owner Needs to Know

Tag managers are among the highest-risk vectors on checkout pages. Here's why PCI DSS 4.0.1 puts them under a microscope.

Common Misconceptions

"My Platform Is PCI Compliant" — Why That's Not the Whole Story

Shopify, WooCommerce, Magento — platform compliance and browser-layer compliance are two very different things.

Tools & Guides

Free PCI Compliance Scan: What It Actually Checks (And What It Misses)

Most free PCI compliance scans check your infrastructure layer — SSL, ports, headers. None of them check the browser layer of your checkout page. Here's the gap that actually matters.

Deep Dive

What You Get From a CSI Deep Scan — Every Section, Every Finding, Explained

The $79 CSI Deep Scan is a full PCI DSS 4.0.1 client-side security assessment delivered as a PDF. Here's a complete walkthrough of every section in the report before you order.

Compliance

PCI DSS 4.0.1: What Changed, What Stayed the Same, and What It Means for Your Checkout Page

PCI DSS 4.0 was retired December 31, 2024. 4.0.1 is now the only active standard. Here's the full breakdown — and why Requirements 6.4.3 and 11.6.1 still apply to your checkout exactly as before.

Case Study

Your Homepage Passed. Your Checkout Didn't.

A national hospitality brand's homepage returned LOW risk on a surface scan. A deep scan of their payment pages returned CRITICAL. Here's the gap PCI DSS 4.0.1 was written to close.

Research

We Scanned 100,000 E-Commerce Domains for PCI DSS 4.0.1 Client-Side Risk — Here's What We Found

37% of scanned domains showed active browser-layer exposure on payment pages. Full methodology, findings breakdown, and what it means for merchants post-March 2025.
