The CSI Deep Scan report includes: a risk-level executive summary, full scan metrics, PCI DSS 4.0.1 compliance status for Requirements 6.4.3 and 11.6.1, a complete script findings breakdown by severity, browser security layer analysis, transport layer and TLS assessment, advanced Magecart-pattern threat analysis, a full third-party vendor exposure inventory, and prioritized remediation recommendations — all delivered as a confidential PDF to your email, automatically, upon scan completion.
When you run a free PCI DSS scan on your homepage, you get a surface-level picture. It's useful — but the free scan only covers your public-facing pages and doesn't touch the pages that actually matter for PCI DSS 4.0.1 compliance.
The CSI Deep Scan goes further. It covers your checkout, cart, login, account, and payment pages — the exact pages that Requirements 6.4.3 and 11.6.1 are written around — and produces a 10-page confidential PDF report with evidence-based findings you can take directly to your development team, hosting provider, or QSA.
Here's a complete walkthrough of every section in the report.
Cover Page & Risk Level
The report opens with your domain, scan date, unique scan ID, and a single, unambiguous risk determination: CLEAN, LOW, MODERATE, HIGH, or CRITICAL. No interpretation required. You know immediately where you stand.
The cover also displays your top-line metrics at a glance — pages analyzed, total scripts detected, total findings, critical findings, high findings, and whether a Content Security Policy is present. For most merchants seeing this for the first time, that script count alone is a wake-up call.
Scan Summary Table
Page two is your complete scan data table — every metric from the assessment in one place. This includes your target domain, scan date, unique scan ID, scan mode, overall risk level, pages analyzed, unique scripts detected, inline scripts, form targets, iframe origins, total findings, and a full breakdown by severity category.
This section also contains the PCI DSS 4.0.1 Compliance Status block — a plain-language determination for each relevant requirement:
- Requirement 6.4.3 (script integrity): The report states clearly whether third-party scripts on your scanned pages are executing without Subresource Integrity controls — and how many. This is the mandatory control that became enforceable on March 31, 2025. If scripts are loading without SRI or equivalent integrity enforcement, you have a documented finding against Requirement 6.4.3.
- Requirement 11.6.1 (tamper detection): The report documents whether a Content Security Policy with a script-src directive is present on your scanned pages. The absence of CSP is the most common finding across all scans — and it's a direct signal against Requirement 11.6.1, which requires a change- and tamper-detection mechanism for payment page scripts and HTTP headers.
- Authorized script inventory: The report flags whether a formal authorized-script register can be confirmed. If third-party scripts are present with no evidenced inventory or documented business justification, this requirement receives an "Attention Advised" status.
Script Findings Breakdown
This section lists every unique script finding across all scanned pages — each distinct script or misconfiguration counted once, regardless of how many pages reference it. Findings are categorized by severity:
- Dynamically injected third-party script with no integrity hash: A third-party script injected at runtime and executing without an integrity hash. This is the highest-risk finding category — these are the scripts Magecart-style attackers compromise to inject skimmers.
- Static external script with no integrity attribute: A statically referenced external script with no integrity attribute. Lower risk than dynamic injection but still a direct gap against Requirement 6.4.3.
- Missing Content Security Policy: No Content Security Policy controlling which scripts are permitted to execute. Every page missing a CSP receives this finding — it's the single most common result across all scanned domains.
- Secondary security headers: HSTS, Permissions-Policy, and similar secondary security headers that are missing or misconfigured. Lower severity but still documented as evidence for your QSA review.
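To make the 6.4.3 and 11.6.1 checks concrete, here is an added example (not the CSI Deep Scan's own code) that reproduces the static half of them: it lists every third-party `<script src>` on a page that carries no integrity attribute and reports whether the response's Content-Security-Policy names a script-src directive. It assumes response header keys are lower-cased and that the page host is passed in; the HTML and headers are constructed samples. Dynamically injected scripts need runtime instrumentation and are out of scope here.

```python
"""Script-finding check mirroring the report's 6.4.3 / 11.6.1 sections. Constructed
sample input; this is not the CSI Deep Scan's own code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # An empty integrity="" attribute counts as absent.
            self.scripts.append((a["src"], bool(a.get("integrity"))))


def has_script_src_csp(headers):
    """True only if a Content-Security-Policy header carries a script-src directive."""
    csp = headers.get("content-security-policy", "")
    return any(d.strip().lower().startswith("script-src") for d in csp.split(";"))


def script_findings(page_host, html, headers):
    """Unique findings for one page: third-party scripts loading without SRI
    (Req. 6.4.3) and a missing script-src CSP (Req. 11.6.1)."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = set()
    for src, has_integrity in collector.scripts:
        host = urlparse(src).hostname
        # Relative or same-host scripts are first-party; only third-party
        # origins without an integrity hash become findings.
        if host and host != page_host and not has_integrity:
            findings.add(("third_party_script_no_sri", host))
    if not has_script_src_csp(headers):
        findings.add(("csp_script_src_missing", page_host))
    return sorted(findings)


# Constructed sample checkout page: vendor widget without SRI, first-party app, analytics with SRI.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-vendor.com/widget.js"></script>
<script src="https://shop.example/app.js"></script>
<script src="https://analytics.example.net/a.js" integrity="sha384-CONSTRUCTED"></script>
<script>window.cart = {};</script>
</head></html>"""
SAMPLE_HEADERS = {"content-security-policy": "default-src 'self'"}
```

Run `script_findings("shop.example", SAMPLE_HTML, SAMPLE_HEADERS)` to see both finding types on the sample; a CSP that only sets default-src still counts as missing script-src.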
Browser Security Layer Analysis
This section goes beyond scripts and headers to document the full browser-layer security state of your scanned pages. It covers three areas:
- Cookie security: Every cookie present on your scanned pages is listed with its Secure, HttpOnly, and SameSite attributes. Cookies missing the Secure flag can be transmitted over unencrypted connections. Cookies missing HttpOnly can be read by JavaScript — including malicious injected scripts. Session cookies with either flag missing receive a specific finding.
- Inline event handlers: The report identifies every inline event handler (onclick, onsubmit, oninput) present in the HTML of scanned pages. Inline handlers on form elements — especially payment forms — are a documented formjacking attack vector and fall within the scope of Requirement 6.4.3. These are flagged with the page, element type, and handler name.
- HTTPS enforcement: The report documents whether HTTP traffic redirects to HTTPS, whether HSTS is present and configured, whether HSTS preloading is active, and the max-age value. HSTS absent on an HTTPS response is a specific finding — without it, a browser on first visit may remain vulnerable to protocol downgrade attacks.
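The cookie and HSTS checks above can be reproduced from captured response headers alone. This is an added example, not the CSI Deep Scan's own code; the session-cookie name hints and the one-year preload threshold (the hstspreload.org criteria) are assumptions noted in the code, and the Set-Cookie and HSTS values are constructed samples.

```python
"""Cookie-attribute and HSTS checks matching the report's browser-layer section.
Constructed sample headers; this is not the CSI Deep Scan's own code."""
import re

# Assumption: cookie names containing these fragments are treated as session cookies.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def cookie_findings(set_cookie_headers):
    """Return (cookie_name, finding) pairs for each Set-Cookie header; session
    cookies missing Secure or HttpOnly get their own finding type."""
    findings = []
    for raw in set_cookie_headers:
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        is_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
        for flag in ("secure", "httponly"):
            if flag not in flags:
                prefix = "session_cookie_" if is_session else "cookie_"
                findings.append((name, f"{prefix}missing_{flag}"))
        if "samesite" not in flags:
            findings.append((name, "cookie_missing_samesite"))
    return findings


def hsts_assessment(headers, https_response=True):
    """Parse Strict-Transport-Security; absence on an HTTPS response is a finding."""
    raw = headers.get("strict-transport-security")
    if raw is None:
        return {"present": False, "finding": "hsts_missing" if https_response else None}
    directives = {d.strip().lower() for d in raw.split(";")}
    m = re.search(r"max-age=(\d+)", raw, re.I)
    max_age = int(m.group(1)) if m else 0
    subdomains, preload = "includesubdomains" in directives, "preload" in directives
    return {
        "present": True,
        "max_age": max_age,
        "include_subdomains": subdomains,
        "preload": preload,
        # hstspreload.org criteria: max-age of at least one year plus both directives.
        "preload_ready": max_age >= 31536000 and subdomains and preload,
    }


# Constructed sample: one session cookie without Secure, one vendor cookie, short HSTS.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; SameSite=Lax",
    "_ga_vendor=GA1.1.1; Path=/; Secure",
]
SAMPLE_HEADERS = {"strict-transport-security": "max-age=86400"}
```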
Transport Layer & TLS Assessment
Your report includes a full transport layer assessment covering TLS protocol support, certificate validation, and known vulnerability checks. This section documents:
- TLS protocol support — SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 — each listed as supported or not supported with a compliance assessment. TLS 1.0 and 1.1 are prohibited under PCI DSS 4.0.1.
- Certificate validation — Valid, hostname match, self-signed status, and chain completeness all confirmed.
- Known vulnerability checks — Heartbleed, CCS Injection, ROBOT Attack, and Basic Auth over HTTP — each tested and documented.
- PCI ASV compliance determination — An attestation of external vulnerability scan results per PCI ASV Program Guide v4.0, including overall pass/fail status for transport-layer findings.
Advanced Threat Analysis
This is where the CSI Deep Scan goes significantly beyond a standard compliance checklist. The advanced threat analysis section identifies the specific attack patterns used in real Magecart compromises — not just whether scripts are present, but what those scripts are doing.
- Form input event listeners: The report identifies every third-party script that has attached an event listener to a form input — keyup, keydown, and input events on fields where customers type sensitive data. This is the exact mechanism modern web skimmers use to exfiltrate card numbers without ever touching the payment processor's code. Each instance is documented with the page URL, the script origin, the field targeted, and the event type.
- Outbound data destinations: The report documents every third-party destination receiving data from your scanned pages — the host, the HTTP method, the page it originates from, and the severity. Any of these channels can carry form contents off-site depending on how the third-party script is configured. This gives you a complete map of where your customers' data is potentially flowing.
- Permissions-Policy: The report documents whether a Permissions-Policy header controls which browser APIs — Payment Request API, camera, microphone, geolocation — third-party iframes can access. Missing or permissive policies expose these capabilities to any embedded third party on the page.
Third-Party Vendor Exposure Inventory
Every third-party vendor detected across your scanned pages is listed in a clean table — vendor name, domains detected, the pages it appears on, and whether SRI integrity controls are in place. This is the foundation of the script inventory that PCI DSS 4.0.1 Requirement 6.4.3 requires you to maintain.
For most merchants, seeing this table for the first time is the moment they understand why PCI DSS 4.0.1 changed. A typical e-commerce site will show 10 to 20 distinct vendor origins — analytics, advertising, chat, personalization, payment widgets — none of them with SRI controls, none of them with documented business justification, and all of them executing on the checkout page.
Strategic Recommendations
The final section of the report gives you a prioritized remediation roadmap — not generic advice, but specific actions tied to specific findings, organized by timeline:
- Immediate: The highest-severity gaps are addressed first — deploying SRI controls on payment page scripts and implementing a Content Security Policy with script-src enforcement. Each recommendation is written in plain language with specific implementation guidance your development team can act on directly.
- Structural: Establishing a formal authorized script inventory, isolating payment pages from marketing script execution, and implementing a third-party vendor risk assessment process. These recommendations address the systemic gaps that create recurring findings — fixing root causes, not just symptoms.
- Ongoing: PCI DSS 4.0.1 is built around continuous control effectiveness — not annual checkbox audits. The ongoing section recommends automated change detection for payment page scripts and headers, continuous compliance monitoring infrastructure, and ways to demonstrate security posture to customers, auditors, and acquiring banks in real time.
How the Report Is Delivered
After payment, you provide your domain and email at checkout. The scan runs automatically against your checkout, cart, login, account, and payment pages. The PDF report is generated and delivered to your email — no login required, no dashboard to check, no waiting on a human to manually process your order.
The report is confidential, watermarked with your unique scan ID, and intended for your internal security and compliance team and any designated QSA or advisor. It is not shared with third parties.
One payment. One scan. One report. In your inbox.
Get your Deep Scan report — $79, delivered to your inbox.
Full PCI DSS 4.0.1 client-side assessment of your checkout, cart, login, and payment pages. Evidence-based findings. PDF delivered automatically upon scan completion.