PCI DSS v4.0 now explicitly requires merchants to control and monitor third-party scripts running on payment pages, closing a long-standing blind spot where analytics, tag managers, and support widgets could exfiltrate card data without detection. A QSA assessment of the Reflectiz platform evaluated how well it addresses these new requirements. Any organisation taking card payments online needs to demonstrate they have visibility and control over client-side scripts or risk failing their next PCI audit.

Security Architect’s Take: Audit every third-party script loaded on your checkout pages and implement a client-side integrity monitoring solution that satisfies PCI DSS v4.0 requirements 6.4.3 and 11.6.1; ensure your CSP headers, Subresource Integrity tags, and a continuous behavioural monitoring tool are all in place before your next QSA assessment.

Original advisory: The Scripts on Your Checkout Page Are Now a PCI DSS Problem

A retrospective account has emerged of a major US telecommunications carrier storing customer credit card data in plaintext during the early 2000s, a practice discovered by an employee on their very first day. This highlights how poor data handling hygiene was commonplace before PCI DSS mandated encryption standards, and serves as a reminder of the long-term reputational and regulatory risks of inadequate data protection. While historical, the story resonates today as organisations continue to misconfigure data storage in cloud environments.

Security Architect’s Take: Use this as a prompt to audit your current data stores — particularly object storage buckets, databases, and logs — for any plaintext storage of sensitive cardholder or PII data. Enforce encryption at rest as a baseline control and implement automated scanning tools such as AWS Macie, Google Cloud DLP, or Microsoft Purview to detect sensitive data exposure before an employee stumbles upon it.

Original advisory: Major US carrier stored credit card info in the clear, employee learned on first day