REPAY Holdings Corporation (NASDAQ: RPAY) is a leading payments technology company that delivers secure, frictionless payment solutions across multiple industries. Our platform supports credit and debit cards, ACH, virtual cards, and digital wallets, enabling businesses to streamline accounts receivable and accounts payable processes. With deep expertise in consumer finance, automotive lending, healthcare, mortgage servicing, and B2B, REPAY helps organizations digitize workflows, improve cash flow, and enhance customer experiences.
REPAY operates in highly regulated industries where security and compliance are nonnegotiable. PCI DSS v4.0 requirements 6.4.3 and 11.6.1 require organizations to manage all payment page scripts executed in the consumer’s browser by confirming authorization, ensuring integrity, and maintaining a documented inventory. In addition, organizations must implement real-time monitoring and tamper detection to protect against unauthorized changes. These controls address the growing risk of client-side attacks, such as “Magecart” and “formjacking”, which exploit vulnerabilities in third-party scripts or inject malicious code into payment pages. For REPAY, the challenge was to meet these new compliance standards while maintaining seamless user experiences across a diverse portfolio of payment solutions.
To comply with PCI DSS v4.0 requirements 6.4.3 and 11.6.1, REPAY implemented Report URI to monitor and manage all browser-executed scripts on payment pages. By collecting and analyzing Content Security Policy violation reports, the security team can verify script integrity, confirm authorization, maintain a documented inventory, and detect unauthorized changes in real time. This proactive approach ensures compliance with PCI DSS while providing actionable insights into misconfigurations and emerging threats, enabling REPAY to fine-tune policies and maintain a secure environment across all REPAY platforms.
By integrating Report URI into its security workflow, REPAY achieved full compliance with PCI DSS v4.0 requirements. The team now benefits from real-time visibility into client-side script activity, enabling rapid detection of unauthorized changes and reducing the risk of data compromise from attacks like Magecart. This enhanced monitoring not only ensures compliance but also improves operational efficiency by minimizing false positives and delivering actionable alerts. As a result, REPAY provides secure payment experiences without compromising performance or user trust.
Getting started with Report URI is easy, and we can quickly audit all of your existing JavaScript dependencies and data exfiltration endpoints to see if they are all expected.
Once a baseline is established, our Script Watch and Data Watch products will monitor and alert you to any changes for you to investigate quickly.
In addition to this, we have a selection of features and tools detailed below that will help you get started with CSP and work through to enforcing a policy across your whole site, but please reach out to sales@report-uri.com if you need more information.
Script Watch will monitor all JavaScript dependencies across your entire site and immediately notify you of any changes. A new JavaScript dependency could be the start of a Magecart attack.
Because Script Watch leverages the browser-native Content Security Policy, there is no code or agent to deploy, and running in the browser means we analyse your site in real time as your users are browsing. We don't share the limitations of external scanning services, such as authentication or paywalls, geo-sensitive content, or an attacker potentially serving safe content to the crawler.
Data Watch will monitor all of the locations that your webpages are sending data to. If your website starts sending data to a new location, it could be the start of a Magecart attack.
With Script Watch and Data Watch combined, you can monitor for clear indicators that your site has been compromised. Attackers will always want to inject their hostile JavaScript, and they'll always want to exfiltrate their stolen data.
We often find that creating a CSP is the first difficult step that organisations face. Having a complete list of all resource dependencies across your entire site like images, scripts or styles, from both 1st-party and 3rd-party locations, is tough to achieve.
The CSP Wizard was created to solve this problem, and in seven days or less, it can give you a complete list of all resources used across your entire site.
With the list of all resources you use on your site, and our easy-to-use tool, creating a viable Content Security Policy is easier than ever with just a few clicks.
All Content Security Policies will need to be tweaked at some point. New resources may be added to the site or old resources removed, and the policy needs to be updated to reflect those changes and kept up to date.
You can import your existing policy into the CSP Builder and use our fully featured tool to make any changes that you require right there in the UI. When you're done, hit Generate, and the CSP Builder will provide you with your new, updated policy.
Script Watch and Data Watch will allow you to rapidly detect and respond to a Magecart attack, and combined, that capability puts you ahead of the field. If you want to take it a step further, Content Security Policy can mitigate a Magecart attack and stop it from even happening.
Deploying an effective Content Security Policy can be difficult, but our CSP Reporting allows you to gather feedback and safely test a policy before deployment. Once deployed, an effective Content Security Policy will block a Magecart attack and stop the hostile JavaScript from even running.
We subscribe to various feeds of Threat Intelligence data, along with managing our own internally generated feeds, to keep apprised of the latest threats that exist online.
Using this Threat Intelligence Data, we can better analyse the sources of JavaScript on your website and detect malicious activity sooner.