PCI DSS Compliance

Prove PCI DSS 4.0 Compliance on your Payment Pages

CSP controls what runs on your pages. PCI requires you to prove it. Report URI shows what actually ran, and turns it into audit-ready evidence.

The Requirements

What PCI DSS 4.0.1 actually requires on your payment pages

These requirements are designed to prevent attacks like Magecart-style card skimming, where unauthorised scripts capture payment data directly in the browser.

Req 6.4.3

Script authorisation, integrity and inventory

Every script executing on your payment pages must be authorised, have its integrity assured, and be inventoried with written justification. You need to know what's there, confirm it's approved, and show that's still true today — not just at the time of your last audit.

Req 11.6.1

Continuous change detection

Any unauthorised modification to your payment page HTTP headers or scripts must be detected and acted on. Not quarterly. Not on a schedule. Continuously.

What Report URI Does

How Report URI meets PCI DSS 6.4.3 and 11.6.1

Report URI captures what actually happens in your users' browsers and turns it into structured, exportable evidence mapped directly to PCI DSS 6.4.3 and 11.6.1.

Script Watch
Req 6.4.3 — script inventory and change detection

Continuous inventory and change detection for every script on your payment pages

The moment something changes, you know about it: a new script loads, an existing one is modified, an unauthorised dependency appears.

CSP Reporting
Req 6.4.3 — script authorisation and enforcement

Real-time data from your users' browsers on what's executing and what's being blocked

Turns your CSP from a passive header into an active enforcement layer, generating a record of violations that your team and your auditors can review.

Data Watch
Req 11.6.1 — behavioural exfiltration monitoring

Detects when data starts leaving your payment pages in ways it shouldn't

Tracks destinations, flags anomalies, and gives you a behavioural record of what was moving where. The kind of evidence that answers an auditor's questions before they finish asking them.

Threat Intelligence
Req 11.6.1 — Indicators of Compromise detection

Script Watch tells you when something changed. Threat Intelligence tells you whether what changed is known to be malicious.

Report URI monitors external and internally generated threat feeds, tracking hostile script sources and active skimming infrastructure. When a script on your payment page resolves to a known bad actor, you're alerted before a change becomes a breach.

Policy Watch
Req 11.6.1 — CSP integrity monitoring

Monitors the Content Security Policy deployed on your site and alerts you the moment it changes

Additions, deletions, modifications — if your CSP drifts from what you authorised or is tampered with, you'll know before your auditor does.
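
One way to detect this kind of drift, as an added example (not Report URI's code): parse the authorised and the deployed Content-Security-Policy values and list the directives and sources that were added or removed. The function names, both policy strings and the `.test` hostnames are constructed for illustration.

```python
def parse_csp(header_value):
    """Parse a CSP header value into {directive: set(source expressions)}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()  # directive names are case-insensitive
        # Browsers ignore a repeated directive, so the first one wins.
        if name not in policy:
            policy[name] = set(tokens[1:])
    return policy


def diff_csp(authorised, deployed):
    """Return (change, directive, values) tuples describing policy drift."""
    a, d = parse_csp(authorised), parse_csp(deployed)
    changes = []
    for name in sorted(a.keys() | d.keys()):
        if name not in d:
            changes.append(("directive-removed", name, sorted(a[name])))
        elif name not in a:
            changes.append(("directive-added", name, sorted(d[name])))
        else:
            added = sorted(d[name] - a[name])
            removed = sorted(a[name] - d[name])
            if added:
                changes.append(("sources-added", name, added))
            if removed:
                changes.append(("sources-removed", name, removed))
    return changes


# Constructed sample: the approved baseline and a drifted deployment.
AUTHORISED = ("default-src 'self'; script-src 'self' https://js.example-psp.test; "
              "report-uri https://your-subdomain.report-uri.com/r/d/csp/enforce")
DEPLOYED = ("default-src 'self'; script-src 'self' https://js.example-psp.test "
            "https://cdn.unknown.test 'unsafe-inline'")

if __name__ == "__main__":
    for change in diff_csp(AUTHORISED, DEPLOYED):
        print(change)
```

Here the drifted policy has lost its reporting directive and gained two script sources, both of which are changes an 11.6.1 review would need to see.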

What you need to prove for PCI DSS 4.0.1

Audit-ready evidence, not just monitoring data

Most client-side security tools tell you when something looks wrong. Report URI produces structured, exportable evidence your team — and your auditor — can actually work with.

Script inventory with authorisation status and timestamps

Change logs showing what was modified, when, and what it changed from

CSP policy enforcement history — what was blocked, what was allowed, over what period

Behavioural data on where page data travelled

PCI DSS 6.4.3 doesn't accept ‘we think we're compliant.’

If you're preparing for an audit or just came out of one with a finding, this is the documentation layer that closes the gap between having controls and proving they worked.

No agent. No proxy. No deployment risk.

Live on your payment pages in minutes

Report URI works through the browser's native Reporting API. Add a reporting endpoint to your existing Content Security Policy header; that's the deployment. No infrastructure changes required.

HTTP response header
Content-Security-Policy: default-src 'self';
  report-uri https://your-subdomain.report-uri.com/r/d/csp/enforce

No agent to install

No traffic routed through a third party

No changes to your infrastructure

No impact on site performance

Site functions normally even if Report URI is unavailable

01. Add the reporting endpoint to your CSP header

One-line change to your existing HTTP response headers. No code changes required.

02. Browsers report to Report URI automatically

Your users' browsers send violation data using the native Reporting API — no JS required.

03. See everything in your dashboard

Real-time data on scripts, violations, and changes with exportable audit records.

04. Generate evidence for your auditor

Export structured reports covering all PCI DSS 6.4.3 and 11.6.1 requirements.
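
One way a receiving endpoint could process the reports from step 02, as an added example (not Report URI's code): it normalises the two bodies browsers send, the `csp-report` object used with the `report-uri` directive and the Reporting API batch, and checks each blocked script source against an authorised inventory. The inventory, hostnames and sample reports are constructed.

```python
import json
from urllib.parse import urlsplit

# Hypothetical authorised-script inventory: origin -> written justification.
INVENTORY = {"https://js.example-psp.test": "Hosted payment fields"}

def normalise(payload):
    """Yield (page, blocked, directive) from either browser report format."""
    data = json.loads(payload)
    if isinstance(data, dict) and "csp-report" in data:
        # Body sent for the report-uri directive (application/csp-report).
        r = data["csp-report"]
        yield (r.get("document-uri", ""), r.get("blocked-uri", ""),
               r.get("effective-directive") or r.get("violated-directive", ""))
    elif isinstance(data, list):
        # Reporting API batch (application/reports+json); may mix report types.
        for item in data:
            if item.get("type") == "csp-violation":
                b = item.get("body", {})
                yield (b.get("documentURL", ""), b.get("blockedURL", ""),
                       b.get("effectiveDirective", ""))

def origin_of(uri):
    """Reduce a blocked URI to its origin; keep keywords such as 'inline'."""
    parts = urlsplit(uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri or "unknown"

def triage(payloads):
    """Return one evidence record per script-related violation."""
    records = []
    for payload in payloads:
        for page, blocked, directive in normalise(payload):
            if not directive.startswith("script-src"):
                continue  # images, styles, etc. are out of scope here
            source = origin_of(blocked)
            records.append({"page": page, "source": source,
                            "directive": directive.split()[0],
                            "authorised": source in INVENTORY})
    return records

# Constructed sample reports, one per format.
LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.test/checkout",
    "blocked-uri": "https://cdn.unknown.test/a.js",
    "violated-directive": "script-src-elem"}})
MODERN = json.dumps([
    {"type": "csp-violation", "body": {"documentURL": "https://shop.example.test/checkout",
     "blockedURL": "inline", "effectiveDirective": "script-src-elem"}},
    {"type": "csp-violation", "body": {"documentURL": "https://shop.example.test/checkout",
     "blockedURL": "https://shop.example.test/logo.png", "effectiveDirective": "img-src"}}])
```

A record with `authorised` set to true means an inventoried script was blocked, which points at a gap between the inventory and the deployed policy rather than at an unknown script.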

Get Started

Start generating audit-ready evidence

One header. No infrastructure changes. Continuous compliance monitoring from day one.

30-day free trial  ·  One header  ·  No infrastructure changes  ·  PCI DSS 4.0.1 ready

What it covers. What it doesn't.

Client-side security for PCI DSS compliance

Report URI is the evidence layer for client-side activity in the browser. It shows what actually ran, what changed, and produces the records required for PCI DSS 4.0.1.

| Report URI covers | Doesn't replace |
| --- | --- |
| Script inventory and change detection | Penetration testing |
| CSP enforcement and violation logging | Secure code review |
| Behavioural data exfiltration monitoring | WAF or edge security |
| Audit-ready evidence generation | Vulnerability remediation |

Vendors who promise to do all of it usually inject their own code into your pages — another attack surface. Report URI doesn't. Nothing runs on your behalf, so nothing can break, slow down, or get compromised.

“Report URI has given us the capability to seamlessly build and roll out new Content Security Policies with a high level of confidence. The unopinionated and technology-agnostic nature of Report URI allowed us to integrate it directly and easily into our existing workflows, and to gain instant visibility into CSP reports. With Report URI's Script Watch product, we can meet our obligations under the new PCI DSS v4.0 requirements, in a way that meaningfully helps us monitor and assure the security of key components of the Paddle platform.”

Colin Barr, Head of InfoSec and IT  ·  Paddle