Shopping Cart Monitor

Monitor your ecommerce site to detect the fastest-growing cyber attack and comply with PCI 6.4.3 & 11.6.1.


Over 25 Years of Compliance Experience

QSA | PFI | ASV | P2PE | SSF | SLC | 3DS | QPA | PCIP | RPO


How to comply with PCI DSS 6.4.3 and 11.6.1?

  1. Run a simulation of the checkout process
    Shopping Cart Monitor simulates the checkout process and the behaviors involved on the page.
  2. Inventory JavaScript (PCI Req. 6.4.3)
    Any JavaScript on the page is inventoried and documented in order to meet PCI requirement 6.4.3. Both static and dynamically generated JavaScript is analyzed and inventoried. Users have the ability to justify any and all scripts on their site to fully comply with requirement 6.4.3.
  3. Look for modifications (PCI Req. 11.6.1)
    Shopping Cart Monitor runs at regular intervals looking for payment page modifications, meeting PCI 11.6.1, which requires having a change and tamper-detection mechanism in place.


Packages

Basic

For SMBs looking to achieve compliance in the most cost-effective way
Features
  • Portal access
  • 1 payment path supported
  • User-initiated scanning process
  • Fulfills req’s. 6.4.3 & 11.6.1
  • Add-on consultation credits available
  • Partner discounts available

Pro

For businesses invested in having complete awareness and understanding of the threats to their ecommerce site
Features
  • Portal access
  • 3 payment paths supported (option to add on)
  • Automated scanning process
  • Fulfills req's. 6.4.3 & 11.6.1
  • Forensic annual baseline assessment
  • 12 annual consultation credits included
  • Partner discounts available

Shopping Cart Monitor Features

No downloads, no installation, no configuration–it just works

Purpose-built by security professionals 

Your ecommerce site is the heart of your business. We offer patented protection designed by professional penetration testers and forensic investigators with ecommerce business owners in mind. 

Shopping Cart Monitor works by:

  • Creating a snapshot of what your checkout process looks like
  • Flagging any abnormal or suspicious scripts that appear during checkout
  • Reporting them directly to you for review
  • Minimizing false positives
  • Causing zero disruptions to your business

Major PCI requirements completed in an instant

PCI requirements 6.4.3 and 11.6.1 require detailed management and monitoring. Shopping Cart Monitor achieves them both.

By inventorying all JavaScript on your ecommerce site, our tool meets requirement 6.4.3, and by acting as a tamper-detection mechanism that finds bad scripts, it also meets 11.6.1.

When you use Shopping Cart Monitor, you’re not just safeguarding your site, you’re getting one step closer to completing your PCI compliance.

No dev team required, just your URL

Shopping Cart Monitor is a cloud-based, code-free tool, meaning:

  • No downloads
  • No software installation
  • No software integration
  • No website configurations

Our agentless solution doesn’t involve your web development team, which a code-based solution would. And since you're not installing an agent, it can't be tampered with or subverted, greatly improving your security.

Capabilities and threats protected

PCI DSS Requirement 6.4.3
  • What is it? A mandate requiring merchants to inventory, authorize, and justify all JavaScript running on payment pages.
  • How Shopping Cart Monitor helps you: Shopping Cart Monitor automates your audit prep by automatically building and updating your required script inventory, creating a seamless, exportable log you can hand directly to your QSA.

PCI DSS Requirement 11.6.1
  • What is it? A mandate requiring a tamper-detection mechanism to flag unauthorized changes to payment pages at least once every seven days.
  • How Shopping Cart Monitor helps you: Shopping Cart Monitor satisfies this control entirely by monitoring your checkout pages and instantly alerting your team to any unauthorized code or header modifications.

Magecart & Digital Skimming Defense
  • What is it? A stealthy cyberattack where hackers inject invisible, malicious code into checkout fields to siphon credit card data in real time.
  • How Shopping Cart Monitor helps you: Shopping Cart Monitor stops client-side data theft by detecting hidden, malicious scripts executing in the customer's browser. This safeguards your revenue and brand reputation.

Automated JavaScript Inventory (PCI 6.4.3)
  • What is it? A complete, centralized dashboard listing every known, authorized, and third-party script operating on an ecommerce checkout.
  • How Shopping Cart Monitor helps you: Shopping Cart Monitor eliminates security blind spots by discovering and logging all active scripts, giving you visibility into third-party code risks.

Tamper-Detection Alerts
  • What is it? Automated notifications triggered when a security system detects unexpected modifications to website code or HTTP headers.
  • How Shopping Cart Monitor helps you: Shopping Cart Monitor provides 24/7 peace of mind by instantly sending alerts the moment a browser-level anomaly is detected, enabling rapid incident response before customer data is exposed.

Agentless Integration
  • What is it? A monitoring model that evaluates website integrity externally, requiring zero software downloads or inline code changes.
  • How Shopping Cart Monitor helps you: Shopping Cart Monitor protects your checkout speed and budget because it monitors your site from the outside. It deploys in minutes with zero developer hours and zero risk of breaking your checkout functionality.

See how we've helped our clients succeed

When you succeed, we succeed. That's why we pay such close attention to detail and provide award-winning support. Let's work together!

TESTIMONIALS

The relevance of ensuring proper ecommerce website security and protecting card holder data continues to be paramount for our organization, and we could not manage this process better without the reporting tools and excellent technical expertise provided by SecurityMetrics.

Jason Drake
Premiere Sports Travel

SecurityMetrics is an integral part of the team in our PCI program. We depend on the assessors to make sure that we stay on the compliance track. They do it with developing relationships across campus, discussing upcoming projects or application changes, and being available to us for consulting. They are knowledgeable, helpful and help us keep the campus engaged by their friendly demeanors.

Robbyn Lennon
University of Arizona

We have been customers of SecurityMetrics for about eight years. We are so impressed with the patient and professional way that their staff treats customers. They do not hurry, seem tired, act annoyed or too busy to work with their customers. Every person I spoke to was great!

Naomi Christman
The ProImmune Co, LLC

SecurityMetrics is the most retail friendly solution. At the small business level, frequently the person that has to interface with the tool is an owner or someone who has financial responsibility, but they may not necessarily be technically savvy with using online tools. We believe SecurityMetrics meets that need better than anyone else we've seen.

Steve Methvin
Bozzutos

SecurityMetrics' Pen Testing has definitely helped us improve our network security in ways I could have never imagined. You just don't know what you don't know. I am absolutely confident in their team's abilities and my experience has led me to trust them implicitly as a security partner. Their depth of understanding is impressive, and their professionalism is unmatched.

Morgan Leppink
Internet Ticketing Systems

We’ve been using SecurityMetrics for our onsite PCI audits for more than 10 years now. We have continued to come back and return to SecurityMetrics due to the value that has been supplied by them. SecurityMetrics has been around long enough now and they’ve been one of the top providers when it comes to PCI compliance, that I know they’re in it for the long haul.

Dawn Martinez
SVP, NewTek Merchant Solutions

Ecommerce Security FAQs

What is a payment page?

A web-based user interface containing one or more form elements intended to capture account data from a consumer or submit captured account data.  

Payment pages take many forms:

  • A web page contained within an application that collects and processes card data
  • A web page that redirects to a 3rd party payment page hosted on their domain
  • A web page that displays a 3rd party payment page within an inline element(s) like an iFrame

What is PCI DSS Requirement 6.4.3?

To reduce the possibility of malicious scripts making it onto payment pages, organizations need an inventory of all the known good scripts used on payment pages.

This inventory must be documented and tracked to ensure that all the scripts used are authorized, and that the integrity has been validated.

What is PCI DSS Requirement 11.6.1?

This requirement includes implementing a change and tamper-detection mechanism for any payment or referring pages (a referring page is one that uses an iFrame to display a 3rd party payment page). This requirement is a direct result of the increase in ecommerce skimming compromises seen on payment/referring pages in recent years.

A change and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
  • The mechanism is configured to evaluate the received HTTP header and payment page.  
  • The mechanism functions are performed as follows:
    • At least once every seven days  
      OR
    • Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
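
The comparison that requirements 6.4.3 and 11.6.1 describe, reduced to its core, as an added example; it is not SecurityMetrics' code and does not describe how Shopping Cart Monitor works. The data layout, function names and sample values are assumptions, and the code compares an already captured observation of the page (scripts and response headers) against the authorized inventory and header baseline instead of fetching anything.

```python
import hashlib
from datetime import datetime, timedelta

MAX_INTERVAL = timedelta(days=7)  # 11.6.1: at least once every seven days

def digest(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def script_key(script: dict) -> str:
    # External scripts keyed by URL, inline ones by position (assumed scheme).
    return script.get("src") or f"inline#{script['index']}"

def compare(inventory, baseline_headers, scripts, headers) -> list:
    """Compare one observation of the payment page with the authorized state."""
    findings = []
    seen = {script_key(s): digest(s["body"]) for s in scripts}
    for key, found in seen.items():
        entry = inventory.get(key)
        if entry is None or not entry.get("justification"):
            findings.append(("script-unauthorized", key))  # addition
        elif entry["sha256"] != found:
            findings.append(("script-changed", key))       # integrity failure
    findings += [("script-removed", k) for k in inventory if k not in seen]
    got = {k.lower(): v for k, v in headers.items()}       # header names are case-insensitive
    want = {k.lower(): v for k, v in baseline_headers.items()}
    for name in sorted(set(got) | set(want)):
        if name not in got:
            findings.append(("header-deleted", name))
        elif name not in want:
            findings.append(("header-added", name))
        elif got[name] != want[name]:
            findings.append(("header-changed", name))
    return findings

def overdue(last_run: datetime, now: datetime) -> bool:
    return now - last_run > MAX_INTERVAL

# Constructed sample data, not taken from a real site.
CHECKOUT_JS = "function pay(){submit(form)}"
INVENTORY = {
    "https://shop.example/js/checkout.js": {"sha256": digest(CHECKOUT_JS), "justification": "checkout logic"},
    "https://cdn.example/analytics.js": {"sha256": digest("track()"), "justification": "site analytics"},
}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self'", "X-Frame-Options": "DENY"}
OBSERVED_SCRIPTS = [
    {"src": "https://shop.example/js/checkout.js", "body": CHECKOUT_JS + ";extra()"},
    {"index": 0, "body": "unknown()"},
]
OBSERVED_HEADERS = {"content-security-policy": "script-src *"}
```

Each finding kind corresponds to one of the changes, additions and deletions that 11.6.1 asks the mechanism to alert on, and a script without a recorded justification is reported even when its hash is known.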

Advance your ecommerce security with Shopping Cart Monitor

Adhere to PCI v4.0.1
Fulfill both the 11.6.1 detection and scanning requirements and catalog and analyze your scripts to also comply with requirement 6.4.3.
Get expert remediation advice
Enjoy the option to get detailed guidance of what threats or compromises mean and how you can remediate them. No need to feel in the dark about how to secure your company.
Easy implementation
Monitor is easy to use. It does not require setup or modifications to your existing website.
Receive an organized list
Stay organized by reviewing a segmented list of your unresolved, ignored, and resolved threat indicators using the Monitor toolset.

Protect your company’s image
Monitor adds validation beyond what a VA Scan, WAF, or FIM product can provide you. Monitor uses SecurityMetrics patented WIM technology to protect your company’s brand and customer trust.

Recognition for Outstanding Work

SecurityMetrics has worked hard over the years to provide outstanding products and services. Here are some of the awards the team has won.

  • The Golden Bridge Award 2020 Gold
  • Cybersecurity Excellence Award Winner 2023
