Q&A with Elavon EU Andrew McCarroll: Mastering PCI DSS 6.4.3 and 11.6.1 to Combat Web Skimming

1. Andrew, how does your role at Elavon EU shape payment security strategies to help merchants meet PCI DSS requirements 6.4.3 and 11.6.1?

My role at Elavon involves designing security frameworks that ensure merchants align with PCI DSS 6.4.3 and 11.6.1, safeguarding payment environments, and enabling our merchants to have direct access to best-in-class solutions with partners like Jscrambler. My goal is to help merchants become compliant with minimal disruption to their daily activities. 

As part of this process, I collaborate with teams to provide tools and guidance, helping merchants navigate complex compliance requirements efficiently across all aspects of the PCI process. I also drive strategies to address emerging threats like web skimming, ensuring merchants stay ahead of risks and deadlines.

2. What are the biggest hurdles merchants face in complying with PCI DSS 6.4.3 and 11.6.1, particularly in preventing web skimming attacks?

Merchants struggle with implementing script management and monitoring required by 6.4.3 and 11.6.1 due to limited resources and technical expertise. With the update to PCI 4 many merchants are unaware of changes they may be affected by or are hesitant to kick over that rock and find they have additional requirements. I strive to offer solutions, not problems, to our merchants to help them comply with best practices around data security. 

We’ve also seen a surge in web skimming attacks that have overwhelmed merchants lacking real-time detection capabilities. Small to mid-sized merchants often lack the budget or staff to maintain continuous compliance and threat monitoring.

3. Why is anti-skimming protection a critical priority for merchants today, given the surge in web skimming attacks?

The increase in Magecart attacks targeting payment pages risks data breaches and financial losses for our merchant customers. In addition, PCI DSS 6.4.3 and 11.6.1, effective as of March 31, 2025, now require robust anti-skimming measures to avoid penalties. Protecting payment pages from skimming ensures customer confidence, which is critical for merchants’ reputation and revenue. This will help our merchants avoid costly data breaches and subsequent scheme fines. 

4. How essential is client-side protection for securing payment pages against web skimming in a merchant’s overall security strategy?

Client-side protection is vital to monitoring and blocking malicious scripts on payment pages, where skimming attacks occur. It assists the merchant by taking another aspect of security out of their scope and is managed by third-party professionals. 

It also strengthens overall security by addressing vulnerabilities that server-side measures alone cannot cover. An effective client-side protection implementation will ensure compliance with PCI DSS 6.4.3, safeguarding merchants against non-compliance risks.

5. How does the Elavon EU-Jscrambler partnership empower over 400 merchants to meet PCI DSS 6.4.3 and 11.6.1 requirements and combat escalating web skimming threats?

Elavon’s payment processing knowledge and Jscrambler’s client-side security solutions equip Elavon’s 400 merchants to tackle the surge in skimming attacks. We pride ourselves on offering our merchants bespoke solutions to their Data Security issues, regardless of the size of the merchant. We see PCI compliance as a collaboration with our merchants and partners that helps protect them and ourselves from the ever-evolving threat to card security. 

The partnership with Jscrambler offers practical, scalable strategies to ensure merchants meet PCI DSS deadlines and secure payment pages effectively.

We have a lot more to share about our partnership. It’s important that our merchants attend the Mastering PCI DSS Requirements 6.4.3 and 11.6.1: Practical Solutions for Merchant Compliance webinar on May 20, 2025, to see how our partnership supports merchants on their compliance journey.