Marriott Vacations Worldwide Secures the Browser with Jscrambler

Overview


Marriott Vacations Worldwide is a global vacation company that offers vacation ownership, exchange, rental, and resort and property management, along with related businesses, products, and services. The company has a diverse portfolio that includes seven vacation ownership brands. It also includes exchange networks and membership programs, as well as management of other resorts and lodging properties.

Headquarters

Orlando, Florida, USA

Jscrambler’s client

Since 2024

Industry

Hospitality

Use cases

PCI DSS v4 compliance

Challenge


As a large, digitally driven organization operating in a highly regulated environment, Marriott Vacations Worldwide faces increasing pressure to protect customer data, especially credit card data, across complex web environments, particularly in the browser. Like many enterprise organizations, MVW relies on numerous third-party scripts and marketing tags to deliver personalized experiences and optimize performance. However, this growing client-side ecosystem introduces visibility and control challenges, such as shadow IT and unvetted third-party vendor scripts introduced by marketing and sales teams.


The scale of the scoping challenge, discovering every payment page, became especially clear during MVW's internal discovery work: “We did a complete inventory of our web-based payment pages that accept credit cards. That was not an easy task to accomplish. Full disclosure, it took 9 months here for us to discover every single web-based page where we accept credit cards. That kind of just talks to the complexity of the organization.” The core challenge wasn’t simply tracking scripts; it was maintaining continuous visibility and control across a large, evolving digital footprint with a small team managing compliance for multiple entities simultaneously.

“Through the entire process and even up to today, I found the transparency, the ease in communication with Jscrambler, and honesty through the whole thing extremely valuable. I’m very happy with the selection of Jscrambler.”

TJ Goldsmith

PCI Compliance Program Director

Solution


The MVW team was aware of PCI DSS requirements 6.4.3 and 11.6.1 early on and used the on-ramp period to identify a solution. MVW’s websites are highly dynamic, with marketing sites frequently updated, and marketing and sales teams often perform site refreshes outside of IT. The team needed a solution that directly met 6.4.3 and 11.6.1, which ruled out options like a CDN or a combination of CSP and SRI due to the required learning curve and manual effort.


After evaluating various approaches, MVW selected Jscrambler’s Webpage Integrity (WPI) product to meet requirements 6.4.3 and 11.6.1 and improve third-party script control in its browser environment.


“We haven’t found anything else out there in the market today that provides all of the benefits from the length of time Jscrambler’s been at this to the ease of use of this solution, and directly meeting the PCI requirements.”

TJ Goldsmith, PCI Compliance Program Director at Marriott Vacations Worldwide

By automating client-side monitoring, the solution eliminated the need for manual oversight and significantly reduced operational burden. Its seamless integration with the SIEM provided effective visibility without generating excessive alerts. The intuitive UI also made it easy to manage approvals and push business justifications directly to stakeholders, streamlining governance across teams. TJ mentioned that the solution included what he called a “panic button” feature that allows certain third-party scripts to be instantly cut off from data access without impacting performance. Essentially, the Jscrambler platform provides granular control over third-party scripts, enabling MVW to restrict access to sensitive data while still allowing third-party services to function as intended.


TJ noted that, given the organization’s complexity, the journey was not easy. However, the Jscrambler team made the whole process smooth and pain-free: “Early on, it was a pleasure to work with Jscrambler. Jscrambler really stepped up for us. We have more than 15 unique codebases. It was difficult, but it worked out well for us.”

Top Jscrambler Features and Capabilities

Granular control over third-party scripts

Intuitive UI and minimal learning curve

Low-noise alerting

Results

Marriott Vacations Worldwide achieved full compliance with PCI DSS v4 requirements 6.4.3 and 11.6.1 ahead of the enforcement deadline. As TJ shared, “We were 100% compliant before we needed to be.”

By implementing Jscrambler, Marriott Vacations Worldwide achieved:

Evidence of Compliance

Compliance with PCI DSS 6.4.3 & 11.6.1, ease of demonstrating/providing evidence of compliance

Visibility & Control

Enhanced visibility & control over all payment pages across all brands

Full Client-Side Protection

Platform leveraged by other internal teams outside of PCI Compliance

Improved Risk Posture

Improved risk posture through real-time script monitoring and header integrity validation

For Marriott Vacations Worldwide, client-side protection was not simply about checking a compliance box. It was about protecting 160 card data flows across six distinct entities, managing dynamic marketing environments, reducing operational burden, and preserving brand trust. With Jscrambler, MVW implemented a solution that did all that while keeping a lean compliance team efficient.
