
PCI DSS Compliance for Web Security

PCI DSS is a broad standard, and a few of its requirements land squarely on how your website handles encryption in transit and secure web configuration. SiteSecurityScore helps you evidence that focused subset, checking TLS strength, HSTS, security headers, Content Security Policy on payment pages, and Subresource Integrity on external scripts. To be clear, it is not a full PCI scan, it is not an ASV scan, and it does not make you PCI compliant. It is a fast way to grade and fix the web and transport configuration that several PCI DSS requirements ask you to demonstrate.

What PCI DSS is and which requirements touch the web layer

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard that every organization handling payment card data must meet. It covers network security, access control, cardholder data environment segmentation, vulnerability management, written policies, and regular testing. Most of that scope reaches far beyond a website. A handful of requirements, though, land directly on how your public web pages and your payment flow are configured.

Requirement 4 asks you to protect cardholder data with strong cryptography whenever it travels over open, public networks. In practice that means a modern TLS version, strong cipher suites, and configuration that prevents data from ever being sent unencrypted. HSTS and the absence of mixed content both support that goal, and they are exactly the kind of transport configuration a web scanner can verify.

Requirement 6 asks you to develop and maintain secure systems. For a website, that includes secure web configuration and security headers. It also includes the newer payment page script expectations in Requirement 6.4.3, which asks merchants to manage the scripts that load in the consumer browser on payment pages, confirm each script is authorized, and assure its integrity. Content Security Policy and Subresource Integrity are central techniques for meeting that intent.

Requirement 11 asks you to regularly test your security systems and processes, including detecting unauthorized changes. Quarterly external scanning by an Approved Scanning Vendor and penetration testing live here. Daily configuration monitoring does not replace those activities, although it does give you continuous evidence that your web and payment page configuration has not drifted between formal tests.

PCI DSS requirement to SiteSecurityScore mapping

The tables below are honest about coverage. Checked means SiteSecurityScore directly checks and evidences that item. Partial means it provides partial supporting evidence that helps but does not satisfy the requirement on its own. Not covered means the item is outside what this tool does, and you will need other controls, an assessor, or an Approved Scanning Vendor.

Requirement 4: Protect cardholder data in transit

Requirement item                                    SiteSecurityScore
Strong TLS protocol versions in use                 Checked
Strong cipher suites for data in transit            Checked
HSTS to enforce encrypted transmission              Checked
Mixed content detection on secure pages             Checked

Requirement 6: Develop and maintain secure systems

Requirement item                                    SiteSecurityScore
Security headers configuration review               Checked
Content Security Policy for payment pages           Checked
Subresource Integrity (SRI) on external scripts     Partial
6.4.3 manage and inventory payment page scripts     Partial

Requirement 11: Regularly test security systems

Requirement item                                    SiteSecurityScore
Ongoing change detection via daily monitoring       Partial
Alerts on header, TLS, CSP, and script changes      Partial
ASV external vulnerability scan                     Not covered
Internal and external penetration testing           Not covered

Broader PCI DSS scope

Requirement item                                    SiteSecurityScore
Cardholder data environment segmentation            Not covered
Access control and authentication policy            Not covered
Written security policies and procedures            Not covered
Network firewall and configuration standards        Not covered

SiteSecurityScore is not an ASV and is not a full PCI scan

SiteSecurityScore is not an Approved Scanning Vendor. It does not perform the quarterly external vulnerability scan that PCI DSS Requirement 11 requires, and it cannot produce a passing ASV scan report. Only a PCI SSC Approved Scanning Vendor can deliver that for your assessment.

We want to be precise about what this tool is. PCI DSS Requirement 11 calls for external vulnerability scans performed by a PCI SSC Approved Scanning Vendor, and those scans probe for known vulnerabilities across your in-scope external footprint. SiteSecurityScore does not do that, and using it does not satisfy that requirement.

SiteSecurityScore also does not make you PCI compliant. Compliance is determined by your assessor or by your Self Assessment Questionnaire across the full standard, including cardholder data environment segmentation, access control, written policies, and network configuration that no web scanner can evaluate. What SiteSecurityScore does is help you gather clean, specific evidence for the narrow set of web and transport configuration items that several requirements ask you to demonstrate.

How SiteSecurityScore helps your PCI evidence

Transmission encryption checks

Verify the TLS version, cipher strength, and HSTS that Requirement 4 expects, plus mixed content detection so cardholder data is never sent over an unencrypted channel.

Secure header configuration

Review Content Security Policy, HSTS, X-Frame-Options, and the rest of your security headers as supporting evidence for the secure system configuration in Requirement 6.

Payment page script visibility

Enumerate external scripts loaded by a page and flag whether Subresource Integrity is present, which supports the script inventory and integrity intent of Requirement 6.4.3.

Exportable PDF reports

Attach a point-in-time PDF report of your configuration to an audit file so an assessor can see the exact state of headers, TLS, and scripts on a given date.

REST API for your pipeline

Run configuration checks automatically in CI so a regression in TLS, headers, or CSP on a payment page is caught before it reaches production.

Letter grade and specific fixes

Get a single grade plus copy-and-paste remediation for each gap, which turns a scan into a concrete worklist for your secure configuration tasks.

Ongoing change detection between formal tests

A single scan is a point in time. Requirement 11 cares about detecting unauthorized changes, including changes to payment page scripts and headers. Daily monitoring gives you continuous evidence that your configuration has not drifted, which complements, but does not replace, ASV scanning and penetration testing.

SiteSecurityScore daily monitoring rescans your site every day and emails you when a security header, TLS setting, Content Security Policy, or external script changes. For a payment page that is a useful tripwire, because an unexpected new third party script or a weakened header shows up in your inbox rather than in an incident report months later.

Automated daily rescans

Each monitored site is scanned once per day across headers, TLS, CSP, cookies, and external scripts.

Alerts on configuration drift

Get an email when a header is removed, a TLS setting weakens, or a new external script appears on a payment page.


Evidence your web and transport configuration

Run a free scan and get a graded report of your TLS, HSTS, security headers, Content Security Policy, and external script integrity. It is a fast way to gather supporting evidence for the web-focused parts of PCI DSS. It is not an ASV scan and does not make you PCI compliant.


Frequently asked questions

Is SiteSecurityScore a PCI ASV scan?

No. SiteSecurityScore is not an Approved Scanning Vendor (ASV) and it does not perform an ASV scan. PCI DSS Requirement 11 calls for quarterly external vulnerability scans run by a PCI SSC Approved Scanning Vendor, and only an authorized ASV can deliver a passing ASV scan report for your assessment. SiteSecurityScore is a focused web security scanner that helps you evidence specific technical configuration requirements such as transmission encryption and secure web headers, but it is not a substitute for an ASV scan.

Does SiteSecurityScore make my site PCI DSS compliant?

No. No single tool makes you PCI DSS compliant. PCI DSS spans network security, access control, cardholder data environment segmentation, written policies, vulnerability management, and more. SiteSecurityScore helps you evidence a focused subset of the technical web and transport configuration requirements, such as strong cryptography in transit and secure web headers. Compliance is determined by your assessor or Self Assessment Questionnaire, not by a scanner.

Which PCI DSS requirements does SiteSecurityScore help with?

SiteSecurityScore is most useful for Requirement 4, which covers protecting cardholder data with strong cryptography during transmission over open networks, and Requirement 6, which covers developing and maintaining secure systems. It checks TLS versions, cipher strength, and HSTS for transmission encryption, and it checks security headers, Content Security Policy, and Subresource Integrity on external scripts to support secure web configuration and the payment page script management expectations in Requirement 6.4.3. It also supports Requirement 11 change detection through daily monitoring.

How does SiteSecurityScore help with PCI DSS 6.4.3 payment page scripts?

Requirement 6.4.3 asks merchants to manage and inventory the scripts that load in the consumer browser on payment pages, confirm each script is authorized, and assure its integrity. SiteSecurityScore helps here partially. It enumerates external scripts loaded by a page, flags whether Subresource Integrity (SRI) is present on those external scripts, and reviews the Content Security Policy that governs which script sources a payment page can load. This is supporting evidence for your script inventory and integrity controls, not a complete 6.4.3 solution.
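The script inventory and SRI check described in the Requirement 6 section, the "Payment page script visibility" feature, and this answer can be expressed as a small program. The following is an added example written for this page, not SiteSecurityScore's own code: it parses a checkout page for script tags, classifies each as inline, same-origin, or external, flags external scripts without a valid integrity attribute, and shows how an integrity value is derived and verified. The page HTML, the script body, and the hosts shop.example, cdn.example, and analytics.example are constructed sample data; only the Python standard library is used.

```python
"""Payment-page script inventory with Subresource Integrity (SRI) checks.

Added example using only the standard library. The checkout page HTML and
the script body below are constructed sample data, not fetched from any
real site; shop.example, cdn.example and analytics.example are placeholders.
"""
import base64
import hashlib
import hmac
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# An integrity value is "<algo>-<base64 digest>" with algo sha256/384/512.
SRI_RE = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(integrity: str, body: bytes) -> bool:
    """Browser-style check: does the fetched body match the declared hash?"""
    if not SRI_RE.match(integrity):
        return False
    algo = integrity.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(body, algo), integrity)


# Constructed body of the one authorized third-party script; its hash is
# embedded in the sample page as the integrity attribute.
LIB_BODY = b"export function pay(amount) { return amount; }\n"
LIB_SRI = sri_hash(LIB_BODY)

PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = f"""
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="{LIB_SRI}"
        crossorigin="anonymous"></script>
<script src="https://analytics.example/tag.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> start tag in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def inventory(page_url: str, html: str) -> list[dict]:
    """Classify each script as inline, same-origin, or external, and grade SRI."""
    parser = ScriptCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).netloc
    rows = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            rows.append({"src": None, "kind": "inline", "integrity": None,
                         "finding": "inline script: SRI not applicable, govern with CSP"})
            continue
        full = urljoin(page_url, src)
        kind = "external" if urlsplit(full).netloc != page_host else "same-origin"
        integrity = attrs.get("integrity")
        if kind == "same-origin":
            finding = "ok: same-origin script"
        elif integrity is None:
            finding = "MISSING: external script has no integrity attribute"
        elif not SRI_RE.match(integrity):
            finding = "MALFORMED: integrity attribute is not a valid SRI value"
        elif "crossorigin" not in attrs:
            finding = "WEAK: integrity present but crossorigin attribute missing"
        else:
            finding = "ok: SRI present"
        rows.append({"src": full, "kind": kind, "integrity": integrity, "finding": finding})
    return rows


def unverified_external(rows: list[dict]) -> list[str]:
    """Sources of external scripts that would load without integrity checking."""
    return [r["src"] for r in rows
            if r["kind"] == "external" and not r["finding"].startswith("ok")]


if __name__ == "__main__":
    for row in inventory(PAGE_URL, SAMPLE_HTML):
        print(f"{row['kind']:<12} {row['src'] or '(inline)':<40} {row['finding']}")
```

The output of `inventory` is the evidence artifact: a dated list of every script on the payment page with its origin and SRI state, which is what an assessor reviewing 6.4.3 wants to see alongside the CSP that restricts which sources may load at all. Note that `crossorigin` is checked too, because without it a browser will not apply the integrity check to a cross-origin fetch.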

Can SiteSecurityScore monitoring support PCI DSS Requirement 11 change detection?

Partially. Requirement 11 includes detecting unauthorized changes, including changes to payment page scripts and headers. SiteSecurityScore daily monitoring rescans your site every day and emails you when a security header, TLS setting, Content Security Policy, or external script changes. That change detection is useful evidence of ongoing review, but it does not replace the broader vulnerability scanning, penetration testing, and ASV scanning that Requirement 11 requires.
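The drift detection described under "Ongoing change detection between formal tests" and in this answer boils down to comparing two daily snapshots and raising an alert for each security-relevant difference. The following is an added example written for this page, not SiteSecurityScore's monitoring code: the snapshot layout, the two snapshots, the severity scheme, and the hosts cdn.example and analytics.example are all constructed assumptions, and the integrity value in the old snapshot is a labelled placeholder rather than a real hash.

```python
"""Drift check between two daily configuration snapshots of a payment page.

Added example, not SiteSecurityScore's code. The snapshot layout and the two
snapshots below are constructed sample data; a real monitor would fill them
from its own scan results. Domains are placeholders.
"""
from dataclasses import dataclass

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Headers whose loss or change on a payment page is worth an email.
WATCHED_HEADERS = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
]

# Constructed snapshot from the previous day's scan.
YESTERDAY = {
    "headers": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "tls": {"min_version": "TLSv1.2"},
    "scripts": [
        {"src": "https://cdn.example/lib.js", "integrity": "sha384-CONSTRUCTED-PLACEHOLDER"},
    ],
}

# Constructed snapshot from today: HSTS gone, script-src loosened, TLS floor
# lowered, an unexpected third-party script added, and SRI dropped from lib.js.
TODAY = {
    "headers": {
        "Content-Security-Policy": ("default-src 'self'; script-src 'self' https://cdn.example "
                                    "https://analytics.example 'unsafe-inline'"),
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "tls": {"min_version": "TLSv1.0"},
    "scripts": [
        {"src": "https://cdn.example/lib.js", "integrity": None},
        {"src": "https://analytics.example/tag.js", "integrity": None},
    ],
}


@dataclass(frozen=True)
class Alert:
    severity: str  # "high", "medium" or "info"
    item: str      # header name, "tls", or script URL
    detail: str


def _script_src(csp: str) -> set[str]:
    """Source tokens of script-src, falling back to default-src as browsers do."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = set(tokens[1:])
    return directives.get("script-src", directives.get("default-src", set()))


def diff_snapshots(old: dict, new: dict) -> list[Alert]:
    """Compare two snapshots and return the alerts a daily monitor would raise."""
    alerts: list[Alert] = []
    oh = {k.lower(): v for k, v in old["headers"].items()}
    nh = {k.lower(): v for k, v in new["headers"].items()}
    for name in WATCHED_HEADERS:
        if name in oh and name not in nh:
            alerts.append(Alert("high", name, "header removed"))
        elif name not in oh and name in nh:
            alerts.append(Alert("info", name, "header added"))
        elif name in oh and oh[name] != nh[name]:
            severity, detail = "medium", f"changed from {oh[name]!r} to {nh[name]!r}"
            if name == "content-security-policy":
                # Any new script source on a payment page is the 6.4.3 case.
                added = _script_src(nh[name]) - _script_src(oh[name])
                if added:
                    severity, detail = "high", f"script-src gained {sorted(added)}"
            alerts.append(Alert(severity, name, detail))

    old_tls, new_tls = old["tls"]["min_version"], new["tls"]["min_version"]
    if TLS_ORDER.index(new_tls) < TLS_ORDER.index(old_tls):
        alerts.append(Alert("high", "tls", f"minimum version weakened from {old_tls} to {new_tls}"))

    old_scripts = {s["src"]: s for s in old["scripts"]}
    new_scripts = {s["src"]: s for s in new["scripts"]}
    for src in sorted(new_scripts.keys() - old_scripts.keys()):
        alerts.append(Alert("high", src, "new external script on payment page"))
    for src in sorted(old_scripts.keys() - new_scripts.keys()):
        alerts.append(Alert("medium", src, "script no longer loaded"))
    for src in sorted(old_scripts.keys() & new_scripts.keys()):
        if old_scripts[src].get("integrity") and not new_scripts[src].get("integrity"):
            alerts.append(Alert("high", src, "integrity attribute removed"))
        elif old_scripts[src].get("integrity") != new_scripts[src].get("integrity"):
            alerts.append(Alert("medium", src, "integrity attribute changed"))
    return alerts


if __name__ == "__main__":
    for alert in diff_snapshots(YESTERDAY, TODAY):
        print(f"[{alert.severity.upper():<6}] {alert.item}: {alert.detail}")
```

Running the comparison in the direction shown produces five high-severity alerts, which is the tripwire the text describes: a new third-party script and a dropped integrity attribute surface the day they appear. Run the other way (today's state as the baseline, yesterday's as the new scan) the same differences are reported as hardening, with no high alerts, so the check distinguishes drift from improvement rather than just flagging any change.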

Is SiteSecurityScore free, and what evidence can I export?

SiteSecurityScore offers free website security scans covering security headers, TLS and SSL, DNS, cookies, CORS, security.txt, mixed content, and Subresource Integrity on external scripts. You get a letter grade with specific fixes. Paid plans add PDF reports you can attach to an audit file, a REST API for automated checks in your pipeline, daily monitoring with email alerts, a browser extension for authenticated pages, and an MCP connector. The PDF report is a convenient way to attach point-in-time configuration evidence to your assessment.
