ScriptPatrol is opening up. Continuous monitoring of the JavaScript running on your checkout, login, and admin pages — the layer your firewall and server can't see — is free during our open beta. No credit card, no sales call, no trial that quietly turns into an invoice. This post explains why client-side monitoring matters, what good looks like, and how to switch it on for your store in a few minutes.
The problem nobody can see
A modern checkout page runs code from many places: your platform, analytics, tag managers, payment widgets, A/B testing, chat, and third-party libraries loaded from CDNs. Any one of those scripts can read what a customer types into a payment form. When an attacker compromises a single third-party script — the technique known as Magecart or web skimming — they don't breach your server at all. They quietly add a few lines of JavaScript that copy card data as it's entered. The page looks completely normal. Customers notice nothing. Merchants typically find out weeks later, from their acquirer.
These attacks remain one of the most common causes of card-data loss in e-commerce precisely because the change is invisible to the naked eye and doesn't trip traditional server security. The only reliable way to catch it is to know exactly which scripts belong on a payment page and to be told the moment that set changes.
Where PCI DSS fits in
PCI DSS 4.0 describes two controls that map exactly to client-side monitoring:
- Requirement 6.4.3 — maintain an inventory of every script on payment pages, with justification and a record of who authorized each one.
- Requirement 11.6.1 — run a change- and tamper-detection mechanism that alerts your team when scripts or security headers on payment pages are modified.
These apply to merchants who file SAQ A-EP or SAQ D. Most small e-shops use a hosted or redirect payment page and file SAQ A, which since March 31, 2025 no longer requires 6.4.3 or 11.6.1. Either way, the underlying control is just good hygiene: it is the difference between discovering a skimmer in minutes and discovering it in a breach notification. For a deeper walkthrough of who these requirements apply to, see our PCI DSS script requirements explainer.
What “good” looks like
You don't need a security team to meet these requirements, but you do need a few things to be true on an ongoing basis:
- A current, dated inventory of every script on each payment and checkout page.
- Integrity verification so a changed script is detected, not just a changed filename.
- An alert the same day a script or security header changes — not weeks later.
- A timestamped history you can export as evidence without assembling it by hand.
- Coverage of the pages that actually matter: checkout, payment, cart, login and admin.
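A minimal sketch of the inventory-and-integrity idea in the list above, added here as an illustration and not ScriptPatrol's own code. The snapshot structure, function names, URLs and script bodies are assumptions constructed for the example.

```python
import hashlib

def fingerprint(snapshot):
    """Map every script on a page to the SHA-256 of its content.

    External scripts are keyed by URL; inline scripts have no URL, so they are
    keyed by their hash (an edited inline script shows as removed + added).
    """
    inventory = {}
    for script in snapshot["scripts"]:
        digest = hashlib.sha256(script["body"].encode("utf-8")).hexdigest()
        inventory[script.get("src") or f"inline:{digest[:16]}"] = digest
    return inventory

def diff_snapshots(baseline, current, watched_headers=("content-security-policy",)):
    """Return (kind, subject) findings between a baseline and a new snapshot."""
    old, new = fingerprint(baseline), fingerprint(current)
    findings = [("script_added", k) for k in sorted(new.keys() - old.keys())]
    findings += [("script_removed", k) for k in sorted(old.keys() - new.keys())]
    # Same URL, different bytes: the case a filename-only inventory misses.
    findings += [("script_modified", k) for k in sorted(old.keys() & new.keys())
                 if old[k] != new[k]]
    findings += [("header_changed", h) for h in watched_headers
                 if baseline["headers"].get(h) != current["headers"].get(h)]
    return findings

# Constructed sample snapshots (hypothetical URLs and script bodies).
BASELINE = {
    "headers": {"content-security-policy": "script-src 'self' https://cdn.example"},
    "scripts": [
        {"src": "https://shop.example/js/checkout.js", "body": "submitOrder();"},
        {"src": "https://cdn.example/lib.js", "body": "function track(){}"},
    ],
}
CURRENT = {
    "headers": {"content-security-policy": "script-src *"},
    "scripts": [
        {"src": "https://shop.example/js/checkout.js", "body": "submitOrder();"},
        {"src": "https://cdn.example/lib.js", "body": "function track(){} /* appended code */"},
        {"body": "console.log('new inline block');"},
    ],
}

if __name__ == "__main__":
    for kind, subject in diff_snapshots(BASELINE, CURRENT):
        print(f"{kind:16} {subject}")
```

The CDN script keeps its URL in both snapshots, so only the content hash reveals that it changed.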
Doing this by hand — spreadsheets of script hashes, manual diffs, screenshots for the auditor — is slow and tends to lapse exactly when it matters. That is the gap ScriptPatrol exists to close, and during open beta it does it for free.
Free during open beta
Every account in the open beta gets the full product at no cost — no credit card, no expiring trial:
- Automated daily scanning of your checkout, login, and admin pages
- Complete script inventory with SHA-256 integrity verification
- Change detection with email and Slack alerts
- A+ to F Security Score, plus exportable PDF reports and a timestamped audit trail
- No installation — monitoring runs externally, zero impact on your site
Who should turn this on now
If customers enter card or login details on a page on your domain — even when the actual processing happens inside a hosted field or iframe — that page is worth watching, because a compromised script there can still read what they type. That includes most stores on WooCommerce, PrestaShop, Magento 2, BigCommerce, OpenCart and Shoptet, as well as custom checkouts. If you cannot today produce a current list of the scripts on your checkout page, the free beta is the fastest way to fix that.
Open beta means we are still polishing and adding features, and we genuinely want feedback. It does not mean limited monitoring — the protection and the reporting are real and running today.
Get started in a few minutes
Create a free account, add your store's domain, and the relevant payment and checkout pages are found and put under monitoring — no code changes and nothing to install on your site. Within a day you have your first inventory and a baseline to alert against.
Payment-page skimming isn't a rare, exotic threat — it is one of the most common ways card data leaks from e-commerce, and it runs in a layer your other defenses never see. While monitoring it is free, there is little reason not to.