Key points
• An inventory without owners and business justification does not satisfy the real intent of 6.4.3.
• Repository monitoring is not the same as monitoring what the browser receives.
• The response process is as important as the detection signal.
Mistake 1. Tracking only your own scripts
PCI DSS also refers to scripts from third and fourth parties. If the inventory covers only first-party assets, the risk map is incomplete from the start.
Mistake 2. Treating CSP as the entire answer
CSP is useful, but it does not provide a complete inventory, written business justification, authorization evidence, or detection of every unauthorized change. It is one control layer, not the whole program.
Mistake 3. Watching Git instead of the browser page
Requirement 11.6.1 is tied to HTTP headers and payment page content as received by the customer browser. Repository or CMS checks can miss CDN changes, tag manager behavior, edge-layer delivery changes, and runtime modifications.
Mistake 4. Missing an owner for each script
Without an owner, an inventory becomes a list of URLs. Auditors and security teams need to know who requested each script, why it is needed, and who approves changes.
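As an added illustration of Mistakes 1 through 4 (this is example code, not part of the original page), the following check compares the page body and HTTP headers as the browser would receive them against an inventory that carries an owner and a business justification for each script; the inventory, URLs, headers and page sample are all constructed data.

```python
from html.parser import HTMLParser

# Constructed 6.4.3-style inventory (sample data): each approved script should
# carry an owner and a written business justification, not just a URL.
INVENTORY = {
    "https://shop.example/js/checkout.js": {"owner": "payments-team", "reason": "renders card form"},
    "https://psp.example/v3/tokenize.js": {"owner": "payments-team", "reason": "PSP tokenization"},
    "https://cdn.example/analytics.js": {"owner": "", "reason": ""},  # listed, but nobody owns it
}

class ScriptCollector(HTMLParser):
    """Record external script sources in page order and count inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self.inline += 1

def check_payment_page(html, headers):
    """Compare the received page body and headers with the inventory; return findings."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        entry = INVENTORY.get(src)
        if entry is None:
            findings.append(f"unauthorized script: {src}")
        elif not (entry["owner"] and entry["reason"]):
            findings.append(f"inventory entry without owner or justification: {src}")
    if parser.inline:
        findings.append(f"{parser.inline} inline script(s) not covered by the inventory")
    if "content-security-policy" not in {name.lower() for name in headers}:
        findings.append("missing header: content-security-policy")
    return findings

# Constructed sample of what a browser might receive: an unlisted tag-manager
# script, an inline script, and no CSP header in the response.
SAMPLE_HTML = """<head>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://psp.example/v3/tokenize.js"></script>
<script src="https://tags.example/tm.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>window.__dbg = 1;</script></head><body>card form</body>"""
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
```

Running `check_payment_page(SAMPLE_HTML, SAMPLE_HEADERS)` reports the unlisted script, the listed script with no owner, the inline script, and the missing CSP header; a repository check would see none of these if the extra script arrived via a tag manager or CDN.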
Mistake 5. Not testing the operating process
Even a good signal is weak if nobody knows what happens after the alert. Production payment pages need response-time expectations, notification channels, documented procedures, and evidence that the team can triage both false positives and real events.
Questions on this topic
Can repository monitoring replace payment page monitoring?
No. Repository monitoring can help, but it does not prove what the customer browser received after CDN, tag manager, third-party script, and runtime behavior are considered.