My build to be compliant with 6.4.3 and 11.6.1

Hi there,

Recently I created this subject: https://www.reddit.com/r/pcicompliance/comments/1ix4gfj/how_to_be_compliance_with_1161_a_change_and/

You recommended a lot of different programs, but unfortunately, most of them didn't work for us, because our budget is ~$1000. So, I have started thinking about how to comply with these requirements as cheaply as we can, and I need your feedback on how I can improve or what gaps I have.

6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:

  • A method is implemented to confirm that each script is authorized.
    • CSP policy in place.
  • A method is implemented to ensure the integrity of each script.
    • Wazuh or OSSEC (other FIM) monitoring local scripts.
    • However, third-party scripts are not protected. There is a security feature called SRI (Subresource Integrity), but we’re unsure how to apply it to third-party scripts. If the vendor updates the script, the hash will change, causing a mismatch with our hardcoded hash. This could break our payment page, leading to a significant business impact.
      • Any suggestion on how to secure third-party scripts?
      • Should we use SRI also for local scripts, if we monitor them via FIM?
  • An inventory of all scripts is maintained with written justification as to why each is necessary.
    • We will do it manually; it's not so hard for us.

11.6.1 A change- and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
    • CSP policy is configured to report, and there are free solutions.
  • The mechanism is configured to evaluate the received HTTP header and payment page.
    • CSP policy will cover it too.

Basically, we have only a CSP policy for 11.6.1, but from my understanding, it's not enough to be compliant with 11.6.1. Do I understand correctly? I mean, CSP can't handle all attacks on the client side.
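Added example (not from the post or any reply): a small Python script that ties the pieces of the setup above together for a budget build. It keeps the 6.4.3 inventory (URL, written justification, SRI hash), renders the `<script>` tags with `integrity` attributes, builds a CSP `script-src` allowlist with a reporting endpoint, re-hashes what each script URL currently serves so a vendor update shows up as a detected change rather than a silently broken page, and filters CSP violation reports down to unlisted script loads on the payment page. All hostnames, paths, script bodies and the sample reports are constructed for the example; the `/csp-report` endpoint is a placeholder.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample script bodies (stand-ins for what the web server and the vendor CDN serve).
LOCAL_SCRIPT = b"document.getElementById('pay').addEventListener('submit', validate);\n"
VENDOR_SCRIPT_V1 = b"window.Checkout = { tokenize: function (c) { return 'tok_' + c.slice(-4); } };\n"
VENDOR_SCRIPT_V2 = VENDOR_SCRIPT_V1 + b"window.Checkout.version = 2;\n"  # a vendor update

# Constructed inventory input: (url, written justification, body at the time of approval).
SCRIPTS = [
    ("https://shop.example/js/pay.js", "Client-side validation of the card form", LOCAL_SCRIPT),
    ("https://js.vendor.example/checkout.js", "Tokenizes card data for the payment provider", VENDOR_SCRIPT_V1),
]

# Constructed CSP violation reports in the report-uri JSON shape a browser POSTs.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "violated-directive": "script-src-elem",
                               "blocked-uri": "https://unknown.example/extra.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/",
                               "violated-directive": "script-src",
                               "blocked-uri": "https://cdn.example/widget.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "violated-directive": "img-src",
                               "blocked-uri": "https://tracker.example/p.gif"}}),
]


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_inventory(scripts):
    """6.4.3 inventory: URL -> justification, SRI hash and serving origin."""
    return {
        url: {"justification": why, "integrity": sri_hash(body), "origin": urlsplit(url).netloc}
        for url, why, body in scripts
    }


def script_tag(url, inventory):
    """Render the script tag with the pinned integrity value from the inventory."""
    entry = inventory[url]
    return f'<script src="{url}" integrity="{entry["integrity"]}" crossorigin="anonymous"></script>'


def build_csp(inventory, report_endpoint):
    """Authorization control: only origins present in the inventory may serve scripts;
    violations are reported to `report_endpoint` for review."""
    origins = sorted(f"https://{e['origin']}" for e in inventory.values())
    return (
        "default-src 'self'; "
        f"script-src 'self' {' '.join(origins)}; "
        "object-src 'none'; base-uri 'self'; "
        f"report-uri {report_endpoint}"
    )


def check_integrity(inventory, fetched):
    """Change detection: re-hash what each URL currently serves (`fetched` maps URL -> body)
    and return the URLs whose content no longer matches the approved hash."""
    return sorted(url for url, body in fetched.items()
                  if sri_hash(body) != inventory[url]["integrity"])


def triage_csp_reports(raw_reports, inventory, payment_path="/checkout"):
    """Keep only script-src violations on the payment page whose source is not in the inventory."""
    hits = []
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        if not r["violated-directive"].startswith("script-src"):
            continue
        if urlsplit(r["document-uri"]).path != payment_path:
            continue
        if r["blocked-uri"] not in inventory:
            hits.append(r["blocked-uri"])
    return hits


if __name__ == "__main__":
    inv = build_inventory(SCRIPTS)
    for url in inv:
        print(script_tag(url, inv))
    print("Content-Security-Policy:", build_csp(inv, "/csp-report"))
    # The vendor shipped a new version: the scheduled re-hash flags it instead of the page just failing.
    print("changed:", check_integrity(inv, {"https://js.vendor.example/checkout.js": VENDOR_SCRIPT_V2}))
    print("unlisted script loads on payment page:", triage_csp_reports(SAMPLE_REPORTS, inv))
```

The design point for the third-party concern raised in the post: `check_integrity` is meant to run on a schedule against the vendor URL, so a hash change becomes a reviewed change event (re-approve, update the inventory, redeploy the tag) rather than a surprise outage. `report-uri` is deprecated in favour of `report-to` but is still the more widely supported of the two; both can be sent together.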