The Payment Card Industry (PCI) Data Security Standard (DSS) is a well-known general data security standard that is applicable to all organizations that store, process, or transmit payment card data. It was first released in 2006 by the Payment Card Industry (PCI) Security Standards Council (SSC), a joint initiative of the card brands Visa, Mastercard, American Express, Discover, and JCB.
The latest version of PCI DSS – version 4.0 – was released in March 2022 and contains 64 new requirements that organizations seeking compliance must fulfill. Two of these new requirements are focused on the integrity of pages where payment is taken on an e-commerce website and aim to stop e-commerce skimming (Magecart) attacks.
1. What are the two new requirements to prevent and detect e-commerce skimming attacks?
- Requirement 6.4.3 (preventative)
- Requirement 11.6.1 (detective)
The second new requirement, 11.6.1, aims to detect tampering with, or unauthorized changes to, the payment page, which can indicate a skimming-type attack. In addition to detecting changes, the requirement demands that an alert is generated when such changes are detected. There is no requirement to block changes or malicious activity, only to raise an alert.
2. How can E-commerce websites meet the new requirements?
To meet these two new requirements, e-commerce companies must focus on:
- Managing the risk associated with each script: Where does it come from? What does it do?
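The script inventory above (6.4.3) and the change-and-alert check described under 11.6.1 can be exercised together. The following is an added example, not code from the original article or from the PCI SSC: it extracts every script on a captured payment page, hashes each one, and compares the result with an authorized baseline, raising an alert for scripts that were added, removed or changed. The page HTML and the external script bodies are constructed stand-ins; a real monitor would fetch them over HTTP.

```python
import hashlib
from html.parser import HTMLParser

# Constructed payment page HTML, as captured at baseline time and on a later check (not a real site).
BASELINE_HTML = """<html><body><form id="card"></form>
<script src="https://pay.example.test/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script></body></html>"""
MODIFIED_HTML = """<html><body><form id="card"></form>
<script src="https://pay.example.test/checkout.js"></script>
<script src="https://cdn.unknown.test/loader.js"></script>
<script>window.checkoutConfig = {currency: "USD", debug: true};</script></body></html>"""
# Constructed stand-in for fetching external script bodies over HTTP (no network in this example).
EXTERNAL_SCRIPTS = {"https://pay.example.test/checkout.js": "function pay(){/* checkout logic */}",
                    "https://cdn.unknown.test/loader.js": "/* not on the authorized list */"}

class ScriptCollector(HTMLParser):
    """Collects every <script> element on the page as (src or None, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._body = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._body = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._body is not None:
            self._body.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._body)))
            self._src, self._body = None, None

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def script_inventory(html, fetch=EXTERNAL_SCRIPTS.get):
    """Map each script to a content hash: external scripts keyed by URL, inline ones by position."""
    parser = ScriptCollector(); parser.feed(html)
    inventory, n = {}, 0
    for src, body in parser.scripts:
        if src:
            inventory[src] = sha256(fetch(src) or "")   # hash of the fetched external script
        else:
            inventory[f"inline#{n}"] = sha256(body.strip()); n += 1
    return inventory

def detect_changes(baseline, current):
    """Compare the current inventory with the authorized baseline; each difference is an alert."""
    alerts = [("ADDED", k) for k in current.keys() - baseline.keys()]      # not in the 6.4.3 inventory
    alerts += [("REMOVED", k) for k in baseline.keys() - current.keys()]
    alerts += [("CHANGED", k) for k in baseline.keys() & current.keys() if baseline[k] != current[k]]
    return sorted(alerts)
```

Run periodically against the live page, the returned alerts are what 11.6.1 expects to be raised; the baseline is the authorized inventory that 6.4.3 requires you to maintain.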
3. The business impact of version 4.0 - Why should companies worry now?
Any organization that wants to accept a transaction with a payment card issued by a PCI SSC participating card brand is required to sign a contract that references the card brand’s rules, which specify that:
- The organization has to comply with PCI DSS;
- The organization has to make sure that all of their third-party service providers that can affect the security of cardholder data comply with PCI DSS.
The latest version of PCI DSS was released in March 2022 and replaces version 3.2.1. These two new requirements are labeled as “a best practice until 31 March 2025”, meaning that they will not be evaluated in a formal PCI DSS assessment until after 31 March 2025.
Although that date may seem far off, it is highly recommended that companies do not delay implementing the new security requirements: e-commerce skimming attacks continue to grow in popularity, and all e-commerce websites are at risk.