March 14, 2023

Three things you need to know about PCI DSS v4.0

By Jscrambler | 3 min read

The Payment Card Industry (PCI) Data Security Standard (DSS) is a well-known general data security standard that is applicable to all organizations that store, process, or transmit payment card data. It was first released in 2006 by the Payment Card Industry (PCI) Security Standards Council (SSC), a joint initiative of the card brands Visa, Mastercard, American Express, Discover, and JCB.

The latest version of PCI DSS, version 4.0, was released in March 2022 and contains 64 new requirements that organizations seeking compliance must fulfill. Two of these new requirements focus on the integrity of the pages where payment is taken on an e-commerce website and aim to stop e-commerce skimming (Magecart) attacks.

1. What are the two new requirements to prevent and detect e-commerce skimming attacks?

1 - Requirement 6.4.3 (Preventative)

The first new requirement is designed to minimize the attack surface and manage all JavaScript present on the payment page by requiring an approval process and a written justification for each script added to it. Its goal is to ensure that every script included in the payment page is actively managed. Additionally, the requirement calls for a defined method of validating the integrity of each script, so that malicious scripts cannot be placed on the payment page unnoticed.

2 - Requirement 11.6.1 (Detective)

The second new requirement aims to detect tampering or unauthorized changes to the payment page, which can be indicative of a skimming-type attack. In addition to detecting changes, the requirement demands that an alert is generated when such changes are detected. There is no requirement to block the changes or the malicious activity, only to raise an alert.

2. How can e-commerce websites meet the new requirements?

To meet these two new requirements, e-commerce companies must focus on:

  • Gaining visibility of the JavaScript that’s loaded into their webpages
  • Managing the risk associated with each script: Where does it come from? What does it do?
  • Having control of JavaScript, so that malicious scripts can be blocked or deactivated

3. The business impact of version 4.0 - Why should companies worry now?

Any organization that wants to accept a transaction with a payment card issued by a PCI SSC participating card brand is required to sign a contract that will contain references to the card brand’s rules which will specify that:

  • The organization has to comply with PCI DSS;
  • The organization has to make sure that all of their third-party service providers that can affect the security of cardholder data comply with PCI DSS.

The latest version of PCI DSS was released in March 2022 and will be replacing version 3.2.1. These two new requirements are labeled as “a best practice until 31 March 2025”, meaning that they will not be evaluated in a formal PCI DSS assessment until after 31st March 2025.

Although it seems there is still a long way to go until then, it’s highly recommended that companies do not delay the implementation of the new security requirements, as e-commerce skimming attacks continue to grow in popularity today and all e-commerce websites are at risk.

It is imperative that merchants gain visibility, risk management, and control of JavaScript before the standard requires it in order to protect payment card data and guarantee compliance with the new PCI DSS requirements.

Jscrambler’s Solution

Jscrambler’s Solution allows companies to achieve compliance with the new requirements of PCI DSS v4.0 developed to prevent and detect e-commerce (e.g. Magecart) skimming attacks. It provides merchants with visibility, risk management, and control of all JavaScript running on their websites. The new requirements mandate that e-commerce businesses maintain a full inventory of every script on their payment page. Businesses are also expected to validate the integrity of every script to ensure that those loaded into the consumer’s browser haven’t been tampered with. Jscrambler goes one step further than the new requirements and can be configured to automatically block all attempts to skim cardholder data from e-commerce transactions.

Tags: PCI DSS
Author: Jscrambler. The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.