PCI London 2023: Taming the Client-Side Security Frontier

“I don’t have full control and visibility over third-party scripts on my website" is the most common concern we heard from security and risk professionals at PCI London 2023.

The event’s theme, 'Unravelling PCI DSS 4.0: Making the Great Leap Forward', was spot-on, as many people we encountered wanted to understand how new requirements would impact their business. More detailed:

• Requirement 6.4.3 demands that entities manage the JavaScript on payment pages. All JavaScript must be detailed in an inventory, be necessary for the payment page, be approved, and have its integrity assured.
  

  
  

• Requirement 11.6.1 requires changes to scripts and page headers to be detected on payment pages, and the appropriate alerts generated.
  
  
  

Jscrambler's free PCI DSS 4.0 compliance tool helps Merchants achieve compliance with requirements 6.4.3 and 11.6.1 of PCD DSS v4.0 and QSAs to validate compliance.

Try the new PCI DSS JavaScript Compliance Tool.

Insight from InfoSec Leaders About Preparing for PCI DSS v4

A complete risk analysis of third-party JavaScript is essential to charting a path toward 4.0. But for most, this work can seem daunting.

Client-side security (or what happens in the user browser) has typically been a low priority and not understood. Our advice is to start with the fundamentals:

1. Identify all third-party JavaScripts running on your websites and web apps;
   
   

2. Understand what they are doing and why;
   
   

3. Determine which Scripts should be allowed to access data in forms on payment pages and stop ones that should not from doing so.

Why is client-side security important?

The client-side is essentially the Wild Wild West of cybersecurity, a mostly untamed frontier that presents a huge vista of risk.

While network and server security has experienced much progress over the last decade, there is a state of lawlessness associated with the user’s browser, even though organizations can be held responsible for data leakage.

A recent survey showed that 99% of security professionals reported their website uses at least one third-party script, and more than 50% believed there was some or lots of risk associated with it. Yet over 50% stated that the third-party scripts running on their web properties change four or more times every year, but only 34% of respondents said they can detect changes or updates.

This supports a recent study Jscrambler conducted of 20 highly trafficked e-commerce websites in the US. One site had 249 third-party scripts loaded on the payment page. Another had 118 third-party domains receiving data from the payment page.

It seems impossible to imagine a world where security teams would let third-party code libraries run amok on their servers. Yet that is precisely what happens on websites every day. The attack surface has silently moved from the confines of corporate infrastructure that InfoSec teams can control to the consumer browser.

It’s time to change that, whether PCI DSS v4 is a concern or not.

Requirements 6.4.3 and 11.6.1: Protecting sensitive data

Requirements 6.4.3 and 11.6.1 won’t be enforced until April 1, 2025, but data is being stolen every day. Lots of it.

A recent study showed that in Q3 2022, nearly 109 million accounts were breached (a 70% increase over the prior quarter), or 14 accounts every second. Consider how much sensitive data people enter into websites every day. It is time to stop the leakage, especially where payment data is a concern.

It can take at least two years to implement a solution that aligns with the new PCI DSSv4 standards. For many large enterprises, the timeline will look like this:

• 2023: Identify gaps and analyze risk, investigate vendor solutions;
  
  

• 2024: Get the budget and resources needed, implement a solution, and refine it;
  
  

• April 1, 2025: Be prepared to meet the new standards.

We suggest now is the time to start preventing skimming attacks and other accidental forms of data leakage through the browser, so that you are ready for 4.0, but just as importantly, start reducing your risk sooner rather than later.