E-commerce skimming, also known as form-jacking or Magecart attacks, represents the majority of criminal attacks against payment card data. They are simple to do and are hidden from the merchant or retailer, and the cardholder. It is for this reason that the newest version of PCI DSS now contains requirements aimed at preventing and detecting these types of attacks.
In this blog post, let’s look at these attacks and the steps toward prevention.
Understanding the attack
The new requirements in PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) is the industry standard applicable to all organizations that store, process or transmit cardholder data or who can affect the security of cardholder data. It is managed by the Payment Card Industry Security Standards Council (PCI SSC) and enforced by the major card brands such as Visa and Mastercard.
The latest version of PCI DSS (v4.0) contains two new requirements to protect against, and to detect, these E-commerce skimming attacks.
The first of these requirements (6.4.3) aims to prevent these attacks by limiting and managing the attack surface by ensuring that organizations:
- Maintain an inventory of every script on the payment page;
- Ensure each script is approved, and that the reason for the script’s use is documented;
- Ensure the integrity of every script - so that the script loaded into the consumer’s browser hasn’t been tampered with or altered.
The second requirement (11.6.1) requires organizations to detect unauthorized modifications (i.e., tampering) of any scripts, and then to produce an alert, so the malicious script can be reviewed by the website owner.
Jscrambler’s client-side security platform enables compliance with both of the new PCI DSS requirements by providing a real-time inventory of scripts, validating the integrity of the script and providing an alert when a script has been tampered with.
There are, of course, other ways of meeting these requirements such as the use of a Content Security Policy (CSP) to define what scripts can be loaded and Subresource Integrity (SRI), which can validate the integrity of every script. However, practically these solutions are hard to implement and are both difficult and resource-intensive to maintain.
This new version of PCI DSS becomes mandatory from 1st April 2024, however, like many of the new requirements in the standard, the ones designed to defeat E-commerce skimming attacks only become mandatory after 1st April 2025. Until that date, they are described as a best practice.
The regulator’s view
Two high-profile E-commerce skimming attacks have resulted in regulatory action under the GDPR because payment card data is personal data. In the case of British Airways, the skimming code was added to a library located on an internal web server, and in the case of Ticketmaster, the third-party provider of a real-time chat application was targeted by the criminals.
In both cases, the failure of the company to put in place appropriate technical measures to prevent such skimming attacks was found to be a breach of the GDPR’s security principle by the UK’s Information Commissioner’s Office who has commented on “the clear risk of third party scripts within a payment page”.
Although the new requirements in PCI DSS are not mandatory until April 2025, they are indicated as a “best practice” until this date. However regulators are aware of the danger of skimming attacks, and organizations should consider whether, given the state of the art in protecting against such attacks by using products such as Jscrambler’s client-side security platform, implementing such protections in advance of the PCI DSS deadline would be beneficial to meet the test of “appropriateness” in GDPR.
- What’s that script for?
- Where is it being loaded from?
- How much do I trust it?
Take the first step towards client-side security and compliance today by requesting a free website inventory report!