Why is this research important now?
Regulations and standards that aim to protect Personally Identifiable Information (PII) are becoming increasingly prominent, especially regarding the protection of payment pages.
The Payment Card Industry (PCI) Data Security Standard (DSS) is the key standard for all organizations that store, process, or transmit payment card data. Its latest version, 4.0, was released in March 2022 and adds 64 new requirements that organizations seeking compliance must fulfill. In an effort to curtail skimming (Magecart) attacks, two of these requirements focus on the integrity of the pages where payment is taken. Both are future-dated: they count as best practice until 31 March 2025 and become mandatory after that. They are:
- Requirement 6.4.3 requires all payment page scripts that are loaded and executed in the consumer's browser to be managed: each script must be authorized, its integrity assured, and an inventory of all scripts maintained with a written justification for why each one is necessary.
- Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) of the HTTP headers and the contents of payment pages as received by the consumer browser.
The main goal of the research is to highlight the importance of having visibility and control over the scripts present on payment pages, especially on e-commerce websites. Popular e-commerce sites in North America and Europe were selected for analysis to understand the scope of the problem and the potential points of failure. For each payment page we counted the scripts that are controlled by third parties. Our findings indicate that the attack surface is very large unless these sites find a way to identify, monitor and control the behavior of third-party scripts.
For these reports, 20 highly trafficked e-commerce websites, each with more than $50M in revenue, were selected. They come from diverse industries, including health, personal care, retail, groceries, home goods, consumer electronics, and airlines. Data collection focused on the payment pages. All data was collected using Jscrambler's Webpage Integrity, a holistic solution to detect and block, in real time, malicious behavior on the client side of web applications. The findings of the two reports are listed separately below.
- 60% of the analyzed websites have more than 10 different vendors on their payment pages.
- On average, 148 scripts are being loaded on the payment page; of these, 58% are third-party.
- One of the analyzed websites did not allow the retrieval of data.

- 80% of the analyzed websites have more than 10 different vendors on their payment pages.
- On average, 132 scripts are being loaded on the payment page, and from these, 97% are third-party.
- All websites allowed the retrieval of data.
Consider the potential damage if even one script is compromised - now multiply that by 100. Some of these e-commerce companies register hundreds of third-party scripts on their payment pages. We are witnessing a level of risk that demands action.
In general, website owners should carefully consider every third-party script they use and include only those that are necessary for the website to function properly. An automated client-side security solution helps to continuously monitor these "foreign" scripts and can also help the website comply with mandatory or recommended regulations.
Prevention: what should be done?
Jscrambler’s Webpage Integrity (WPI) is a holistic solution to detect and block, in real-time, unauthorized behavior on the client side of web applications. It prevents leaking or scraping of sensitive data and protects against web supply chain attacks like Magecart. WPI also addresses both of the new requirements in PCI DSS version 4. Download these reports to get more insights.