Act Now: New PCI DSS v4.0 Requirements Address Browser-Based Attacks

Attention online retailers and e-commerce vendors: When it comes to protecting client-side data and online payments against digital skimming and Magecart attacks, there’s a new sheriff in town.

In March of 2022, the Payment Card Industry (PCI) Security Standards Council released a revised version of its Data Security Standard, PCI DSS v4.0, which delineates the minimum security requirements that merchants must meet when they store, process, and transmit cardholder data. The revised requirements include a number of enhancements to ensure safe and secure online transactions to protect consumers, businesses, and card issuers during online commercial transactions.

The new requirements focus on the need to monitor and manage browser-based, third-party JavaScript libraries that are incorporated into e-commerce websites to provide out-of-the-box functionality such as payment processing iFrames, chatbots, advertising, social sharing buttons, and tracking scripts. While these JavaScript libraries help businesses speed up website development, they also open a wide threat vector for cybercriminals, as these scripts can be easily compromised via digital skimming and Magecart attacks to steal credentials, credit card information, and other PII.

While these breaches are clearly detrimental to the consumers who are defrauded, they are also bad for your business, as they can result in compliance violations, loss of revenue, decline in share price, hostile reviews in social media, and damaged brand equity.   

Though compliance with the new PCI DSS 4.0 requirements isn’t mandated until 2025, don’t wait! The types of attacks the requirements are addressing are happening today. Now is the time to protect your business reputation and your customers from attacks and fraud by enacting the enhanced protections as soon as possible.

What are the dangers of client-side attacks?

Not too long ago, commercial web applications were built as a monolithic piece of code served from an on-premises web server. However, today’s modern web applications are very different, and are often designed by stringing together JavaScript libraries from third parties, with much of the processing taking place client-side, in the consumer’s browser. It is estimated that 70%-80% of a typical web page is comprised of third-party libraries, and some of those scripts contain code from another set of third-party scripts. This long chain of code dependencies means that businesses don’t have much visibility or control of the code that is actually running on their websites.

Threat actors realize that because of the scope and scale of these nth-party dependencies, organizations struggle to properly manage, track, and secure the code that runs in their environment, and cannot even detect when code has changed or is exploited. This lack of visibility presents an opening for cybercriminals to inject malicious scripts into a legitimate web page or web application code and launch attacks to intercept, manipulate, and hijack user sessions. They are then able to skim personal data and payment information, take control and deface websites, present fake content, create new forms or alter legitimate forms—all of which can lay the ground for fraud and account takeover.

What PCI DSS v4.0 requires

The revised standard specifically identifies enhancements to client-side web security as critical for any business accepting online payments. The standard mandates that all payment page scripts that are loaded and executed in the consumer’s browser will require comprehensive management. Specifically, the new standard 6.4.3 requires e-commerce vendors to implement:

• A method to confirm that each script is authorized
• A method to assure the integrity of each script
• An inventory of all scripts with written justification as to why each is necessary

The new standard requires that merchants examine their policies and procedures to verify that processes are defined for managing all payment page scripts that are loaded and executed in the consumer’s browser. They must also interview responsible personnel and examine inventory records and system configurations to verify that all payment page scripts that are loaded and executed in the consumer’s browser are managed in accordance with all elements specified in this requirement.

In addition, section 11.6 of the revised standard requires that unauthorized changes on payment pages are detected and responded to. This requires a change- and tamper-detection mechanism that alerts personnel to unauthorized modification to the HTTP headers and the contents of payment pages as received by the consumer browser. The configuration settings must be examined at least once every seven days or at the frequency defined in the organization’s risk analysis assessment.

Complying with these requirements via manual or legacy solutions is costly and resource intensive. Because payment form scripts run on the client side, merchants have little visibility into their behavior, making it easy for malicious code to evade detection. In addition, merchants have little control over third-party code, such as the dynamic JavaScript libraries that operate web page features like payment processors, cookie consent forms, chatbots, or ad trackers, because they are frequently updated and changed, often without the merchant’s knowledge.

Existing detection techniques such as Sub-Resource Integrity (SRI), which conducts integrity checks to ensure scripts have not been tampered with, and Content Security Policy (CSP), which limit the locations browsers can load a script from and send data to, are no longer sufficient to protect today’s constantly changing web applications.

Help your business comply with PCI DSS v4.0, sooner than later

There’s no reason to wait until 2025 to comply with the security mandates required by PCI DSS v4.0. Act now to protect your business from attacks and your customers from fraud and account takeover.

F5 Distributed Cloud Client-Side Defense can immediately help you address the new PCI DSS v4.0 requirements and protect against Magecart, formjacking, digital skimming, PII harvesting attacks by automating the monitoring of web pages for suspicious code, generating actionable alerts, and stopping data exfiltration immediately with one-click mitigation.

For more information on how you can protect your customers’ privacy and your business from compliance violations while maintaining consumer trust and brand reputation,  read this solution overview or watch this product demo.