Attention online retailers and e-commerce vendors: When it comes to protecting client-side data and online payments against digital skimming and Magecart attacks, there’s a new sheriff in town.
In March of 2022, the Payment Card Industry (PCI) Security Standards Council released a revised version of its Data Security Standard, PCI DSS v4.0, which delineates the minimum security requirements that merchants must meet when they store, process, and transmit cardholder data. The revised requirements include a number of enhancements intended to protect consumers, businesses, and card issuers during online transactions.
While these breaches are clearly detrimental to the consumers who are defrauded, they are also bad for your business, as they can result in compliance violations, loss of revenue, decline in share price, hostile reviews in social media, and damaged brand equity.
Though compliance with the new PCI DSS 4.0 requirements isn’t mandated until 2025, don’t wait! The types of attacks the requirements are addressing are happening today. Now is the time to protect your business reputation and your customers from attacks and fraud by enacting the enhanced protections as soon as possible.
Threat actors realize that because of the scope and scale of these nth-party dependencies, organizations struggle to properly manage, track, and secure the code that runs in their environment, and cannot even detect when code has changed or is exploited. This lack of visibility presents an opening for cybercriminals to inject malicious scripts into a legitimate web page or web application code and launch attacks to intercept, manipulate, and hijack user sessions. They are then able to skim personal data and payment information, take control and deface websites, present fake content, create new forms or alter legitimate forms—all of which can lay the ground for fraud and account takeover.
The revised standard specifically identifies enhancements to client-side web security as critical for any business accepting online payments. It mandates that all payment page scripts loaded and executed in the consumer’s browser must be comprehensively managed. Specifically, the new requirement 6.4.3 requires e-commerce vendors to implement:
The new standard requires that merchants examine their policies and procedures to verify that processes are defined for managing all payment page scripts that are loaded and executed in the consumer’s browser. They must also interview responsible personnel and examine inventory records and system configurations to verify that all payment page scripts that are loaded and executed in the consumer’s browser are managed in accordance with all elements specified in this requirement.
In addition, section 11.6 of the revised standard requires that unauthorized changes on payment pages are detected and responded to. This calls for a change- and tamper-detection mechanism that alerts personnel to unauthorized modifications to the HTTP headers and the contents of payment pages as received by the consumer browser. The configuration settings must be examined at least once every seven days or at the frequency defined in the organization’s risk analysis assessment.
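To make the two requirements concrete, here is an added example (not part of the original post and not F5 code) of the server-side half of such a mechanism: it builds a 6.4.3-style inventory of every script on a payment page (external scripts by `src` and SRI attribute, inline scripts by body hash), diffs a later fetch against the authorized baseline, and reports changed security headers as 11.6 asks. The HTML pages, the `https://checkout.example.com` / `https://static.example.org` URLs and the CSP values are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Collect every <script>: external by (src, integrity attr), inline by SHA-256 of its body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(("external", a["src"], a.get("integrity", "no-sri")))
        elif tag == "script":
            self._inline = []                         # start capturing an inline body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            digest = hashlib.sha256("".join(self._inline).encode()).hexdigest()
            self.scripts.append(("inline", "sha256:" + digest, "n/a"))
            self._inline = None

def script_inventory(html):
    p = ScriptInventory(); p.feed(html); p.close()
    return frozenset(p.scripts)

def page_changes(baseline_html, observed_html):
    """6.4.3 check: scripts not in the authorized baseline are unauthorized; missing ones are removed."""
    base, seen = script_inventory(baseline_html), script_inventory(observed_html)
    return {"unauthorized": seen - base, "removed": base - seen}

def header_changes(baseline_headers, observed_headers, watched=("content-security-policy",)):
    """11.6-style check: report watched security headers whose received value differs."""
    b = {k.lower(): v for k, v in baseline_headers.items()}
    o = {k.lower(): v for k, v in observed_headers.items()}
    return {h: (b.get(h), o.get(h)) for h in watched if b.get(h) != o.get(h)}

# Constructed sample data (not from any real site): an approved baseline and a later fetch in
# which the inline snippet was edited and an extra, unapproved external script appeared.
BASELINE_HTML = """<html><head>
<script src="https://checkout.example.com/pay.js" integrity="sha384-AAAA"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body><form id="card"></form></body></html>"""
OBSERVED_HTML = BASELINE_HTML.replace(
    '<script>window.cfg = {currency: "USD"};</script>',
    '<script>window.cfg = {currency: "USD", debug: true};</script>\n'
    '<script src="https://static.example.org/unapproved.js"></script>')
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://checkout.example.com"}
OBSERVED_HEADERS = {"Content-Security-Policy": "script-src 'self' https://checkout.example.com https://static.example.org"}
```

Running `page_changes(BASELINE_HTML, OBSERVED_HTML)` reports the edited inline script and the new external script as unauthorized and the original inline script as removed, while `header_changes` flags the widened CSP; a real deployment would fetch the page and headers as a browser would, on the weekly (or risk-defined) schedule the standard requires.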
Existing detection techniques such as Subresource Integrity (SRI), which performs integrity checks to ensure scripts have not been tampered with, and Content Security Policy (CSP), which limits the locations browsers can load a script from and send data to, are no longer sufficient to protect today’s constantly changing web applications.
There’s no reason to wait until 2025 to comply with the security mandates required by PCI DSS v4.0. Act now to protect your business from attacks and your customers from fraud and account takeover.
F5 Distributed Cloud Client-Side Defense can immediately help you address the new PCI DSS v4.0 requirements and protect against Magecart, formjacking, digital skimming, and PII harvesting attacks by automating the monitoring of web pages for suspicious code, generating actionable alerts, and stopping data exfiltration immediately with one-click mitigation.
For more information on how you can protect your customers’ privacy and your business from compliance violations while maintaining consumer trust and brand reputation, read this solution overview or watch this product demo.