Browser security is now mission-critical for any organization that processes payments online. This reality is a key element of the new Payment Card Industry Data Security Standard (PCI DSS) v4.0, released in March 2022. Its future-dated requirements are considered best practice until March 31, 2025, after which they become mandatory.
Driven by industry feedback, PCI DSS v4.0 strengthens protection of payment data with new controls designed to address the increasing sophistication of cyberattacks. The latest version introduces many changes designed to promote security as a continuous process, with the ability to evolve as threats change.
A key area of focus for v4.0 is the need to monitor and manage browser scripts as the PCI industry works to stay a step ahead of emerging cyberattack strategies. Scripts play a crucial role in creating the personalized, regionalized experiences that online shoppers expect and demand. However, they are a growing threat vector.
Shifting threat surface
To date, there has been more focus on back-end threats to servers, but this is now changing in response to the increased risk of front-end attacks in the browser. The massive Magecart formjacking attacks that made headlines haven't gone away; they have simply evolved as attackers change tactics and target the client side. Malicious JavaScript, typically introduced through a compromised first-party or third-party script, can skim card data as the shopper types it or overlay a fake payment form, and the server never sees anything wrong because the theft happens entirely in the browser. Preventing this avenue of attack is a major goal of the new version of the standard.
The PCI DSS v4.0 requirements that address browser security are two future-dated requirements. Requirement 6.4.3 covers all scripts that are loaded and executed in the consumer's browser on payment pages: a method must confirm that each script is authorized, a method must assure the integrity of each script, and an inventory of all such scripts must be maintained with a written justification for why each one is necessary. Requirement 11.6.1 calls for a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer browser, including additions and deletions as well as changes, evaluated at least once every seven days or at the frequency set by the entity's targeted risk analysis.
Promoting script awareness for PCI DSS Compliance
A key theme is that script awareness needs to be a continuous area of operational focus, not something done sporadically, quarterly or annually. Given the tremendous number of scripts running on today's e-commerce websites, trying to keep track of all script activity, especially changes to scripts, using manual methods is unwieldy, if not impossible. Automating script monitoring reduces the chance of missing a change that requires attention.
Detecting changes in highly dynamic applications is a challenge. You must also understand what has changed, quickly determine the risk of the change, and have a clear protocol or policy defining how to respond. This must all be done without impacting the user experience or adversely impacting the agility of the development teams.
The value of collaboration
While technology plays a role in automating some of these processes, PCI DSS v4.0 also provides another good reason for close collaboration among Fraud, Security, and Risk Management teams. These groups have tended to operate separately, but the unique nature of front-end attacks requires a coordinated approach. Ensuring that all of these teams are aware of PCI DSS, the particular importance of "script awareness," and the solutions available to address the requirements is crucial to ensuring compliance and minimizing risk.
Of course, technology will play a key role in automating script management. Making sure that solutions from technology partners are themselves PCI DSS compliant is critical. Understanding a partner's roadmap for v4.0 will help you evaluate that relationship as the March 2025 deadline approaches. Will they have functionality for inventorying and managing scripts? Will they make it easy to monitor for specific authorized behaviors to identify suspicious scripts while reducing false positives? Do they already have this functionality, or does it exist only on a whiteboard?
Your PCI DSS defense starts now
Expanding threats require additional protections. PCI DSS v4.0 lays out a set of new safeguards that can help address the growing threats targeting the payment industry. The script-related requirements are future-dated and do not become mandatory until March 31, 2025, but attackers are not waiting, and taking steps now to achieve compliance will go a long way toward protecting your business and your customers' data.
Here’s the good news: There are solutions—both technical and operational—to address the challenge. Being vigilant, raising your script security awareness and implementing technology that helps automate and simplify script monitoring and management will position you for PCI DSS v4.0 compliance while helping thwart the card skimmers.