PCI London 2023: Taming the Client-Side Security Frontier
February 7th, 2023 | By Jscrambler | 4 min read
“I don’t have full control and visibility over third-party scripts on my website” is the most common concern we heard from security and risk professionals at PCI London 2023.
The event’s theme, 'Unravelling PCI DSS 4.0: Making the Great Leap Forward', was spot-on, as many people we encountered wanted to understand how the new requirements would impact their business. In more detail:
Requirement 6.4.3 requires that every script loaded and executed in the consumer’s browser on a payment page is inventoried with a written justification, authorized, and covered by a method that assures its integrity.
Requirement 11.6.1 requires a change- and tamper-detection mechanism on payment pages that alerts personnel to unauthorized modification of the HTTP headers and script contents received by the consumer’s browser.
Jscrambler's free PCI DSS 4.0 compliance tool helps merchants meet requirements 6.4.3 and 11.6.1 of PCI DSS v4.0 and helps QSAs validate that compliance.
Insight from InfoSec Leaders About Preparing for PCI DSS v4
Client-side security (what happens in the user’s browser) has typically been a low priority and is poorly understood. Our advice is to start with the fundamentals:
Inventory the third-party scripts running on your payment pages and understand what each one does and why it is there;
Determine which scripts should be allowed to access data in the forms on payment pages, and stop the ones that should not from doing so.
Why is client-side security important?
The client-side is essentially the Wild Wild West of cybersecurity, a mostly untamed frontier that presents a huge vista of risk.
While network and server security have made much progress over the last decade, the user’s browser remains largely lawless territory, even though organizations can be held responsible for data that leaks from it.
A recent survey showed that 99% of security professionals reported their website uses at least one third-party script, and more than 50% believed there was some or a lot of risk associated with it. Over 50% also stated that the third-party scripts running on their web properties change four or more times a year, yet only 34% of respondents said they can detect such changes or updates.
This is consistent with a recent Jscrambler study of 20 highly trafficked US e-commerce websites: one site had 249 third-party scripts loaded on its payment page, and another had 118 third-party domains receiving data from its payment page.
It seems impossible to imagine a world where security teams would let third-party code libraries run amok on their servers. Yet that is precisely what happens on websites every day. The attack surface has silently moved from the confines of corporate infrastructure that InfoSec teams can control to the consumer browser.
It’s time to change that, whether PCI DSS v4 is a concern or not.
Requirements 6.4.3 and 11.6.1: Protecting sensitive data
Requirements 6.4.3 and 11.6.1 won’t be enforced until April 1, 2025, but data is being stolen every day. Lots of it.
A recent study showed that in Q3 2022, nearly 109 million accounts were breached (a 70% increase over the prior quarter), or 14 accounts every second. Consider how much sensitive data people enter into websites every day. It is time to stop the leakage, especially where payment data is a concern.
It can take two years or more to implement a solution that meets the new PCI DSS v4 requirements. For many large enterprises, the timeline will look like this:
2023: Identify gaps and analyze risk, investigate vendor solutions;
2024: Get the budget and resources needed, implement a solution, and refine it;
April 1, 2025: Be prepared to meet the new standards.
We suggest that now is the time to start preventing skimming attacks and accidental data leakage through the browser, so that you are ready for 4.0 and, just as importantly, reduce your risk sooner rather than later.