PCI SSC Europe Community Meeting 2023 in review: E-Skimming, PSPs, and JavaScript Security

The most recent iteration of the PCI SSC Community Meetings happened in Dublin, Ireland, at the end of October.

Participants are now transitioning from education to taking action to achieve PCI DSS v4.0 compliance, showing special concern for the requirements dealing with sensitive data. Jscrambler’s team was once again present at the event and gathered some takeaways that are relevant to share.

E-skimming attacks are advancing. 

Jscrambler’s CTO and co-founder Pedro Fortuna, a member of the PCI Security Standards Council Board of Advisors, gave a presentation on “Securing Different Types of Payment Pages from E-commerce Skimming Attacks”.

New skimming attack patterns have been evolving to circumvent controls and compromise payment page data. Different attack methods are being applied on different payment page builds, either where a payment form is directly embedded on a page or where it is embedded in a page using an iFrame.

Learn more: 12 Checklist Items for Defeating Magecart Attacks.

Jscrambler’s analysts have been busy working on identifying and mitigating these new techniques.

“eSkimming attacks are going beyond simple skimming of the payment form. The parent page or even other pages can be targeted - it’s urgent to take action”.

- Pedro Fortuna, CTO 

PSPs are now in the mix.

Merchants, QSAs (Qualified Security Assessors), and PSPs (Payment Service Providers) are starting to prioritize compliance with PCI DSS v4.0.

Learn more: Preparing QSAs for PCI DSS v4.0.

These concerns are taking center stage and professionals are more aware that they need to wrap their head around the technological needs that will have to be implemented to support compliance.

“PSPs outnumbered QSAs and Merchants in Dublin as opposed to more QSAs and Merchants in Portland. And we see that they’re also looking for a specific solution as well” 

- Carlos Rocha Gonçalves, VP of Growth & Partnerships

Let’s get practical with PCI.

As a Principal Participating Organization of the PCI Security Standards Council (PCI SSC), Jscrambler has been present in several events focused on PCI DSS. In late 2023, Jscrambler achieved PCI-DSS 4.0 version compliance.

From the beginning of 2023, it’s noticeable a significant shift in the landscape. In earlier gatherings, people were just getting acquainted with the latest iteration of PCI DSS and trying to grasp what the 4.0 version had in store, as well as the steps required for compliance.

Fast forward to now, and the clock is ticking loudly. More substantial discussions are now taking center stage. Companies are increasingly focused on this issue, and the pressing concern revolves around carving out budgetary space to accommodate the necessary solutions they'll need to employ.

John Elliott (Security Advisor at Jscrambler) also gave an impactful presentation on managing JavaScript in e-commerce, highlighting the internal processes a company has to put in place to navigate new requirements, including 6.4.3 and 11.6.1. Focusing on how a company needs to manage things is helping clarify the real needs and even identify blindspots that need to be addressed.

“It was notable that many attendees came by our booth with a specific goal in mind - looking for solutions to comply with requirements 6.4.3 and 11.6.1"

- Jeffrey Cleveland, Sales Engineer

Pull back the curtain with vendor Tech Talks.

There were eleven vendors Tech Talks at the event focusing on showcasing how to comply with the latest PCI DSS requirements, with four solution providers presenting solutions specifically for requirements 6.4.3 and 11.6.1. 

Jscrambler’s Tech Talk focused on demonstrating full script visibility and business justification for requirement 6.4.3, and management, control, and alerting for requirement 11.6.1. 

Pedro Fortuna added “As we near the final year of preparation for PCI DSS v4.0, these events become key for decision-making and knowledge sharing.

We are eager to not only help companies develop the right strategies for meeting compliance demands but also to ensure their customer’s safety and privacy are consistently being protected.

We look forward to the upcoming PCI-focused events in 2024, where we will further guide attendees on the latest payment threats and best practices for payment security.”.

Jscrambler can help you answer these two requirements.

Schedule time with a Jscrambler specialist to see a demo that will solve your business needs.

Jscrambler's PCI DSS v4.0 tool helps merchants achieve compliance with requirements 6.4.3 and 11.6.1 and QSAs to validate this compliance.

Join us on November 15 for the first installment of Jscrambler’s Road to PCI DSS v4.0, with our Security Advisor John Elliott’s views on the challenges of managing e-commerce JavaScript.