Preventing Skimming Attacks and Enabling PCI DSS Compliance

E-commerce skimming, also known as form-jacking or Magecart attacks, represents the majority of criminal attacks against payment card data. They are simple to do and are hidden from the merchant or retailer, and the cardholder. It is for this reason that the newest version of PCI DSS now contains requirements aimed at preventing and detecting these types of attacks.

In this blog post, let’s look at these attacks and the steps toward prevention.

Any JavaScript running in a web page can access all data entered into form fields on that page. Criminals, therefore, want to have their own JavaScript loaded into any web page that collects payment card data, because then their own criminal JavaScript can transparently read the cardholder data as it is entered by the cardholder, and silently send the data to a server controlled by the criminal. The attack can remain undetected for many months because it is completely silent and doesn’t interfere with the payment process.

The criminal can either place their malicious script in any JavaScript loaded from the company’s own web servers, or they can insert their malicious script into the supply chain of any JavaScript that is loaded into the consumer browser from a third party or even a fourth party. Therefore the attack surface an e-commerce company has to manage is any JavaScript that is loaded into their web pages - whether that is from their own web servers or from any third parties.

Given the way that modern web applications are built, a web page typically will contain 104 JavaScript libraries loaded from multiple locations. Every JavaScript is a potential entry point for the attacker—which means that the average web application provides dozens of different entry points that can be exploited by criminals.

The Payment Card Industry (PCI) Data Security Standard (DSS) is the industry standard applicable to all organizations that store, process or transmit cardholder data or who can affect the security of cardholder data. It is managed by the Payment Card Industry Security Standards Council (PCI SSC) and enforced by the major card brands such as Visa and Mastercard.

The latest version of PCI DSS (v4.0) contains two new requirements to protect against, and to detect, these E-commerce skimming attacks.

The first of these requirements (6.4.3) aims to prevent these attacks by limiting and managing the attack surface by ensuring that organizations:

• Maintain an inventory of every script on the payment page;

• Ensure each script is approved, and that the reason for the script’s use is documented;

• Ensure the integrity of every script - so that the script loaded into the consumer’s browser hasn’t been tampered with or altered.
  

The second requirement (11.6.1) requires organizations to detect unauthorized modifications (i.e., tampering) of any scripts, and then to produce an alert, so the malicious script can be reviewed by the website owner.

Jscrambler’s client-side security platform enables compliance with both of the new PCI DSS requirements by providing a real-time inventory of scripts, validating the integrity of the script and providing an alert when a script has been tampered with.

Additionally, Jscrambler goes one important step further than the requirement and will terminate the execution of any tampered script, therefore preventing a successful attack. In simple terms, Jscrambler provides JavaScript inventory, management, tamper detection and tamper prevention.

There are, of course, other ways of meeting these requirements such as the use of a Content Security Policy (CSP) to define what scripts can be loaded and Subresource Integrity (SRI), which can validate the integrity of every script. However, practically these solutions are hard to implement and are both difficult and resource-intensive to maintain.

Jscrambler’s Webpage Integrity can be added to even the most complex websites in under a day and requires minimal resources to manage. In fact, an organization can outsource the management and response to any alerts to Jscrambler who are experts in detecting and defeating malicious JavaScript.

This new version of PCI DSS becomes mandatory from 1st April 2024, however, like many of the new requirements in the standard, the ones designed to defeat E-commerce skimming attacks only become mandatory after 1st April 2025. Until that date, they are described as a best practice.

Two high-profile E-commerce skimming attacks have resulted in regulatory action under the GDPR because payment card data is personal data. In the case of British Airways, the skimming code was added to a library located on an internal web server, and in the case of Ticketmaster, the third-party provider of a real-time chat application was targeted by the criminals.

In both cases, the failure of the company to put in place appropriate technical measures to prevent such skimming attacks was found to be a breach of the GDPR’s security principle by the UK’s Information Commissioner’s Office who has commented on “the clear risk of third party scripts within a payment page”.

Although the new requirements in PCI DSS are not mandatory until April 2025, they are indicated as a “best practice” until this date. However regulators are aware of the danger of skimming attacks, and organizations should consider whether, given the state of the art in protecting against such attacks by using products such as Jscrambler’s client-side security platform, implementing such protections in advance of the PCI DSS deadline would be beneficial to meet the test of “appropriateness” in GDPR.

While the path towards compliance might at first seem strenuous, there’s a clear first step to satisfy the new requirements introduced in PCI DSS v4.0: creating an inventory of all JavaScript present in the website.

E-commerce applications contain many JavaScript modules and libraries, any one of which may be attacked by a criminal to include malicious JavaScript. So the first step for any defender is to understand the total JavaScript attack surface and answer these three questions:

• What’s that script for?

• Where is it being loaded from?

• How much do I trust it?
  
  

Jscrambler’s Webpage Integrity creates an inventory of the JavaScript on your E-commerce site in real-time based on what’s seen in the consumer browser. By having an inventory that is kept continuously updated, your organization gets full visibility of its exposure to third-party JavaScript and enables compliance with the new PCI DSS v4.0 requirements.

Take the first step towards client-side security and compliance today by requesting a free website inventory report!