Third-party scripts in e-commerce websites: is payment data at risk?
February 22nd, 2023 | By Jscrambler | 3 min read
Why is the research about Third-Party risk on E-commerce websites important?
The main goal of the research is to highlight the importance of having visibility and control over the scripts that are present on the payment pages, especially on e-commerce websites. Popular e-commerce sites in North America and Europe were selected for analysis in order to understand the scope of the problem and potential points of failure. We looked at the number of scripts on the payment pages controlled by third parties.
Research results, developed by Jscrambler
Our findings indicate that the possible attack surface is huge unless these sites find a way to identify, monitor, and control the behavior of third-party scripts.
For these reports, 20 highly trafficked e-commerce websites with more than $50 million in revenue were selected. They are from diverse industries, including health, personal care, retail, groceries, home goods, consumer electronics, and airlines.
The data collected focused on the payment pages. All data was collected using Jscrambler’s Webpage Integrity, a holistic solution to detect and block, in real-time, malicious behavior on the client side of web applications.
Consider the potential damage if even one script is compromised; now multiply that by 100. Some of these e-commerce companies register hundreds of third-party scripts on their payment pages. We are witnessing a level of risk that demands action.
60% of the analyzed websites have more than 10 different vendors on their payment pages.
On average, 148 scripts are being loaded on the payment page; of these, 58% are third-party.
One of the analyzed websites did not allow the retrieval of data.
80% of the analyzed websites have more than 10 different vendors on their payment pages.
On average, 132 scripts are loaded on the payment page, and of these, 97% are third-party.
All websites allowed the retrieval of data.
In general, it’s important for website owners to carefully consider the use of third-party scripts and to only include those that are necessary for the website to function properly.
Implementing an automated client-side security solution will help in the process of continuously monitoring these “foreign” scripts. Such a solution can also help the website comply with mandatory or recommended regulations.
Preventing Digital Skimming Attacks: what should be done?
Companies need to adopt a proactive approach to client-side security, restricting the behaviors of website scripts to prevent them from tampering with forms and/or leaking sensitive data.
Jscrambler's Approach to Client-Side Security
Jscrambler’s Webpage Integrity (WPI) is a holistic solution to detect and block, in real-time, unauthorized behavior on the client side of web applications.
It prevents the leaking or scraping of sensitive data and protects against web supply chain attacks. WPI also addresses both of the new payment-page requirements in PCI DSS version 4.0.
The PCI DSS v4.0 New Requirements and Client-Side Security
Regulations and standards that aim to protect Personally Identifiable Information (PII) are becoming increasingly prominent, especially regarding the protection of payment pages.
The Payment Card Industry (PCI) Data Security Standard (DSS) is the key standard for all organizations that store, process, or transmit payment card data, and its latest version, 4.0, was released in March 2022. It has 64 new requirements that organizations seeking compliance must fulfill.
In an effort to curtail skimming (Magecart) attacks, two of these requirements focus on the integrity of pages where payment is taken. These are:
Requirement 11.6.1 requires that changes to scripts and page headers on payment pages be detected and that the appropriate alerts be generated.
Try a free trial to gain visibility over your E-commerce website scripts with Jscrambler's Webpage Integrity solution.
Learn more about how Jscrambler can help you effectively manage third-party risk, mitigate payment data risks to your organization, and defend your business from client-side attacks.