Countdown to PCI DSS v4.0 Compliance: What Payments Executives Need to Know


By Rui Ribeiro, CEO and Co-Founder, Jscrambler

2024 was another big year for e-skimming attacks. According to Recorded Future, Magecart or e-skimming incidents increased by 103% in the first half of 2024 compared to previous periods.


One example that may ring a bell with American football fans, especially those in Wisconsin, involved the Green Bay Packers. In early January 2025, the team revealed that malicious code had been discovered on its Pro Shop website, potentially allowing an unauthorized third party to access customer information entered at checkout.

Incidents like this are not rare. They’re becoming increasingly common. According to Jscrambler’s 2024 research, 97% of respondents indicated they know that third-party tags collect sensitive or private information regularly. In addition, 49% admitted that in the previous 12 months, these tags collected data they were not supposed to. This includes site traffic, website form data, login, order, social media information, customer account details, and more.

New PCI DSS v4.0 Compliance Requirements Imminent


Threats like these are why the Payment Card Industry Security Standards Council (PCI SSC) built client-side requirements into PCI DSS v4.0, published in March 2022 as a direct response to the escalating cyber threats targeting payment environments.

With the March 31, 2025 deadline for v4.0's future-dated requirements quickly approaching, any business that stores, processes or transmits cardholder data (CHD), or that could affect the security of the cardholder data environment, must take notice. This includes merchants, payment processors, financial institutions, and service providers. (The PCI SSC published a limited revision, v4.0.1, in June 2024; the requirement numbers and the March 31, 2025 date discussed here are unchanged.)

Understanding Requirements 6.4.3 and 11.6.1

At first glance, v4.0 may appear daunting: it adds over 60 new requirements, most of them future-dated until March 31, 2025. I'm going to make it easier by focusing only on the two that matter most for preventing unauthorized JavaScript manipulation and skimming attacks: 6.4.3 and 11.6.1.

As you begin your journey to compliance, it’s essential to grasp the specifics of these two requirements:

Requirement 6.4.3: Script Management

This requirement covers all payment page scripts that are loaded and executed in the consumer's browser. For businesses, this means:

  • Confirming that each script is authorized and necessary.
  • Assuring the integrity of each script, so that a modified copy is detected or rejected.
  • Maintaining a current inventory of all scripts on payment pages, with a written business or technical justification for each.

To create a script inventory, start by identifying every payment page that collects payment card data. For some merchants this is a single page; for others there are several. Then document each script's name, function, origin (developed in-house or supplied by a third party), the justification for why it is necessary, how and by whom it is authorized, and how its integrity is assured (for example, a Subresource Integrity hash on the script tag, a Content Security Policy, or a tamper-detection service).

Maintaining this inventory is an ongoing process that will help teams identify unauthorized or malicious scripts, ensure ongoing compliance with PCI DSS v4.0, and protect against costly client-side attacks such as Magecart or e-skimming, which continue to grow in frequency:

  • According to Verizon’s 2024 Data Breach Investigations Report, Magecart attacks accounted for 18% of all data breaches in the retail sector.
  • In 2024, Arizona-based retailer SelectBlinds disclosed a massive e-skimming data breach that affected 206,238 customers.

Requirement 11.6.1: Monitoring and Alerting

For this requirement, the emphasis shifts to detecting unauthorized changes to payment pages as the consumer's browser receives them. Here, businesses need to:

  • Deploy a change- and tamper-detection mechanism that covers both the script contents of payment pages and their security-impacting HTTP headers (such as Content-Security-Policy), and that catches additions and deletions as well as modifications of known scripts.
  • Run these checks at least once every seven days, or at a frequency justified by a targeted risk analysis.
  • Ensure the mechanism generates timely alerts that notify personnel of suspected tampering, allowing for rapid response.

Regular checks are crucial, and given the frequency of required checks and the complexity of modern web environments, you should quickly abandon any thoughts of manually sifting through scripts. This approach is impractical, especially considering the number of scripts businesses use today. Instead, companies should adopt automated solutions that enable continuous monitoring. Automation ensures faster issue detection and more efficient responses, helping to meet compliance standards while safeguarding customer data.

Beyond Compliance: Proactive Measures

While achieving PCI DSS v4.0 compliance is a critical milestone, businesses must go further to secure their payment ecosystems. Some actions to consider include:

  • Define script-specific access rules to restrict or allow access to sensitive fields based on business needs. For instance, scripts accessing payment details can be blocked while allowing limited access to non-sensitive data.
  • Implement domain-specific security policies that dynamically adjust to user actions, such as login status or the sensitivity of the data being processed.
  • Employ behavioral controls to limit third-party tag functionality and prevent unauthorized access or data leakage.
  • Use real-time threat mitigation tools to detect and block malicious activity as it happens, which helps protect against advanced threats such as Magecart attacks, keylogging, and credential hijacking.

Building a Secure Future

The March 31, 2025 compliance deadline represents a pivotal moment for the payments industry. However, to stay ahead of cyber threats and deliver seamless, secure payment experiences, businesses should take additional steps beyond the baseline standards of PCI DSS v4.0.

Payment executives must adopt a client-side protection strategy to secure their digital ecosystems fully. By implementing solutions that offer real-time control, continuous visibility, and proactive threat mitigation, businesses can safeguard sensitive customer data, maintain compliance, and uphold their reputations in an increasingly digital world.

About the Author

Rui Ribeiro

Rui Ribeiro is the CEO and co-founder of Jscrambler. An entrepreneur and innovator, he has led the company from a start-up to a leader in client-side web application security. He has co-authored several application security patents and is passionate about helping companies innovate quickly while knowing their applications are secure.
