PaymentsJournal

PCI DSS v4.0 Compliance: Raising Your Script Security Awareness

by Patrick Sullivan
August 5, 2022
in Data, Featured Content, Industry Opinions, Security

Browser security is now mission-critical for any organization that processes payments online. This reality is a key element of PCI DSS v4.0, the new version of the Payment Card Industry Data Security Standard released in March 2022; its future-dated requirements, which include the browser-script controls discussed here, become mandatory on 31 March 2025.

Driven by industry feedback, PCI DSS v4.0 strengthens protection of payment data with new controls designed to address the increasing sophistication of cyberattacks. The latest version introduces many changes designed to promote security as a continuous process, with the ability to evolve as threats change.

A key area of focus for v4.0 is the need to monitor and manage browser scripts as the PCI industry works to stay a step ahead of emerging cyberattack strategies. Scripts play a crucial role in creating the personalized, regionalized experiences that online shoppers expect and demand. However, they are a growing threat vector.

Shifting threat surface

To date, most attention has gone to back-end threats against servers, but this is changing in response to the increased risk of front-end attacks in the browser. The massive Magecart form-jacking attacks that made headlines haven't gone away; they have simply evolved as attackers change tactics and target the client side. By compromising a third-party script or modifying a first-party asset, an attacker can inject JavaScript that either skims card data from the legitimate payment form or serves up a fake one. Preventing this avenue of attack is a major goal of the new standard.

Two PCI DSS v4.0 requirements address browser security directly. Requirement 6.4.3 covers payment page scripts that are loaded and executed in the consumer's browser: each script must be authorized, its integrity must be assured, and an inventory of all such scripts must be maintained with written justification for why each one is necessary. Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer browser, evaluated at least once every seven days or at the frequency defined in the entity's targeted risk analysis. Both are future-dated requirements: best practice until 31 March 2025, mandatory after that.

Promoting script awareness for PCI DSS Compliance

A key theme is that script awareness needs to be a continuous area of operational focus, not something revisited sporadically, quarterly or annually. Given the tremendous number of scripts running in today's e-commerce websites, trying to keep track of all script activity, especially changes to scripts, by manual methods is unwieldy, if not impossible. Automating script monitoring reduces the chance of missing a change that requires attention.

Detecting changes in highly dynamic applications is a challenge. You must also understand what has changed, quickly determine the risk of the change, and have a clear protocol or policy defining how to respond. This must all be done without impacting the user experience or adversely impacting the agility of the development teams.

The value of collaboration

While technology plays a role in automating some of these processes, PCI DSS v4.0 also provides another good reason for close collaboration among Fraud, Security, and Risk Management teams. These groups have tended to operate separately, but the nature of front-end attacks requires a coordinated approach. Making sure all of these teams are aware of PCI DSS, of the particular importance of "script awareness," and of the solutions available to address the requirements is crucial to ensuring compliance and minimizing risk.

Of course, technology will play a key role in automating script management. Making sure that solutions from technology partners are themselves PCI DSS compliant is critical. Understanding a partner’s roadmap for compliance with v4.0 will help you evaluate that relationship as the 2025 deadline for implementation approaches. Will they have functionality for inventorying and managing scripts? Will they make it easy to monitor for specific authorized behaviors to identify suspicious scripts while reducing false positives? Do they already have this functionality or does it exist only on a whiteboard?

Your PCI DSS defense starts now

Expanding threats require additional protections. PCI DSS v4.0 lays out a set of new safeguards that can help address the growing threats targeting the payment industry. The future-dated requirements, including 6.4.3 and 11.6.1, do not become mandatory until 31 March 2025. But taking steps now to achieve compliance will go a long way toward protecting your business and your customers' data.

Here’s the good news: There are solutions—both technical and operational—to address the challenge. Being vigilant, raising your script security awareness and implementing technology that helps automate and simplify script monitoring and management will position you for PCI DSS v4.0 compliance while helping thwart the card skimmers.

Tags: Akamai Technologies, browser scripts, browser security, Payments, PCI-DSS, technology