fbpx
PaymentsJournal
SUBSCRIBE
  • Analysts Coverage
  • Truth In Data
  • Podcasts
  • Videos
  • Industry Opinions
  • COVID-19
  • News
  • Resources
No Result
View All Result
PaymentsJournal
  • Analysts Coverage
  • Truth In Data
  • Podcasts
  • Videos
  • Industry Opinions
  • COVID-19
  • News
  • Resources
No Result
View All Result
PaymentsJournal
No Result
View All Result

PCI DSS v4.0 Compliance: Raising Your Script Security Awareness

Patrick Sullivan by Patrick Sullivan
August 5, 2022
in Data, Featured Content, Industry Opinions, Security
0
Technical Challenge or Business Enabler? Seizing the Opportunity of PCI DSS Compliance

Technical Challenge or Business Enabler? Seizing the Opportunity of PCI DSS Compliance

0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn

Browser security is now mission-critical for any organization that processes payments online. This reality is a key element of the new Payment Card Industry Data Security Standard (PCI DSS) released in March of this year with full implementation required by 2025.

Driven by industry feedback, PCI DSS v4.0 strengthens protection of payment data with new controls designed to address the increasing sophistication of cyberattacks. The latest version introduces many changes designed to promote security as a continuous process, with the ability to evolve as threats change.

A key area of focus for v4.0 is the need to monitor and manage browser scripts as the PCI industry works to stay a step ahead of emerging cyberattack strategies. Scripts play a crucial role in creating the personalized, regionalized experiences that online shoppers expect and demand. However, they are a growing threat vector.

Shifting threat surface

To date, there has been more focus on back-end threats to servers but this is now changing in response to increased risk of front-end browser attacks. The massive Magecart form-jacking attacks that made headlines haven’t gone away—they’ve simply evolved as attackers change tactics and target client-side vulnerabilities in the browser. Malware can be injected into JavaScript code to either skim credit card data or serve up fake payment forms. Preventing this avenue of attack is a major goal of the new security standard.


Specific PCI DSS v4.0 requirements related to browser security include implement methods to confirm that each script is authorized, assure the integrity of each script and maintain an inventory of all scripts with written justification as to why each script is necessary (section 6.4.3); and ensure that unauthorized changes on payment pages are detected and responded to (section 11.6).

Promoting script awareness for PCI DSS Compliance

A key theme is that script awareness needs to be a continuous area of operational focus—not just sporadically, quarterly or annually. Given the tremendous number of scripts running in today’s e-commerce websites, trying to keep track of all script activity—especially changes to scripts—using manual methods is unwieldy, if not impossible. Automating the process of monitoring scripts will reduce the chance of missing any changes that require attention.

Detecting changes in highly dynamic applications is a challenge. You must also understand what has changed, quickly determine the risk of the change, and have a clear protocol or policy defining how to respond. This must all be done without impacting the user experience or adversely impacting the agility of the development teams.

The value of collaboration

While technology plays a role in automating some of these processes, PCI DSS v4.0 also provides another good reason for close collaboration among Fraud, Security, and Risk Management teams. While these groups have tended to operate separately, the unique nature of front-end attacks require a coordinated approach. Ensuring all of these teams are aware of PCI DSS, the particular importance of “script awareness” and solutions available to address the requirements is crucial to ensure compliance and minimize risk.

Of course, technology will play a key role in automating script management. Making sure that solutions from technology partners are themselves PCI DSS compliant is critical. Understanding a partner’s roadmap for compliance with v4.0 will help you evaluate that relationship as the 2025 deadline for implementation approaches. Will they have functionality for inventorying and managing scripts? Will they make it easy to monitor for specific authorized behaviors to identify suspicious scripts while reducing false positives? Do they already have this functionality or does it exist only on a whiteboard?

Your PCI DSS defense starts now

Expanding threats require additional protections. PCI DSS v4.0 lays out a set of new safeguards that can help address the growing threats targeting the payment industry. The new requirements do not become effective until early 2025. But taking steps now to achieve compliance will go a long way to protecting your business and your customers’ data.

Here’s the good news: There are solutions—both technical and operational—to address the challenge. Being vigilant, raising your script security awareness and implementing technology that helps automate and simplify script monitoring and management will position you for PCI DSS v4.0 compliance while helping thwart the card skimmers.

Tags: Akamai Technologiesbrowser scriptsbrowser securityPaymentsPCI-DSStechnology
0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn

    Analyst Coverage, Payments Data, and News Delivered Daily
    Sign up for the PaymentsJournal Newsletter to get exclusive insight and data from Mercator Advisory Group analysts and industry professionals.

    Must Reads

    Account Takeover Fraud Is Getting More Sophisticated. How Can We Beat It?

    How to Protect Consumers from Account Takeover Fraud

    August 8, 2022
    Technical Challenge or Business Enabler? Seizing the Opportunity of PCI DSS Compliance

    PCI DSS v4.0 Compliance: Raising Your Script Security Awareness

    August 5, 2022
    Reexamining Buy Now Pay Later as PayPal Makes a Bigger Move

    Reexamining Buy Now, Pay Later as PayPal Makes a Bigger Move

    August 4, 2022
    Putting AI and Machine Learning to Work Against Fraud for Banks, PSPs, and Merchants

    Putting AI and Machine Learning to Work Against Fraud for Banks, PSPs, and Merchants   

    August 3, 2022
    Global Payments report

    The Global Payments Report from FIS

    August 2, 2022
    Rillion Rebrands and Launches AP Automation in the U.S. Market

    Eliminating month-end reporting headaches with AP automation

    August 1, 2022
    Can Clients Cash in on Your CX Promises?

    Can a Loyal Customer Base Help Banks Ride Out Inflation Threats?

    July 29, 2022
    The Promise of DeFi Lending Services

    The Promise of DeFi Lending Services

    July 28, 2022

    • Advertise With Us
    • About Us
    • Terms of Use
    • Privacy Policy
    • Subscribe
    ADVERTISEMENT
    • Analysts Coverage
    • Truth In Data
    • Podcasts
    • Videos
    • Industry Opinions
    • COVID-19
    • News
    • Resources

    © 2022 PaymentsJournal.com

    • Analysts Coverage
    • Truth In Data
    • Podcasts
    • Industry Opinions
    • Faster Payments
    • News
    • Jobs
    • Events
    No Result
    View All Result