In an increasingly digitized world, new payment channels continue to emerge. Rapid adoption of online ordering, in-app experiences and other digital payments is giving consumers new ways to shop and pay online. But cybercriminals have become digital innovators too, looking for ways to exploit new digital channels and to take advantage of consumers and businesses by launching new attacks and doubling down on proven tactics such as phishing for credentials.
This steady rise in security threats has had a tremendous impact throughout the payments industry. And while investing in innovative technologies such as AI and machine learning can help mitigate payments fraud, understanding where sophisticated attacks may occur and how new tools and protocols protect merchants is critical.
For instance, attacks that abuse the JavaScript running on websites and web applications are a growing concern. To put the impact in perspective, Magecart attacks cost up to $3.2B annually [1], are the primary method for stealing sensitive payment data [2], and account for 18% of all retail breaches [2].
Because of this, merchants that handle payment card data are required to follow industry standards such as PCI DSS, which establishes a foundation of security and trust between customers and the businesses they buy from. A new PCI DSS 4.0 security standard took effect in April 2024, and full enforcement is scheduled for March 2025. PCI DSS 4.0 is critical to building more robust data security measures. If it is not followed, data breaches may result in financial loss, damage to brand reputation, regulatory compliance issues, loss of customer trust and loyalty, and legal risks.
This updated PCI framework introduces significant changes to combat JavaScript-based attacks, including eSkimming, Magecart, clickjacking, and formjacking.
- eSkimming and Magecart target payment card data during online transactions. These attacks often involve injecting malicious code into payment processing pages or compromising third-party scripts to steal payment information, resulting in data theft.
- Clickjacking is an attack in which the attacker deceives a user into clicking on something different from what the user perceives, essentially hijacking their clicks.
- Formjacking is a type of cyberattack where criminals insert malicious code into the forms on legitimate websites, typically e-commerce or payment sites, to steal sensitive data.
All four of these threats target customer-facing web pages and payment pages through JavaScript-based attacks.
The impact of breaches highlights the importance of having robust cybersecurity measures, compliance with industry standards like PCI DSS, and proactive monitoring and response strategies to mitigate threats and protect sensitive data.
PCI DSS 4.0 Requirements
The new PCI DSS standard addresses specific concerns about JavaScript-based attacks and enhances the overall protection of sensitive data, including:
- Requirement 6.4.3: Requires that all payment page scripts are managed. Merchants must implement a method to authorize each script and assure its integrity. They must also maintain an inventory of all payment page scripts, with a justification for each.
- Requirement 11.6.1: Requires merchants to detect and respond to unauthorized changes on payment pages. Businesses must monitor payment page headers for changes at least once every seven days, and must alert on and block all malicious scripts on payment pages.
In PCI DSS v4, requirements 6.4.3 and 11.6.1 expand the scope to include payment page scripts even when the page uses an iframe or a hosted checkout.
PCI DSS is a set of security standards to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The standard includes requirements for building and maintaining a secure network, protecting cardholder data, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. Compliance with PCI DSS is mandatory for any business that manages credit card transactions to ensure payment card data security and prevent data breaches.
How Fiserv can help
To combat these challenges, Fiserv provides solutions that help merchants comply with PCI DSS requirements. Fiserv partnered with Source Defense to offer merchants a comprehensive platform that covers security, compliance, and performance optimization. The platform protects any transaction-oriented website that collects sensitive data. The platform covers three main areas:
- Detection: Safeguards sensitive payment and personal data by promptly identifying threats as soon as they appear, and issues alerts for immediate action.
- Protection: Eliminates the need for constant monitoring and response by automatically blocking potential client-side security threats.
- Compliance: Generates alerts and reports which continuously manage data privacy compliance with customizable policies.
Merchants can also protect sensitive data with the TransArmor P2PE validated solution, which is designed to secure and encrypt payment data. It reduces the risk associated with the loss of cardholder data and helps prevent the loss of brand equity and trust. TransArmor P2PE provides the maximum PCI scope reduction, cutting applicable requirements by 90%.
Conclusion
PCI DSS 4.0 introduces the most significant changes to the PCI DSS standard in over a decade. Two new requirements, 6.4.3 and 11.6.1, must be implemented by March 2025 to ensure compliance with PCI DSS. Now is the opportune moment to adopt a solution that aligns with PCI requirements to monitor, inventory, and provide justification for payment page JavaScript. Additionally, merchants who use hosted web pages or iframes may now fall within the scope of these requirements. By implementing the new PCI DSS 4.0 requirements, organizations can significantly mitigate security threats and safeguard sensitive payment data. Fiserv offers merchant solutions designed to address these new requirements and reduce PCI scope.
Contact us today to learn more about how Fiserv can help merchants adhere to new PCI DSS 4.0 guidelines and protect payment data.
Sources
[1] Annual Payment Fraud Intelligence Report: 2023
[2] ESET Research, Threat Report H2 2023