The payment page of one well-known e-commerce site recently visited by the author contained 16 third-party scripts, including some from companies that are well-known for siphoning personal information. There are security and privacy reasons to provide stronger safeguards from scripts that can be compromised by threat actors to steal payment information.
Effectively managing and overseeing the scripts that operate on websites, particularly those that gather personal data, is crucial. Data protection regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA) have significant implications for the monitoring and governance of webpage scripts. A proactive approach may be a legal obligation as well as maintaining user trust.
Focusing on payment pages, the Payment Card Industry Data Security Standard (PCI DSS) is continuing to improve security, working along with partners and payment brands to keep up with new payment technology and emerging threats. This post will delve into two specific updates within PCI DSS v4.0: requirements 6.4.3 and 11.6.1. These are future dated requirements which will be considered Best Practice until March 2025 and mandatory thereafter.
Requirement 6.4.3: Minimizing Attack Surface on Payment Pages
Overview: This requirement focuses on ensuring that the Payment Page remains secure, particularly concerning the JavaScript components that are present.
Key Components: Managing JavaScript: Every piece of JavaScript present on the Payment Page needs to be closely monitored and managed. Any third-party scripts should be examined for security vulnerabilities.
Regular Audits: Periodic audits of the Payment Page should be conducted to identify and restrict any questionable scripts.
Benefits: By focusing on the proper management of JavaScript on the Payment Page, this requirement aims to reduce potential entry points for malicious actors. This way, the security of credit card data remains uncompromised.
2. Requirement 11.6.1: Detecting Tampering on Payment Pages
Overview: Requirement 11.6.1 ensures that any unauthorized changes or tampering to the Payment Page are quickly detected, and relevant stakeholders are promptly alerted.
Key Components: Continuous Monitoring: Implement mechanisms to continuously monitor the Payment Page for any unauthorized changes.
Alert Mechanisms: In the event of any suspicious or unauthorized changes, the system should automatically generate and send alerts to the security team.
Audit Logs: Maintain detailed logs of all changes made to the Payment Page. This ensures an auditable trail and helps in tracing any unauthorized access or changes.
Benefits: By proactively monitoring and alerting on changes to the Payment Page, organizations can quickly detect and respond to potential security breaches, ensuring the trustworthiness of their payment systems and the safety of customer data.
Conclusion
PCI DSS v4.0, through requirements like 6.4.3 and 11.6.1, stresses the importance of proactive and reactive measures in safeguarding cardholder data. The emphasis on both reducing vulnerabilities on the Payment Page and actively detecting unauthorized changes is a testament to the comprehensive approach that this standard advocates. It’s crucial for organizations to fully grasp and implement these requirements, not just for compliance but to build a culture of cybersecurity and retain the confidence of consumers.
How can your company implement these new requirements? Reach out to AccessIT Group and one of our experts will help you find the right solution.
By: Peter Thornton – Senior Security Consultant – CISSP | HCISPP | ISSMP | PMP | CISA | QSA
Contact us for more information about our cybersecurity solutions.