Corporate Compliance Insights

New Card Payment Security Standards Are Coming. What Do They Mean for Your Business?

Enhanced requirements seek to limit exposure of users’ payment data — malicious or not

by Uriel Maimon
September 7, 2022
in Compliance, Cybersecurity

In March 2022, the Payment Card Industry Security Standards Council (PCI SSC) published Payment Card Industry Data Security Standard (PCI DSS) Version 4.0 to address emerging threats and market changes. PCI DSS v3.2.1 is retired on March 31, 2024, and the v4.0 requirements that are designated as best practice until then, including the payment page script controls discussed below, become mandatory on March 31, 2025. Learn how this will impact your business.

Like its predecessor, PCI DSS v4.0 is built around 12 requirements that govern how cardholder data is protected wherever it is stored, processed or transmitted, which includes the payment pages where your customers enter card details. These core requirements did not fundamentally change with the latest release. Instead, v4.0 adds flexibility in how they are implemented (the new "customized approach"), strengthens several controls and expects compliance to be maintained as a continuous process rather than demonstrated at a point in time.

Several of the enhancements and amendments seem simple in theory but will require significant resources in practice. One such addition is Requirement 6.4.3. This part of PCI DSS tightens the rules for payment page scripts, adding requirements for script inventory, script integrity and script authorization, a difficult and significant undertaking if done manually.

Take a walk on the client side

Requirement 6.4.3 of PCI DSS v4.0 establishes the following requirements for all payment page scripts that are loaded and executed in the consumer's browser:

  • A method is implemented to confirm that each script is authorized.
  • A method is implemented to assure the integrity of each script.
  • An inventory of all scripts is maintained, with written business or technical justification as to why each is necessary.

In essence, these requirements entail inventorying all code running on your payment pages, explaining the necessity of each and verifying that authorized code has not changed since determined safe. Manually achieving compliance will likely consume a lot of time, money and internal resources. Here’s why:

  • Lack of visibility at runtime: Payment page scripts run on the client side, so server-side monitoring never sees what they actually do in the browser, least of all code that is fetched or generated dynamically after the page loads. Code modifications, including malicious code injections, can go undetected for weeks.
  • Frequent code changes: Third-party scripts are frequently updated and changed, sometimes without your immediate knowledge. So, even if client-side scripts pass an initial security review, later modifications can introduce new risks. Over 50% of website owners report that their third-party scripts change at least four times a year.
  • Nth-party vendors: Third-party code vendors may themselves pull code from external libraries and other vendors. This lengthens your software supply chain and widens your attack surface: if an nth-party script down the chain is compromised, every site that transitively loads it is exposed.
  • Insufficient security reviews: In software development, speed is often the name of the game, and developers may skip a robust security review if it slows down deployment. Even when an initial review is conducted, it does not cover future script modifications.

Business impact of PCI DSS v4.0

Under PCI DSS, the merchant is accountable for any exposure of customers' payment data on its payment pages, whether the cause is malicious or accidental and whether the offending script is first-party or third-party.

Businesses that are not PCI compliant are at greater risk of a digital skimming, Magecart or supply chain attack. This can cause significant financial losses due to the time and resources spent on remediation, lawsuits and bad press. Furthermore, customers, partnering banks and payment processors may end their business with you after a breach.

In addition, noncompliance can be expensive. PCI DSS itself is a standard rather than an enforcer, but the card brands can impose fines on acquiring banks, which pass them on to the merchant; commonly cited figures run up to $500,000 per incident, depending on the size of the company and the scope of the violation. Receiving a noncompliance fine can damage customer trust and smear your brand reputation.

By maintaining compliance with PCI DSS 4.0, online businesses can avoid fines and reputation damage. This also instills trust in consumers that their payment data is safe on your site.

Legacy solutions are not enough

Traditional code-monitoring solutions can help you comply with PCI DSS v4.0, but most are not sufficient to actually detect and prevent all JavaScript attacks. There is an entire skimming-as-a-service industry selling skimmer kits whose malicious scripts are built to evade traditional detection tools. Some examples of common controls, and where each falls short:

  • Static code analysis or static application security testing (SAST) examines source code before a program is run, but sophisticated attackers write malicious code that only activates in real environments, for example by checking for a checkout URL, a real browser or the absence of developer tools, and that stays dormant while it is being analyzed.
  • External scanners analyze script behavior in an external sandbox to offer immediate visibility without having to deploy anything to your site. However, they only capture a moment-in-time snapshot and miss code that loads dynamically in a real user's browser or that behaves differently when it detects the scanner.
  • Content security policy (CSP) lets you enforce an allow list of origins from which scripts may be loaded and, through directives such as connect-src and form-action, of destinations to which data may be sent; inline scripts must additionally carry a per-response nonce or a hash. Unfortunately, CSP is difficult to manage, and bad actors can bypass a broad allow list by hosting their code on a domain it already trusts, for example on a shared CDN, a user-upload bucket or a compromised third-party vendor.
  • Payment iframes allow a payment form hosted by a third party to be embedded within a brand's webpage. Iframes are considered a secure method for achieving PCI DSS compliance because the browser's same-origin policy isolates the form from the surrounding page, but an attacker who controls the parent page does not need to break that isolation: malicious script there can overlay a look-alike form on top of the iframe or replace the iframe with one pointing at an attacker-controlled page, and skim the card data that way.
  • Behavioral monitoring automates inventorying and baselines client-side script behavior to flag anomalous activity in every user session. Behavioral monitoring is the best way to detect malicious code, get visibility into your client-side supply chain and proactively identify potential privacy or PCI compliance issues.
  • JavaScript blocking restricts form field access for client-side JavaScript. It prevents this code from accessing sensitive data, enforcing data security and compliance without disabling the entire script. JavaScript blocking allows website owners to control script access, but on its own it can't identify which scripts should have access to which form fields; that decision has to come from the inventory and its justifications.
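To make the CSP point concrete, the following is an added example, not code from the original article or from any vendor, of a simplified script-src evaluator run against two constructed policies: a host-wide allow list and a path-scoped one with a nonce. The page origin, the CDN host, the script paths and the nonce value are assumptions for the demonstration, and the evaluator deliberately omits ports, hash sources and 'strict-dynamic':

```javascript
// Added example (not from the original article): a simplified evaluator for the
// CSP script-src directive, used to compare a host-wide allow list with a
// path-scoped one plus nonces. Policies, page origin and script URLs are
// constructed. Ports, hash sources, 'strict-dynamic' and scheme-only sources
// are not implemented, so treat this as an illustration of the matching rules,
// not as a CSP engine.

// Return the source expressions of one directive, or null if it is absent.
function parseDirective(policy, name) {
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

// Match one host-source expression against a script URL using the CSP rules:
// an "http:" expression also matches https URLs, "*." matches any subdomain,
// a path ending in "/" is a prefix match, any other path must match exactly,
// and no path at all allows every path on that host.
function hostSourceMatches(expr, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/]+)(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, path] = m;
  const u = new URL(url);
  if (scheme) {
    const s = scheme.toLowerCase() + ":";
    if (u.protocol !== s && !(s === "http:" && u.protocol === "https:")) return false;
  }
  const h = u.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + wanted) : h !== wanted) return false;
  if (!path || path === "/") return true;
  return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
}

// Would this script element run? `script` is { src } for an external script or
// { inline: true } for an inline one; either may carry a nonce attribute.
// script-src falls back to default-src, as in real CSP.
function scriptAllowed(policy, script, pageOrigin) {
  const sources = parseDirective(policy, "script-src") || parseDirective(policy, "default-src");
  if (!sources) return true; // neither directive present: unrestricted
  for (const src of sources) {
    if (script.nonce && src === `'nonce-${script.nonce}'`) return true;
    if (script.inline) {
      if (src === "'unsafe-inline'") return true;
      continue; // inline code otherwise needs a matching nonce
    }
    if (src === "'self'") {
      if (new URL(script.src).origin === pageOrigin) return true;
      continue;
    }
    if (!src.startsWith("'") && hostSourceMatches(src, script.src)) return true;
  }
  return false;
}

const PAGE_ORIGIN = "https://shop.example.com";
// Host-wide allow list: common, easy to write, and exactly what a
// "trusted domain" bypass defeats.
const BROAD = "default-src 'self'; script-src 'self' https://cdn.example.com";
// Path-scoped source plus a per-response nonce for the one inline script.
const TIGHT = "default-src 'self'; script-src 'self' 'nonce-d3Jpd2Vk' https://cdn.example.com/libs/";

// Constructed script elements as they might appear on a checkout page.
const SCRIPTS = {
  library: { src: "https://cdn.example.com/libs/jquery-3.6.0.min.js" },
  // Attacker-controlled file on the same trusted CDN host, for example from a
  // user-upload bucket or an open JSONP endpoint (constructed scenario).
  skimmer: { src: "https://cdn.example.com/uploads/a1b2c3.js" },
  inlineWithNonce: { inline: true, nonce: "d3Jpd2Vk" },
  inlineInjected: { inline: true },
};

function evaluate(policy) {
  const verdicts = {};
  for (const [name, script] of Object.entries(SCRIPTS)) {
    verdicts[name] = scriptAllowed(policy, script, PAGE_ORIGIN);
  }
  return verdicts;
}

console.log("broad policy:", evaluate(BROAD));
console.log("tight policy:", evaluate(TIGHT));
```

The broad policy admits the attacker's file because CSP matches on host, not on content or author; the path-scoped policy rejects it and still lets the nonce-carrying inline script run. Note that even the tight policy trusts whatever the vendor serves under /libs/ today, which is why CSP belongs alongside the integrity check and inventory that 6.4.3 calls for rather than in place of them.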
This article was first published at PerimeterX.com. It is republished here with permission.

Tags: Cyber Risk, Payment Card Industry Data Security Standard (PCI DSS)

Uriel Maimon

Uriel Maimon is VP of emerging products at HUMAN, formerly PerimeterX. He is a specialist in requirement gathering, financial crime, information security, forensics and software design.
