Last-Minute PCI DSS 4.0 Changes Highlight Challenge of Battling Malicious Scripts

Merchants versus security mavens is a story as old as the standard governing digital payments. Security devotees push for stricter standards. Merchants, especially smaller ones, say stricter standards are unaffordable. Usually the two sides work out a compromise, but not before plenty of drama that can continue well into the implementation phase.
So it has been with the rollout of the Payment Card Industry Data Security Standard, in force since April 1. PCI DSS – now at version 4.0.1 – introduces a raft of refinements aimed at locking down payment card security, but softened its hardline requirements that merchants vouch for the scripts running on their websites and for browser-side security.
Malicious scripts loaded into e-commerce pages are a legitimate problem. The data skimming hackers who perform “Magecart” attacks reached new heights of sophistication during 2024, craftily deploying scripts to avoid detection or deliver bespoke malware to e-commerce websites, found cybersecurity firm Recorded Future.
The latest specification tries to get ahead of that, initially by requiring merchants to verify the integrity of all scripts, ensure they are authorized, and inventory and justify every script in use.
Uproar ensued. Large merchants might run thousands of scripts at a time. Many smaller merchants use script-laden third-party software entirely out of the box and have no visibility into what those scripts are doing or why.
Another new requirement called for monitoring for and responding to unauthorized payment page changes, including “to the security-impacting HTTP headers and the script contents of payment pages.” Given how modern web pages are assembled on the fly from numerous sources, the only way to detect malicious activity is in the browser itself, PCI said.
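To make those two requirements concrete, here is an added example (not code from the article, the PCI Council, or any vendor named in it): a small Python check that compares a payment page against an inventory of authorized scripts, each recorded with a purpose and a SHA-384 subresource-integrity digest, and against a baseline of security-impacting response headers. It reports any script that is not in the inventory, any inline or external script whose contents no longer match, and any header that has drifted. The page markup, script contents, header values and host names are all constructed for the demonstration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes) -> str:
    """Subresource-integrity style digest of script content: 'sha384-<base64>'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collect every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands the raw contents of a <script> element to handle_data.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def extract_scripts(html: str) -> list:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def audit_page(html, fetched_bodies, response_headers, inventory, header_baseline) -> list:
    """Return findings for scripts missing from the inventory or whose contents changed,
    and for security-impacting headers that differ from the baseline."""
    findings = []
    inline_ok = {v["integrity"] for k, v in inventory.items() if k.startswith("inline:")}
    for s in extract_scripts(html):
        if s["src"]:
            entry = inventory.get(s["src"])
            if entry is None:
                findings.append(f"unauthorized external script: {s['src']}")
                continue
            body = fetched_bodies.get(s["src"])  # what the browser would actually load
            if body is None:
                findings.append(f"could not fetch {s['src']} to verify integrity")
            elif sri_digest(body) != entry["integrity"]:
                findings.append(f"integrity mismatch: {s['src']}")
            if s["integrity"] != entry["integrity"]:
                findings.append(f"script tag lacks the expected integrity attribute: {s['src']}")
        elif sri_digest(s["body"].strip().encode()) not in inline_ok:
            findings.append("unauthorized or modified inline script: " + s["body"].strip()[:60])
    headers = {k.lower(): v for k, v in response_headers.items()}  # header names are case-insensitive
    for name, expected in header_baseline.items():
        actual = headers.get(name.lower())
        if actual != expected:
            findings.append(f"header drift: {name} expected {expected!r}, got {actual!r}")
    return findings


# ---- constructed sample data (hypothetical hosts, not real services) ----
PSP_SRC = "https://js.psp.example/checkout.js"
CHECKOUT_JS = b"window.PSP = {load: function (cfg) { /* constructed PSP loader */ }};\n"
INLINE_INIT = "PSP.load({merchant: 'demo-merchant'});"

INVENTORY = {
    PSP_SRC: {"purpose": "payment service provider loader", "integrity": sri_digest(CHECKOUT_JS)},
    "inline:psp-init": {"purpose": "initialises the PSP loader", "integrity": sri_digest(INLINE_INIT.encode())},
}
HEADER_BASELINE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.psp.example",
    "X-Frame-Options": "DENY",
}
GOOD_HEADERS = dict(HEADER_BASELINE)
DRIFTED_HEADERS = {**HEADER_BASELINE, "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"}

GOOD_PAGE = (
    '<html><head><script src="' + PSP_SRC + '" integrity="' + INVENTORY[PSP_SRC]["integrity"]
    + '" crossorigin="anonymous"></script></head><body><form id="payment"></form>'
    '<script>' + INLINE_INIT + '</script></body></html>'
)
# Same page with an altered inline script and an extra, uninventoried external script.
TAMPERED_PAGE = GOOD_PAGE.replace(INLINE_INIT, INLINE_INIT + " PSP.debug = true;").replace(
    "</body>", '<script src="https://static.unknown-cdn.test/analytics.js"></script></body>'
)

if __name__ == "__main__":
    print("baseline page:", audit_page(GOOD_PAGE, {PSP_SRC: CHECKOUT_JS}, GOOD_HEADERS, INVENTORY, HEADER_BASELINE))
    for f in audit_page(TAMPERED_PAGE, {PSP_SRC: CHECKOUT_JS}, DRIFTED_HEADERS, INVENTORY, HEADER_BASELINE):
        print("finding:", f)
```

The inventory is the compliance artefact (what each script is and why it is there); the digests turn it into something that can be checked mechanically on every page load or crawl, and the header baseline catches a loosened Content-Security-Policy even when no script tag has changed. Whitespace around inline scripts is normalized only by stripping, so any other edit to an inline script counts as a change.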
In response, the PCI Council on Jan. 30 modified the requirements, removing the script verification and web page security requirements – provided the merchant can “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
The council on Feb. 28 attempted to further clarify what it meant, by stating that merchants can use tools designed to protect payment pages from malicious scripts.
Alternatively, it says sellers who redirect or outsource payment handling – so-called “SAQ A” merchants – can rely on the provider to assert that its approach will “protect the merchant’s payment page from script attacks.”
Multiple compliance professionals also voiced displeasure over the changes, including their timing. “They have to be kidding me,” one posted last month to Reddit. “This is a second SAQ A change within a month, and 30 days before coming into effect. Are they mental? I have clients that have implemented controls to be compliant, this has cost money.”
Weeks before the new rules were set to take effect, “it’s insanity that we still don’t have clarity,” another posted.
An ongoing discussion continues over the changes and how they’re meant to work in practice. Many practitioners have questions, including how third-party service providers are meant to guarantee users will not be susceptible to malicious scripts, and whether any will choose to accept this liability. And while such attestations perhaps sounded fine in the compliance world, “the infosec world was sort of scratching their head a bit and saying, ‘Wait, not susceptible? It’s very difficult to prove anything has zero susceptibility,’” said Adam Bush, a director at audit and assessment firm Schellman. Bush serves as the company’s chair for the PCI SSC Global Executive Assessor Roundtable, which functions as a direct channel for communication between senior leadership of payment security assessors and PCI SSC senior leadership.
Attempting to safeguard clients’ browsers is also a challenging approach, said e-commerce malware and vulnerability detection firm Sansec, which provides a free content security policy monitoring tool for compliance purposes.
“In our experience, browser-based security is next to useless,” the firm said in a blog post. “Our forensic investigations of thousands of digital skimming incidents since 2015 show that 99% originate from compromised servers, which can readily bypass client-side protections.” The best way to protect your store “is to protect your servers,” it said.
Repelling digital skimming attacks clearly remains a difficult problem to solve, albeit one that the PCI Council remains keen to better address, said Bush.
“If I were to put on my Nostradamus hat and predict what’s going to happen going forward, these conversations are going to continue, because the threat landscape that exists now is so heavily e-commerce centric and it’s difficult to refute this is where the attack vectors and threats lie right now,” Bush said.