The tension between merchants and cybersecurity experts is a longstanding one in the realm of digital payment regulations. While security professionals advocate for more rigorous standards, many merchants—particularly smaller businesses—argue that such measures are financially burdensome. Although the two sides typically reach a middle ground, the path to compromise is often marked by significant friction, sometimes extending well into the rollout phase.
Such has been the case with the introduction of the Payment Card Industry Data Security Standard, which has been in effect since April 1. Now at version 4.0.1, PCI DSS includes a series of updates designed to strengthen payment card security. Among them are adjusted, yet still rigorous, requirements for merchants to secure the scripts running on their websites and bolster browser security.
The threat of malicious scripts on e-commerce platforms is very real. In 2024, hackers leveraging ‘Magecart’ attacks reached unprecedented levels of sophistication, using stealthy techniques to evade detection and deploying tailored malware to targeted sites, according to cybersecurity company Recorded Future.
To combat these evolving threats, the updated standard mandates that merchants validate the integrity of all scripts, maintain a clear inventory, and provide justification for each one’s presence on their payment pages.
The changes sparked considerable backlash. Large merchants often operate with thousands of scripts running simultaneously, while many smaller businesses rely heavily on third-party software loaded with pre-configured scripts—leaving them with little to no insight into what these scripts do or why they’re there.
Another newly introduced requirement called for merchants to monitor and respond to unauthorized changes on payment pages, including alterations to security-relevant HTTP headers and script content. Given that modern websites are dynamically built using content from multiple sources, the PCI Council noted that the only effective way to identify malicious activity is through browser-level monitoring.
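As an added example (not code from the article, from the PCI SSC, or from any firm quoted here), the following Python script shows how the two requirements described above can be operationalized together: an inventory in which every script carries a written justification and an SRI-style integrity hash, a validation pass that flags scripts missing from the inventory, inline scripts, and script content whose hash has drifted, and a baseline comparison that reports changes to security-relevant response headers and to script content. Every URL, header value, page and script body is constructed sample data, and the function names `build_inventory`, `validate_page`, `snapshot` and `detect_changes` are this example's own.

```python
"""Script inventory, integrity validation and change detection for a payment page.
Added example only (not code from the article or the PCI SSC); all data is constructed."""
import base64
import hashlib
import re


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Digest in Subresource Integrity form, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_inventory(approved: dict) -> dict:
    """approved: {url: (justification, body)} -> {url: {justification, integrity}}.
    A script without a written justification is refused outright."""
    inventory = {}
    for url, (justification, body) in approved.items():
        if not justification.strip():
            raise ValueError(f"no justification recorded for {url}")
        inventory[url] = {"justification": justification, "integrity": sri_hash(body)}
    return inventory


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def validate_page(html: str, fetched: dict, inventory: dict) -> list:
    """Check every <script> on the page against the inventory.
    fetched: {url: body} as retrieved at check time. Returns (kind, detail) findings."""
    findings = []
    for attrs, inline in SCRIPT_TAG.findall(html):
        match = SRC_ATTR.search(attrs)
        if not match:
            # Inline code has no URL to inventory; it must be justified separately or removed.
            findings.append(("inline-script", inline.strip()[:40]))
            continue
        url = match.group(1)
        entry = inventory.get(url)
        if entry is None:
            findings.append(("unknown-script", url))
        elif url not in fetched:
            findings.append(("unreachable-script", url))
        elif sri_hash(fetched[url]) != entry["integrity"]:
            findings.append(("integrity-mismatch", url))
    return findings


SECURITY_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def snapshot(headers: dict, fetched: dict) -> dict:
    """State of security-relevant headers and script hashes, used as baseline or current."""
    return {
        "headers": {k.lower(): v for k, v in headers.items() if k.lower() in SECURITY_HEADERS},
        "scripts": {url: sri_hash(body) for url, body in fetched.items()},
    }


def detect_changes(baseline: dict, current: dict) -> list:
    """Report header and script drift between two snapshots as (kind, detail) tuples."""
    changes = []
    for name in SECURITY_HEADERS:
        before, after = baseline["headers"].get(name), current["headers"].get(name)
        if before != after:
            changes.append(("header-removed" if after is None else "header-changed", name))
    for url, digest in current["scripts"].items():
        if url not in baseline["scripts"]:
            changes.append(("script-added", url))
        elif baseline["scripts"][url] != digest:
            changes.append(("script-modified", url))
    changes.extend(("script-removed", u) for u in baseline["scripts"] if u not in current["scripts"])
    return changes


# Constructed sample data: the approved state of a payment page ...
CHECKOUT_JS = b"window.renderCardForm = function () { /* constructed */ };"
ANALYTICS_JS = b"window.track = function () { /* constructed */ };"
APPROVED = {
    "https://shop.example/js/checkout.js": ("Renders the card entry form", CHECKOUT_JS),
    "https://cdn.example/analytics.js": ("Conversion reporting, vendor reviewed", ANALYTICS_JS),
}
INVENTORY = build_inventory(APPROVED)
BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://cdn.example",
    "Strict-Transport-Security": "max-age=31536000",
}
# ... and a later check: analytics.js altered, an unapproved script and an inline
# script present, the CSP loosened and HSTS gone.
CURRENT_HTML = """<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://tags.example-third-party.test/loader.js"></script>
<script>document.querySelector('form')</script>
</head></html>"""
CURRENT_FETCHED = {
    "https://shop.example/js/checkout.js": CHECKOUT_JS,
    "https://cdn.example/analytics.js": ANALYTICS_JS + b"\n/* unexpected appended code */",
    "https://tags.example-third-party.test/loader.js": b"/* never reviewed */",
}
CURRENT_HEADERS = {"Content-Security-Policy": "script-src *"}


def run_demo() -> tuple:
    """Run both checks on the sample data; returns (findings, changes)."""
    findings = validate_page(CURRENT_HTML, CURRENT_FETCHED, INVENTORY)
    baseline = snapshot(BASELINE_HEADERS, {url: body for url, (_, body) in APPROVED.items()})
    changes = detect_changes(baseline, snapshot(CURRENT_HEADERS, CURRENT_FETCHED))
    return findings, changes


if __name__ == "__main__":
    findings, changes = run_demo()
    for kind, detail in findings + changes:
        print(f"{kind:20} {detail}")
```

The example works on script bodies and headers that have already been collected; how they are collected (a headless browser, a crawler, or reports sent by the page itself) is left out, and that choice is exactly what the Council's remark about browser-level monitoring and, later in the article, Sansec's caution about client-side defenses are arguing over. The baseline here comes from the approved inventory rather than from a previous crawl, so a script that was already compromised when monitoring started is still reported.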
In light of industry concerns, the PCI Council revised the guidelines on January 30, easing the original requirements. Merchants are now exempt from the script verification and web page security provisions—provided they can “confirm their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).”
On February 28, the council sought to provide additional clarity, stating that merchants could employ specialized tools aimed at safeguarding payment pages from malicious scripts.
Alternatively, merchants who redirect or outsource payment processing—commonly referred to as ‘SAQ A’ merchants—may rely on their service providers to attest that their systems adequately protect the merchant’s payment pages against script-based attacks.
Despite these clarifications, several compliance professionals expressed frustration with both the substance and timing of the changes. As one user candidly remarked on Reddit last month, “They have to be kidding me. This is a second SAQ A change within a month, and 30 days before coming into effect. Are they mental? I have clients that have implemented controls to be compliant, this has cost money.”
Just weeks before the new requirements were set to be enforced, another commenter voiced frustration, saying, “it’s insanity that we still don’t have clarity.”
Debate continues around the recent changes and how they should be applied in real-world scenarios. Practitioners have raised several concerns—chief among them, how third-party providers are expected to ensure users remain immune to malicious scripts, and whether any will be willing to assume that level of liability.
While such assurances might seem acceptable within compliance circles, the broader information security community has expressed scepticism. “The infosec world was sort of scratching their head a bit and saying, ‘Wait, not susceptible? It’s very difficult to prove anything has zero susceptibility,’” said Adam Bush, a director at audit and assessment firm Schellman. Bush also chairs the PCI SSC Global Executive Assessor Roundtable, a key forum for communication between senior leaders in payment security assessment and the PCI SSC itself.
Protecting end-users through browser-based measures is a complex and often ineffective strategy, according to Sansec, a firm specializing in e-commerce malware and vulnerability detection. Sansec, which offers a free content security policy (CSP) monitoring tool to aid with compliance, cautions against overreliance on client-side defenses.
“In our experience, browser-based security is next to useless,” the company noted in a blog post. “Our forensic investigations of thousands of digital skimming incidents since 2015 show that 99% originate from compromised servers, which can readily bypass client-side protections.” The firm emphasizes that the most effective defense for online merchants is to secure their servers.
Despite the challenges, combating digital skimming remains a critical concern—one that the PCI Council is actively working to address more effectively, said Adam Bush.
Bush said, “If I were to put on my Nostradamus hat and predict what’s going to happen going forward, these conversations are going to continue, because the threat landscape that exists now is so heavily e-commerce centric and it’s difficult to refute this is where the attack vectors and threats lie right now.”
Source Link: https://www.bankinfosecurity.com/digital-skimming-attacks-challenge-latest-pci-dss-version-a-28005