SIMPLIFYING SECURITY AND PCI DSS v4 COMPLIANCE FOR ECOMMERCE WEBSITES
We provide a free solution to eCommerce merchants supporting PCI 6.4.3 and 11.6.1
ABOUT THE NEW PCI DSS v4.0 REQUIREMENTS FOR ECOMMERCE MERCHANTS
eCommerce skimming or “Magecart” attacks have become the most prevalent attack method used by criminals to steal payment card data. While some eCommerce platforms have been targeted more than others, all eCommerce companies are considered at risk.
To mitigate this risk, the PCI Security Standards Council released a new version of the PCI DSS (version 4.0), which contains 2 new requirements to detect and prevent eCommerce skimming attacks:
-
Requirement 6.4.3 - Payment Page Script Inventory and Integrity
-
Requirement 11.6.1 - HTTP Header Monitoring
REQUIREMENT 6.4.3
Payment Page Script Inventory and Integrity
This requirement is designed to ensure that all JavaScript on the payment pages of an eCommerce website are necessary, approved by the merchant and included in an actively maintained inventory.
Additionally, the merchant is required to ensure that the scripts have not been tampered with.
We support PCI 6.4.3 in all versions of ThreatView, including our free Community Edition.
REQUIREMENT 11.6.1
HTTP Header Monitoring.
This requires a tamper-detection mechanism for alerting unauthorized modifications to payment pages or HTTP headers.
We support PCI 11.6.1 in all versions of ThreatView, including our free Community Edition.
EXISTING AND CHALLENGING PCI DSS REQUIREMENTS FOR ECOMMERCE MERCHANTS
In addition to the newly introduced requirements above, there are a few other critically important requirements for eCommerce merchants:
REQUIREMENT 11.5.2
File Change Detection - the foundation for detecting and mitigating threats.
Also known in the industry as File Integrity Monitoring (FIM).
This requirement is designed to alert the merchant to unauthorized modification (including changes, additions, and deletions) of critical files within their website.
This capability is available through ThreatView Advanced - we track every change made to the site, with every change being checked for malicious/high risk content.
This gives website managers the ability to quickly identify malicious changes, roll them back, or remove introduced malware in seconds.
REQUIREMENT 10.2.1 - AVAILABLE SOON
Web Access and Error Log collection, correlation and analysis.
An important security control for detecting anomalies and in conducting rapid investigations in breach situations.
REQUIREMENT 10.5.1 - AVAILABLE SOON
Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
FORENSIC EXPERIENCE AND PCI DSS
Through our experience gained over more than a decade of forensic investigations, it is clear that eCommerce merchants find it challenging to adhere to some of the more technically challenging PCI DSS requirements, especially the requirements outlined above.
However, by having these security controls in place, the eCommerce website will be significantly more adept at handling threats and preventing expensive and challenging data loss scenarios.
RISK AND COMPLIANCE WITH THREATVIEW
While the new requirements are mandatory after 31 March 2025, ThreatView Advanced is able to assist eCommerce merchants with an "out-of-the-box" solution that addresses the new requirements, the aforementioned more challenging requirements and provide the most comprehensive eCommerce threat detection - backed by our breach protection warranty - RIGHT NOW.
ThreatView combines extensive experience in digital forensics with advanced threat detection and mitigation capabilities to protect eCommerce websites AND simplify PCI DSS Compliance.
