SIMPLIFYING SECURITY AND PCI DSS v4.0 COMPLIANCE FOR ECOMMERCE WEBSITES
The eCommerce sector is the most targeted sector by cyber criminals in the payment industry
ABOUT THE NEW PCI DSS v4.0 REQUIREMENTS FOR ECOMMERCE MERCHANTS
eCommerce skimming or “Magecart” attacks have become the most prevalent attack method used by criminals to steal payment card data. While some eCommerce platforms have been targeted more than others, all eCommerce companies are considered at risk.
To mitigate this risk, the PCI Security Standards Council released a new version of the PCI DSS (version 4.0), which contains 2 new requirements to detect and prevent eCommerce skimming attacks:
-
Requirement 6.4.3 - Payment Page Script Inventory and Integrity
-
Requirement 11.6.1 - HTTP Header Monitoring
REQUIREMENT 6.4.3
Payment Page Script Inventory and Integrity
This requirement is designed to ensure that all JavaScript on the payment pages of an eCommerce website are necessary, approved by the merchant and included in an actively maintained inventory.
Additionally, the merchant is required to ensure that the scripts have not been tampered with.
REQUIREMENT 11.6.1 - AVAILABLE SOON
HTTP Header Monitoring.
This requires a tamper-detection mechanism for alerting unauthorized modifications to payment pages or HTTP headers.
EXISTING AND CHALLENGING PCI DSS REQUIREMENTS FOR ECOMMERCE MERCHANTS
In addition to the newly introduced requirements above, there are a few other critically important requirements for eCommerce merchants:
REQUIREMENT 10.2.1 - AVAILABLE SOON
Web Access and Error Log collection, correlation and analysis.
An important security control for detecting anomalies and in conducting rapid investigations in breach situations.
REQUIREMENT 10.5.1 - AVAILABLE SOON
Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
REQUIREMENT 11.5.2
File Change Detection
Also known in the industry as File Integrity Monitoring (FIM).
This requirement is designed to alert the merchant to unauthorized modification (including changes, additions, and deletions) of critical files within their website.
FORENSIC EXPERIENCE AND PCI DSS
Through our experience gained over more than a decade of forensic investigations, it is clear that eCommerce merchants find it challenging to adhere to some of the more technically challenging PCI DSS requirements, especially the requirements outlined above.
However, by having these security controls in place, the eCommerce website will be significantly more adept at handling threats and preventing expensive and challenging data loss scenarios.
ThreatView combines extensive experience in digital forensics with advanced threat detection and mitigation capabilities to protect eCommerce websites AND simplify PCI DSS Compliance.
SIMPLIFYING SECURITY AND PCI DSS v4.0 COMPLIANCE FOR ECOMMERCE WEBSITES
RISK AND COMPLIANCE WITH THREATVIEW
While the new requirements are mandatory after 31 March 2025, ThreatView Advanced is able to assist eCommerce merchants with an "out-of-the-box" solution that addresses the new requirements, the aforementioned more challenging requirements and provide the most comprehensive eCommerce threat detection - backed by our breach protection warranty - RIGHT NOW.
