The Silent Threat of Client-Side Attacks
As more transactions move online, a silent threat is lurking in the deepest, darkest shadows of websites, threatening to steal your sensitive data. This rapidly evolving class of client-side attacks, known by names such as Magecart, formjacking, and online skimming, quietly captures customers’ personal data and credit card information on websites that accept online payments. It is a stealthy risk, and one that organizations should prioritize when planning defenses for their websites and web applications.
PCI DSS Changes: Aiming at Client-Side Attacks
Recent changes to PCI DSS were aimed at addressing client-side attacks, increasing the responsibility of businesses that accept or process online payments. At the moment, the changes are considered best practices. Within two years, they will become mandatory, and organizations will have to meet them to pass an audit and maintain compliance.
Imperva Client-Side Protection: Bolstering Security and Compliance
In this blog post, we will provide a brief refresher on the changes to PCI DSS relating to script management on payment pages, as well as introduce new and upcoming features to Imperva Client-Side Protection. These new features will simplify the process of maintaining compliance with the latest PCI DSS requirements and help organizations bolster their security posture.
Understanding Client-Side Attacks and Their Ramifications
Before we examine the changes to PCI DSS, it’s important to understand how client-side attacks work. Client-side attacks exploit weaknesses in a website’s business logic by injecting malicious code through compromised JavaScript services. The malicious code is most commonly used to capture user data during online transactions, in attacks known as Magecart, formjacking, or online skimming. It is important to note that such an attack, which exfiltrates sensitive data, is essentially a security breach occurring on the client side.
Managing risks associated with client-side attacks, such as the infamous Magecart, is often a formidable challenge. The main reason is the prevalence of third-party services. Today, most websites use a variety of third-party services for functions such as analytics, advertisements, customer support, and more. While these services offer many benefits, they also introduce new vulnerabilities. Each third-party service is a potential entry point for attackers. The more services a website uses, the larger the attack surface becomes.
However, the real problem lies in the fact that these third-party services are often not visible to security teams, because the services are not part of the development cycle. This makes it hard for organizations to keep an inventory of all the third-party services used in their applications, and so the services end up becoming a blind spot.
Because they exploit weaknesses in a website’s software supply chain, client-side attacks are also highly scalable, adding yet another layer of complexity. A single compromise of a widely used JavaScript package lets an attacker reach many users across many sites through the same weakness, gaining access to thousands of sites around the world simultaneously.
The challenges we just mentioned make client-side attacks extremely difficult to detect. Their stealthy nature means these attacks often go undiscovered for long periods, resulting in large-scale data breaches. In turn, this leads to reputational damage and severe financial consequences for the impacted organization. Therefore, PCI DSS recently acknowledged the risk of client-side attacks and added a new requirement directly related to script management.
Breaking Down PCI 6.4.3
As detailed in our previous blog post on this topic, PCI DSS requirement 6.4.3 focuses on the management of scripts that are loaded and executed in the consumer’s browser. It consists of three main components:
- Maintain an inventory of all scripts with written justification as to why each is necessary.
- Implement a method to confirm that each script is authorized.
- Implement a method to assure the integrity of each script.
By addressing these components, organizations can safeguard their web applications against client-side attacks and maintain compliance with PCI DSS 4.0.
While the aforementioned changes are regarded as best practices until March 31, 2025, the growing popularity of this threat makes script management solutions paramount to fortifying your security posture. By taking a proactive approach, organizations can protect customers’ sensitive information and avoid the risks and consequences of a data breach, including non-compliance with data privacy regulations such as GDPR, CCPA, and LGPD.
Imperva Client-Side Protection: Streamlining Compliance with PCI DSS 4.0
We are pleased to announce enhanced functionality within Imperva Client-Side Protection (CSP), aimed at helping organizations address the latest script management requirements on online payment pages. These enhancements significantly streamline the work of maintaining compliance and help businesses meet regulatory standards. They help customers do the following:
- Provide visibility into third-party scripts through continuous discovery and monitoring. This ensures customers can maintain an inventory of all scripts, as well as provide them with the ability to approve and block any of them.
- Understand which scripts are running on their critical paths where sensitive customer data is entered.
- Provide visibility when scripts change. This helps an organization decide whether they need to revalidate a script’s content and if it should continue executing on their website.
- Provide visibility into scripts brought in through the software supply chain. This helps them validate if any inherited scripts that have access to their web applications are maliciously skimming data.
- Get a clear understanding of script behavior. The new AI Explain feature offers a faster way for customers to understand what each script is doing without having to read the script code.
- Authorize specific scripts that the organization wants running on its website(s).
Upcoming features:
- Visibility into first-party scripts and inline scripts that are part of the client side. This will show customers which scripts are exfiltrating data to external sources.
- Visibility into the client-side call chain, helping customers understand whether their first- and third-party scripts are calling other scripts. This will mitigate the risk of a Magecart attack caused by a compromised script in the software supply chain.
These new capabilities enable customers using Imperva Client-Side Protection to effectively address each component of requirement 6.4.3, making compliance easier to manage. This is achieved by providing a comprehensive script inventory, authorization, dynamic integrity verification, and real-time monitoring for all code on payment pages.
About Imperva Client-Side Protection
Imperva Client-Side Protection prevents data theft from client-side attacks like formjacking, Magecart, and other online skimming techniques that often exploit vulnerabilities in the website supply chain. It mitigates the risk of your customers’ most sensitive data landing in the hands of bad actors, resulting in devastating, costly data breaches. By providing clear visibility with actionable insights and easy controls, it empowers your security team to effortlessly determine the nature of each service and block any unapproved ones. Client-Side Protection enables your organization to meet the latest compliance standards, including those set in the latest version of PCI DSS.