WP Client-Side Protection | PCI 4.0 Compliance | Imperva

Client-Side Protection

Protect against data theft and malicious JavaScript. Designed to meet the needs of businesses aiming to comply with PCI DSS 4.0 standards while defending against client-side attacks and ensuring the security of sensitive customer data.

Secure your client-side and streamline compliance for PCI DSS 4.0

A typical website runs over 30 JavaScript services, creating a blind spot for organizations. Attackers exploit this to inject malicious code and exfiltrate sensitive data in attacks such as Magecart, leading to long-term, devastating data breaches.

Gain visibility and control

Real-time discovery and monitoring of all client-side resources and script behavior ensures complete visibility. Gain control over all first- and third-party JavaScript code embedded on your website.

Reduce risk

Actionable insights make it easy to identify risky resources, headers, and scripts. Continuous monitoring alerts the security team to any new services. And if any JavaScript code is compromised, your security team is the first to know.

Streamline regulatory compliance

Comprehensive inventorying, authorization, dynamic integrity verification, and real-time monitoring streamline regulatory compliance with the new client-side security requirements introduced in PCI DSS 4.0.

How Imperva Client-Side Protection works

Discovery

Continuous discovery of existing and newly added services on your site provides comprehensive visibility into client-side resources and JavaScript, with real-time alerts for newly discovered services. It monitors script changes and flags any service that transfers data. Flexible alerting options are available through email, APIs, or SIEM.

Insights

Actionable insights enable security teams to assess each service swiftly. A domain risk score provides a credibility rating to simplify the assessment of each service, identifying compromised code and obfuscated scripts that may hide malicious activity. AI Explain leverages artificial intelligence to clarify each script’s actions, reducing the time and effort needed by security practitioners.

Enforcement

Easy enforcement options give security teams full control over the client side. Security teams can block or authorize services using a negative or positive security model with one click. A zero-trust approach blocks new services or changes until they are reviewed and authorized. Instant Blocking handles known malicious services out of the box, while Advanced Enforcement offers granular configurations.

PCI 4.0 compliance

The PCI Dashboard addresses PCI DSS 4.0 client-side security requirements by clearly explaining each requirement and identifying related action items. It validates content security policy headers, offers weekly summaries for payment page changes, and helps you stay audit-ready while monitoring compliance-affecting changes easily.

One-click deployment

By leveraging the Imperva Cloud Application Security solution, Client-Side Protection deployment is safe and straightforward, with a fast detection process that starts within minutes. This extra layer of security provides numerous benefits to websites without causing additional latency or requiring any code changes. Most importantly, it will not disrupt the functioning of your website.

Client-Side Protection

As web applications rely more on client-side logic and third-party code, client-side attacks are on the rise. These attacks can steal sensitive customer data, leading to breaches and noncompliance with data privacy regulations. PCI DSS 4.0 addresses this threat with new client-side security requirements. Imperva Client-Side Protection offers comprehensive visibility, actionable insights, and easy controls, enabling security teams to effortlessly manage client-side resources and JavaScript while streamlining compliance with PCI DSS 4.0 requirements 6.4.3 and 11.6.1.

Client-side security is an essential component of modern application security

Modern web applications rely heavily on numerous client-side resources, creating a security blind spot that can lead to data breaches and increased risk of noncompliance with data privacy regulations. Ensure your security team has full visibility and control.

Eliminate the blind spot

99% of websites today use JavaScript services. These are often added without proper vetting and authorization by security, resulting in a blind spot for the business.

Prevent Magecart attacks

Digital skimming attacks like Magecart involve injecting malicious JavaScript into first-party code or the code of third-party services. These can result in long-term, devastating data breaches.

Comply with PCI DSS 4.0

PCI DSS 4.0 introduced two new requirements for client-side security: 6.4.3 and 11.6.1. These require securing payment pages against malicious scripts and unauthorized modification or tampering.

Client-Side Protection FAQs

  • How do client-side attacks like Magecart work?

    These attacks inject malicious JavaScript into first-party or third-party code used on legitimate websites. A single line of malicious code, such as a JavaScript sniffer, is enough. Because this JavaScript runs on the client side, it lets attackers collect sensitive personal information directly from the browser whenever a customer enters data into an online form.

  • How does Client-Side Protection work?

    Imperva Client-Side Protection uses HTTP Content Security Policy (CSP) response headers, which modern browsers widely support. Alongside CSP headers, Client-Side Protection adds a second mechanism that gives more granular control over your service dependencies: Instant Block, which uses JavaScript service worker technology to act as a proxy between the web browser and web servers.

  • Is Imperva Client-Side Protection PCI compliant?

    Yes, the Imperva Application Security platform and its infrastructure are PCI compliant. Client-Side Protection is specifically designed to help organizations meet requirements 6.4.3 and 11.6.1 in PCI DSS 4.0, the latest data security standard version. Complying with these requirements becomes mandatory in April 2025.

  • How does out-of-the-box blocking work?

    Client-Side Protection automatically blocks known malicious domains based on data from the Imperva Threat Research Team. This includes domains identified as high-risk for Magecart, malware, or other malicious activity, ensuring immediate protection without additional configuration.

  • I already have a WAF/RASP. Can’t it block these attacks?

    No. While WAF and RASP are key parts of your security strategy, they only inspect requests made to your server. Malicious client-side code runs directly in the browser, so it never passes through the WAF or RASP.

  • Why can’t I create a Content Security Policy by myself?

    You can, but missing any domain poses a high risk to your website. To mitigate this risk, you need a detailed inventory of every service used on your site, a comprehensive policy covering all of them, and continuous maintenance of that policy as the marketing and development teams update the website. This process can be challenging and time-consuming.

  • Will this break my website?

    Client-Side Protection won’t break your website, nor will it add any latency. Because it is part of the Imperva Application Security Platform, all it takes to get started is a single click to deploy Client-Side Protection. Furthermore, Client-Side Protection first operates in Discovery mode.

  • Will this block my legitimate users?

    No. Blocking a JavaScript domain using CSP only prevents your pages from loading scripts from that specific domain. Your customers will still be able to use your website as usual.
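The mechanics behind the answers above (a CSP `script-src` built from an authorized inventory, a report-only policy for a discovery phase, and the fact that revoking one domain leaves every other source untouched) are shown in this added example. It is not Imperva's code; the page origin, the inventory, and the URLs are constructed, and host matching is a simplified subset of CSP3 source-expression matching (scheme plus host, optional `*.` wildcard), not a full implementation.

```javascript
// Added example, not Imperva's code. Builds a script-src policy from a
// constructed inventory of authorized services and checks which script URLs
// the browser would load under it. Host matching is a simplified subset of
// CSP3 source-expression matching (scheme + host, optional "*." wildcard).
const PAGE_ORIGIN = "https://shop.example"; // constructed first-party origin

const authorizedServices = [ // constructed inventory after security review
  "'self'",
  "https://cdn.example-analytics.com",
  "https://*.trusted-payments.example",
];

// Header to emit. A discovery phase sends Content-Security-Policy-Report-Only,
// so violations are reported to report-uri but nothing is blocked yet.
function buildCspHeader(sources, { reportOnly = false, reportTo = "/csp-report" } = {}) {
  const name = reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  const value = `script-src ${sources.join(" ")}; report-uri ${reportTo}`;
  return { name, value };
}

// Does one source expression match a parsed script URL?
function sourceMatches(source, scriptUrl) {
  if (source === "'self'") return scriptUrl.origin === PAGE_ORIGIN;
  const [scheme, host] = source.split("://");
  if (`${scheme}:` !== scriptUrl.protocol) return false; // https source never matches http
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".trusted-payments.example"; the bare host is not matched
    return scriptUrl.hostname.endsWith(suffix) && scriptUrl.hostname.length > suffix.length;
  }
  return host === scriptUrl.hostname;
}

// Would the browser load this script under the current script-src list?
function isScriptAllowed(sources, url) {
  const scriptUrl = new URL(url);
  return sources.some((s) => sourceMatches(s, scriptUrl));
}

// Revoking one service removes only that entry; every other source still matches.
function revokeService(sources, origin) {
  return sources.filter((s) => s !== origin);
}

// Sample run (constructed URLs): only the unreviewed origin is blocked.
for (const u of ["https://shop.example/js/app.js", "https://unreviewed-cdn.example.net/tag.js"])
  console.log(u, isScriptAllowed(authorizedServices, u) ? "allowed" : "blocked");
```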