Page 20 - gs250702
Insights and Expertise
Demystifying ecommerce skimming: What merchants need to know

By Chris Bucolo
Aperia Compliance, an IXOPAY company

Earlier this year, attackers quietly exploited a payment processor's API, injecting malicious scripts into legitimate merchant checkout pages and capturing customer credit card data before it was successfully processed. This is just the latest evolution in e-skimming, a threat many merchants still don't fully understand, even as new PCI DSS v4.0.1 requirements attempt to address it.

For merchants, breaches like this can lead to significant financial losses, reputational damage and potential legal liabilities. For customers, it's personal: unauthorized transactions and identity theft.

Scripts, hidden windows of vulnerability

Payment pages today rely on a complex web of scripts for analytics, marketing, form validation and payment processing. These scripts interact with the consumer's browser, often pulling in content from multiple third- or even fourth-party sources. Every added script is a potential open window for attackers.

The guidance on PCI DSS v4.0.1 requirements 6.4.3 and 11.6.1 has changed more than once in just a few months. This has left many acquirers, merchants and their third-party service providers (TPSPs) wondering: do these new requirements apply to me? If so, who's responsible for covering them, me or my TPSP?

The confusion is real, and the risk is growing.

Why the new PCI DSS requirements matter

PCI DSS v4.0.1 addresses e-skimming head-on with two new mandates:
• 6.4.3: Merchants must maintain an inventory of scripts on their payment pages and document why each is necessary.
• 11.6.1: A tamper-detection mechanism must monitor scripts weekly and alert the merchant to unauthorized changes.

These requirements are sound, but implementation often reveals confusion, especially when TPSPs are involved.

TPSPs: Who's doing what?

Many merchants use ecommerce platforms or web hosting partners to manage key elements of their checkout page. But this creates a common vulnerability: miscommunication.

This kind of thing happens all the time. For example, a merchant is using an ecommerce shopping cart supported by a third party. The merchant thinks the TPSP is responsible for patching it; the TPSP assumes it's on the merchant. No one patches it, and that's all it takes for a breach to happen. We see the e-skimming threat in a similar light.

What merchants should be asking

To assess areas of responsibility and potential vulnerability, merchants should ask the following questions:
• Does my ecommerce set-up put those two new requirements in scope for me?

What is PCI DSS v4.0.1?

PCI DSS v4.0.1 introduces two key requirements to combat e-skimming threats on merchant payment pages. Requirement 6.4.3 mandates that merchants maintain an up-to-date inventory of all scripts on their checkout pages and document the business need for each. Requirement 11.6.1 requires implementation of a tamper-detection mechanism that monitors scripts at least weekly and alerts the merchant to unauthorized changes. These updates aim to close security gaps caused by third- and fourth-party scripts, which are often exploited by attackers. However, many merchants remain unclear about responsibility—especially when third-party service providers manage parts of the checkout experience.
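The two requirements above describe a control pair: a documented script inventory (6.4.3) and a check that alerts when the page's scripts drift from it (11.6.1). The following is an added illustration written for this article, not code from the author, Aperia Compliance or the PCI SSC. It uses only Python's standard library, a constructed sample checkout page, and a constructed inventory in which every authorized script carries a business justification; all hostnames, hashes and justifications are placeholders. External scripts are identified by their URL and compared by their Subresource Integrity (SRI) hash, inline scripts by a SHA-256 of their content, and the check reports scripts that are unauthorized, changed, served without SRI, or missing from the page.

```python
"""Hypothetical payment-page script inventory and tamper check (PCI DSS 6.4.3 / 11.6.1 style)."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects every <script> element: external ones by src, inline ones by content."""

    def __init__(self):
        super().__init__()
        self.scripts = []     # one dict per <script> seen
        self._current = None  # the <script> currently open, if any

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "content": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["content"] += data

    def handle_endtag(self, tag):
        if tag.lower() != "script" or self._current is None:
            return
        s = self._current
        # External scripts are keyed by URL; inline scripts by a hash of their body.
        s["key"] = s["src"] if s["src"] is not None else inline_key(s["content"])
        self.scripts.append(s)
        self._current = None


def inline_key(script_text):
    """Stable identifier for an inline script: 'inline:' + SHA-256 of its trimmed body."""
    return "inline:" + hashlib.sha256(script_text.strip().encode("utf-8")).hexdigest()


def extract_scripts(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def check_page(html, inventory):
    """Compare the scripts on a page against the documented inventory.

    Returns a dict of findings:
      unauthorized - scripts on the page with no inventory entry (6.4.3 gap, 11.6.1 alert)
      changed      - external scripts whose SRI hash differs from the inventoried one
      missing_sri  - external scripts served without an integrity attribute
      missing      - inventoried scripts that no longer appear on the page
    """
    findings = {"unauthorized": [], "changed": [], "missing_sri": [], "missing": []}
    seen = set()
    for s in extract_scripts(html):
        key = s["key"]
        seen.add(key)
        entry = inventory.get(key)
        if entry is None:
            findings["unauthorized"].append(key)
            continue
        if s["src"] is not None:
            if s["integrity"] is None:
                findings["missing_sri"].append(key)
            elif entry.get("integrity") and s["integrity"] != entry["integrity"]:
                findings["changed"].append(key)
    findings["missing"] = sorted(k for k in inventory if k not in seen)
    return findings


# Constructed inline validator that the merchant has authorized.
INLINE_VALIDATOR = "window.formValidate = function (f) { return f.cardNumber.length === 16; };"

# Constructed inventory: each authorized script with its documented business need.
SCRIPT_INVENTORY = {
    "https://cdn.psp.example/checkout.js": {
        "justification": "Processor hosted fields; required to tokenize card data",
        "integrity": "sha384-PLACEHOLDER-FROM-INVENTORY",  # placeholder, not a real digest
    },
    "https://analytics.example/tag.js": {
        "justification": "Conversion analytics; approved by marketing",
    },
    inline_key(INLINE_VALIDATOR): {
        "justification": "Client-side card number length check",
    },
}

# Constructed checkout page: two scripts that are not in the inventory appear at the bottom.
PAYMENT_PAGE_HTML = f"""<html><head>
<script src="https://cdn.psp.example/checkout.js" integrity="sha384-PLACEHOLDER-FROM-INVENTORY"></script>
<script src="https://analytics.example/tag.js"></script>
<script>{INLINE_VALIDATOR}</script>
</head><body>
<script src="https://unknown.example/widget.js"></script>
<script>window.__promoBanner = true;</script>
</body></html>"""

if __name__ == "__main__":
    for category, keys in check_page(PAYMENT_PAGE_HTML, SCRIPT_INVENTORY).items():
        print(f"{category}: {keys}")
```

Run weekly (or on every deploy) against the live payment page and store each run's findings, this gives an auditable record for both requirements: the inventory is the 6.4.3 artefact, and a non-empty "unauthorized" or "changed" list is the 11.6.1 alert. The "missing_sri" finding is worth acting on even when nothing else fires, because an external script without an integrity attribute can change at its host without the page itself changing; that is exactly the TPSP-managed blind spot the article describes.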