Addressing Client-Side Risks in PCI DSS 4.0
It seems like such a short time ago that the Security Standards Council released the newest version of the Payment Card Industry Data Security Standard (PCI DSS). It has been a full year, and version 4.0 is now in effect. Industries that adhere to the Standard were given the year to implement the new changes. The Standard includes limited exceptions for specific requirements, classifying them as best practices until March 31, 2025; however, similar to how rapidly this new Standard became effective, 2025 is not that far away.
Two Requirements of particular interest in the Fortra product line are:
- 6.4.3.a – Examine policies and procedures to verify that processes are defined for managing all payment page scripts that are loaded and executed in the consumer’s browser in accordance with all elements specified in this requirement.
- 11.6.1 – A change- and tamper-detection mechanism is deployed as follows:
  - To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
  - The mechanism is configured to evaluate the received HTTP header and payment page.
Most notably, in these two sections, the new requirement focuses on client-side attacks. It could be surmised that this is because browsers these days are so powerful that they are basically an operating system unto themselves. Many processes happen in the browser to deliver a webpage to an end user, and almost all major websites rely on third-party, first-party, or inline scripts to deliver some or all of their content. So, part of what the new requirement seeks to do is to reduce superfluous scripting, reduce the web application attack surface, and validate the integrity of the scripts that are executed.
Of course, monitoring has always been a cornerstone of security, and every version of PCI DSS has stressed its importance. The new version of the Standard extends monitoring to include alerts and mechanisms for HTTP artefacts, adding controls on the client side, whereas previous requirements focused on server-side security.
The Fortra Web Application Firewall (WAF) goes beyond just monitoring by including mechanisms that prevent tampered, unknown, or unauthorized scripts from running. This approach exceeds PCI requirements and goes beyond other WAFs, which only alert when significant changes to script behavior are observed. It can prevent the execution of malicious scripts intended to steal end users' payment card data, including web skimming attacks such as Magecart. Fortra Managed WAF provides automated compliance and a superior security outcome.
Of course, the Fortra WAF offers customized control of the process, giving you the option to investigate the necessity of a script before it takes any action that might disrupt your payment processing capabilities.
Some of the specific ways that the Fortra WAF helps your organization with PCI DSS compliance include:
- Enhanced client-side protection controls, eliminating both reflected and inline (stored) cross-site scripting (XSS) attacks. Since inline attacks are where most XSS attacks occur, our prevention technology drastically reduces this risk.
- Identification of all inline, first-party, and third-party scripts. This gives app owners a clear understanding of the scope of their attack surface. Authorization and enforcement controls then use content security policies, inline response rewriting, and integrity checks so that only authorized, unmodified content executes.
- Working with our managed SOC when developing new inline active content, so the WAF can be configured to execute only authorized scripts.
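The detection side of Requirement 11.6.1 and the script inventory described in the list above can be illustrated with a small baseline-and-compare routine. This is an added example, not Fortra WAF code: it builds an inventory of a payment page's scripts (external scripts by src and integrity attribute, inline scripts by SHA-256 of their body), then diffs a later received page and its headers against that baseline to report additions, deletions, changes, and header changes. The page content, header values, and the sha384 integrity value are constructed placeholders.

```python
import hashlib
import re

_SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
_ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def script_inventory(html):
    """External scripts -> src plus integrity attr; inline -> SHA-256 of body by position."""
    inventory, inline_n = {}, 0
    for attrs_text, body in _SCRIPT_RE.findall(html):
        attrs = dict(_ATTR_RE.findall(attrs_text))
        if "src" in attrs:
            inventory["src:" + attrs["src"]] = attrs.get("integrity", "no-integrity")
        else:
            inline_n += 1
            inventory[f"inline#{inline_n}"] = hashlib.sha256(body.encode()).hexdigest()
    return inventory

def evaluate(baseline_scripts, baseline_headers, html, headers):
    """Diff what the consumer browser received against the authorized baseline."""
    received = script_inventory(html)
    base_h = {k.lower(): v for k, v in baseline_headers.items()}
    recv_h = {k.lower(): v for k, v in headers.items()}
    return {
        "added": sorted(set(received) - set(baseline_scripts)),
        "removed": sorted(set(baseline_scripts) - set(received)),
        "changed": sorted(k for k in received
                          if k in baseline_scripts and received[k] != baseline_scripts[k]),
        "header_changes": sorted(h for h in set(base_h) | set(recv_h)
                                 if base_h.get(h) != recv_h.get(h)),
    }

# Constructed sample: authorized page and headers captured when the scripts were approved.
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.com/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>document.getElementById("pay").disabled = false;</script>
</head></html>"""
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.com"}
# Constructed sample of a later response: inline script altered, unlisted script added, CSP header gone.
RECEIVED_HTML = """<html><head>
<script src="https://cdn.example.com/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>document.getElementById("pay").disabled = true;</script>
<script src="https://unlisted.example/extra.js"></script>
</head></html>"""
RECEIVED_HEADERS = {}

def sample_findings():
    """Evaluate the constructed received page; every category below should fire except removed."""
    return evaluate(script_inventory(BASELINE_HTML), BASELINE_HEADERS, RECEIVED_HTML, RECEIVED_HEADERS)
```

Each non-empty category is an alert condition under 11.6.1; the "changed" entry for an external script would indicate its integrity attribute was altered or dropped.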
The automated controls and additional protections of the Fortra WAF eliminate compliance complexity and reduce tool sprawl. What truly differentiates the Fortra offering is that it goes beyond the inventory component: it helps you understand and reduce the attack surface, and it enforces against unauthorized scripts. We believe enforcement of approved script execution is essential to achieving the spirit of PCI DSS regulations, which is to protect payment card data that can be stolen in an instant by a malicious script and cannot be retrieved once compromised.
The Security Standards Council was wise to make compliance with Requirements 6.4.3.a and 11.6.1 a best practice, as it provides ample time for organizations to fully test the environment prior to full implementation and prior to it becoming mandatory. With the Fortra WAF, your organization can show the frequency of your monitoring and corrective efforts.
The new version of PCI DSS is in effect, and Fortra has been sharing insights about it since its initial release. If you are new in your DSS compliance journey, or if you are updating your existing environment to adhere to the new Standard, let us be your trusted partner to help you achieve the best results.
To learn more about how we can help you with PCI DSS compliance, contact us here.