The Payment Card Industry Security Standards Council (PCI SSC), more commonly known as 'PCI', is a collection of major brands, including Visa, MasterCard and AmericanExpress, that issue payment cards.
The PCI SSC oversee the management and enforcement of the Payment Card Industry Data Security Standard (PCI DSS), which outlines security policies, procedures and guidelines that organisations who accept Payment Cards must adhere to.
Any organisation that stores, processes or transmits any Payment Card Data must be PCI DSS compliant to the appropriate level.
As a website operator that accepts payments online, even if you outsource the handling of payments to a Third-Party Service Provider such as Stripe or Square, you must comply with PCI DSS.
Depending on your own assessment of which PCI DSS requirements you must comply with, you will have a varying level of work to complete. For the latest version of PCI DSS, v4.0 released in March 2022, there are a universal set of requirements that will apply to all websites accepting payment online.
These requirements are specifically aimed at tackling the growing threat of Magecart and similar attacks which have cost organisations millions of dollars in fines from privacy regulators alone.
Achieving compliance with the latest PCI DSS v4.0 standard is required of all sites by March 31st 2025. The new standard outlines requirement 6.4.3 that requires "a method is implemented to confirm that each script is authorized" on Payment Pages, and Content Security Policy is both the obvious, and suggested, solution. We can also assist further with requirement 6.4.3 to ensure that "an inventory of all scripts is maintained" with our Script Watch product.
Further to this, requirement 11.6.1 states that a "change and tamper-detection mechanism is deployed" that is able to "alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to ... the contents of payment pages as received by the consumer browser". Again, our Script Watch product can provide change and tamper-detection with its ongoing monitoring of dependencies, and, our Threat Intelligence product will monitor for Indicators of Compromise, helping you comply with significant portions of requirement 11.6.1 easily.
To summarise, we have a selection of features and tools that will help you get started with CSP and work through to enforcing a policy on your payment pages, achieving compliance with the new PCI DSS v4.0 requirements, but please reach out to pci@report-uri.com if you need more information.
With our commitment to helping organisations defend against client-side attacks like Magecart, it was a logical step for us to join the PCI SSC as an Associate Participating Organisation to help drive the PCI DSS forwards.
As an Associate Participating Organisation, we have the ability to directly contribute to and influence draft standards and supporting materials to ensure the continued advancement of payment data security.
You can download our joint Press Release with the PCI SSC for more information.
We often find that creating a CSP is the first difficult step that organisations face. Having a complete list of all resource dependencies across your entire site like images, scripts or styles, from both 1st-party and 3rd-party locations, is tough to achieve.
The CSP Wizard was created to solve this problem, and in seven days or less, it can you give a complete list of all resources used across your entire site.
With the list of all resources you use on your site, and our easy to use tool, creating a viable Content Security Policy is easier than ever with just a few clicks.
All Content Security Policies will need to be tweaked at some point. New resources may be added to the site or old resources removed, and the policy needs to be updated to reflect those changes and kept up to date.
You can import your existing policy into the CSP Builder and use our fully featured tool to make any changes that you require right there in the UI. When you're done, hit Generate, and the CSP Builder will provide you with your new, updated policy.
Script Watch will monitor all JavaScript dependencies across your entire site and immediately notify you of any changes. A new JavaScript dependency could be the start of a Magecart attack.
Because Script Watch leverages the browser native Content Security Policy, there is no code or agent to deploy and running in the browser means we analyse your site in real-time as your users are browsing. We don't have the same limitations as external scanning services such as authentication or pay walls, geo-sensitive content or an attacker potentially serving safe content to the crawler.
Data Watch will monitor all of the locations that your webpages are sending data to. If your website starts sending data to a new location, it could be the start of a Magecart attack.
With Script Watch and Data Watch combined, you can monitor for clear indicators that your site has been compromised. Attackers will always want to inject their hostile JavaScript, and they'll always want to exfiltrate their stolen data.
Script Watch and Data Watch will allow you to rapidly detect and respond to a Magecart attack and combined, that capability puts you ahead of the field. If you want to take it a step further, Content Security Policy can mitigate a Magecart attack and stop it from even happening.
Deploying an effective Content Security Policy can be difficult, but our CSP Reporting allows you to gather feedback and safely test a policy before deployment. Once deployed, an effective Content Security Policy will block a Magecart attack and stop the hostile JavaScript from even running.
We subscribe to various feeds of Threat Intelligence data, along with managing our own internally generated feeds, to keep apprised of the latest threats that exist online.
Using this Threat Intelligence Data, we can better analyse the sources of JavaScript on your website and detect malicious activity sooner.