by Source Defense

Retail business leaders deal with many risks that threaten their businesses’ economic stability and viability. And while physical security measures to protect against things like workplace violence, theft, and in-store fraud are commonplace, most CEOs would be astonished by the amount of material cyber risk that remains on their eCommerce platforms.

That’s right—material risk—the kind of risk that could cost you your customers, impact your company’s bottom line or its ability to continue operating. The security and privacy of your customers’ data is as important to your company’s future as the products you sell. To drive home just how important an issue this is, listen to what consumers say for themselves. Recent surveys show that 78% of consumers would shy away from a retailer if their data is breached.  

A data breach can have devastating consequences for a company that go far beyond the widely cited average cost of about $4 million. Beyond the direct financial loss, it can cause reputational damage and loss of customer trust: in the wake of a breach, customers may question the security of their personal information and hesitate to do business with your company again. Data breaches, and increasingly data leakage (the sharing of information that is regulated by privacy mandates), can also lead to legal liabilities and regulatory fines.

The rise of data regulations, such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), makes it imperative for companies to demonstrate both data security and data privacy compliance through robust web security tools.

Protecting Data at the Point of Entry

You may be familiar with the notions of protecting data in transit (as it traverses your network) and protecting data at rest (as it sits in your data storage systems). So are cybercriminals. They know that those pathways for data theft are hardened, so they have moved to stealing data at the point of input, literally skimming it out of the forms on your eCommerce site as the customer types it, before TLS ever encrypts it and before it reaches any system you monitor. As a result, the material cyber risk to your company starts long before your customer data hits your databases. In fact, your business is liable for the security and privacy of customer data before you even have a chance to use it for business purposes.

That’s right. While you have likely invested in firewalls, intrusion detection systems, and encryption, your first line of defense now actually needs to be at the point of input. One of your greatest vulnerabilities is the web browser that your customer (who may be sitting thousands of miles away from your headquarters or server farm) uses to interact with and make purchases on your web site. The code that you allow to run in every customer shopping session – much of which comes from a large number of 3rd parties integrated into your site – is the weakest point in your security posture. 

The most recent cybercrime studies back this up. According to the Visa Biannual Threats Report, nearly 75% of fraud and data breach cases involved e-commerce merchants. Digital skimming attacks targeting e-commerce platforms and third-party code integrations are common. 

“The targeting of eCommerce platforms and third-party code integrations are among the most common tactics utilized by threat actors conducting digital skimming attacks,” the report states. 

In May 2022, Visa’s Payment Fraud Disruption (PFD) identified a digital skimming campaign in which the threat actors exploited code integrations leveraged by the targeted merchants, such as marketing tools and tracking, that are enabled on the merchant checkout pages. In the incidents investigated by PFD, the third-party marketing tools and scripts were compromised by threat actors, and malicious JavaScript code was embedded into the otherwise legitimate code owned by the third party. The third-party code, which contained a malicious JavaScript skimmer, was then integrated into the merchant checkout page, enabling the threat actors to harvest payment account data entered into the forms on the checkout page.

Hey C-suite, Data Security & Privacy is Your Responsibility

There’s an old saying that leaders can delegate authority but not responsibility. That remains relevant and true in the digital supply chain. Companies can give their supply chain partners authority to operate on their websites, but responsibility for what that 3rd, 4th, and 5th-party code is doing ultimately rests with you.

Your eCommerce site presents a structural security risk that could mean the difference between business success and failure.

In the browser, client-side logic is almost always written in JavaScript, and every script on a page runs with the same access to that page as your own code: it can read what the customer types into any form field, alter what the page shows, and send data to any host the browser will connect to. JavaScript is what all of your 3rd party digital suppliers deliver, including payment card processors, advertising networks, social sharing services, analytics, and more. What’s worse, it executes outside your security perimeter, on the customer’s device, fetched from servers you don’t control, and is vulnerable to a wide range of attacks.

Source Defense Gives You Back Control

As a C-suite executive, you are responsible for everything your company achieves or fails to achieve. The ultimate responsibility for protecting your customers’ data and privacy rests on your shoulders. With digital skimming attacks on the rise, ensuring that your customers’ payment and personal information are protected should be a priority if you want to avoid the dangerous implications of a data breach.

Source Defense forces 3rd party scripts to load within a virtual page isolated from the real page. This isolation lets 3rd parties run in a controlled environment, enabling Source Defense to permit or deny behavior based on best-in-class security protocols, data privacy policies, and standardized rules we have in place.

The virtual pages are an exact replica of the original pages, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activity on the virtual pages. If the activity is within the bounds of what they are allowed to do, we transfer it from the virtual page to the original page. If not, we keep their activity on the virtual page, isolated from the user, and send a report to the eCommerce website owner alerting them to the 3rd party scripts that violated the security policy.

Source Defense prevention solutions can protect your website from the growing threat of digital skimming, Magecart, formjacking, and other eCommerce cyberattacks:

  • Isolate scripts from the page
  • Block harmful activity
  • Apply best practices
  • Securely enhance websites
  • Keep benefiting from 3rd parties

For a free analysis of your eCommerce site, schedule a meeting with one of our experts today.

PCI DSS v4.0 makes client-side security an explicit requirement.

Requirement 6.4.3 calls for every script loaded and executed on payment pages to be authorized, to have its integrity assured, and to appear in an inventory with a written justification for why it is necessary; requirement 11.6.1 calls for a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer browser. Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.