By Source Defense

The increase in eSkimming attacks targeting customer data leaves no room for neglecting security precautions during website redesign projects. Securing your customers’ data at the point of entry (as it is being typed into the forms on your site) should be considered foundational when planning and executing any website redesign.

As websites become more complex and dynamic, eSkimming attacks (also known as client-side attacks, digital skimming, Magecart, etc.) have emerged as a significant threat to the security of customer data. eSkimming attacks targeting customer data entered into payment forms on eCommerce checkout pages increased by 174% in the last half of 2022, according to Visa’s Spring 2023 Biannual Threats Report. The report also noted that nearly 75% of fraud and data breach cases involve these client-side attacks, which exploit the website supply chain partners that help you make your site experience so good for your customers.

Modern websites leverage dozens of 3rd and 4th party digital supply chain partners that are beyond the reach of corporate security and compliance teams. Every day, that digital partner ecosystem puts your organization at risk of data leakage and theft. 

It only takes one 3rd party partner collecting data it shouldn’t or one compromised rogue script to enable cybercriminals to steal your customers’ personal and financial data, destroying your organization’s reputation and threatening its very existence.

The proliferation of JavaScript-based web applications has made these eSkimming attacks even more common, with attackers taking advantage of vulnerabilities in scripts and libraries to launch attacks. The consequences of these client-side attacks can be severe, from data theft and loss of user trust to legal consequences and damage to a company’s reputation. As such, it’s critical for developers and designers to understand the risks of client-side attacks and take steps to prevent them in their projects.

Benefits of Client-Side Security Best Practices

Building security into your website redesign project helps build trust with your customers and establishes your website as a safe and reliable platform. Additionally, a secure website can improve your SEO rankings, leading to increased traffic and sales. With these benefits in mind, investing in a secure website is a wise choice for any online business looking to improve its digital presence.

Website overhauls may help you capture more of your target market. But they can also introduce massive risks to customer data at the point of entry — one of the major blind spots in security that retailers must tackle immediately. To capture that customer data, the average website uses dozens of 3rd party tools. These 3rd party tools are the mechanism by which cybercriminals intercept and steal customer data.

There are different types of attacks aimed at eCommerce websites:

  • Payment card skimming (eSkimming) 
  • Keylogging
  • Form field manipulation
  • Web injection
  • Phishing
  • Content defacement
  • Clickjacking
  • Malware and ransomware distribution
  • Watering hole attacks

eSkimming attacks can be wide-ranging and affect millions of people at once, or they can be highly targeted. This is also one of the reasons it’s so difficult to detect them.

That’s why the latest PCI Security Standards Council standard calls for managing the JavaScript that runs on commerce-oriented pages. PCI DSS v4.0 section 6.4.3 states explicitly in its guidance that payment page scripts that are loaded and executed in the consumer’s browser must be managed as follows:

  1. A method is implemented to confirm that each script is authorized.
  2. An inventory of all scripts is maintained with written justification for why each is necessary.
  3. A method is implemented to assure the integrity of each script.

PCI DSS 11.6.1

PCI section 11.6.1 states that change- and tamper-detection systems should:

  • Be deployed on payment pages to alert personnel to unauthorized modification
  • Evaluate the received HTTP header on the payment page
  • Perform these checks every seven days or periodically

This means you must be alerted when a change has been made to a script operating on your website. Having the technology and resources to get these timely alerts is vital. While PCI is giving you leeway as to how much time you’re allotted to detect and respond to alerts, the question you need to ask yourself is, how much time can you afford to wait before you respond?
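As an added example (not Source Defense’s product code and not the PCI SSC’s own text), the Python script below shows what the three 6.4.3 controls and the 11.6.1 change-detection checks look like when written down against a constructed checkout page: it keeps an inventory of authorized scripts, each with a written justification and a Subresource Integrity hash, audits one observation of the page for scripts outside the inventory or without the approved integrity attribute, and compares the delivered script bodies and the Content-Security-Policy header against a baseline so that any drift produces an alertable finding. Every URL, script body and header value in it is a constructed placeholder.

```python
"""Added example, not Source Defense code: script inventory plus tamper
check for a payment page (PCI DSS 6.4.3 and 11.6.1 controls). All URLs,
script bodies and header values are constructed for the demo."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a script body (sha256-<base64>)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


# Approved script bodies (constructed) and the inventory derived from them.
APPROVED = {
    "https://shop.example/static/checkout.js": b"console.log('checkout v1');",
    "https://tag.analytics-vendor.test/tag.js": b"window.track = function () {};",
}
INVENTORY = {
    "https://shop.example/static/checkout.js": {
        "justification": "Renders the card form and tokenizes the PAN",
        "integrity": sri_hash(APPROVED["https://shop.example/static/checkout.js"]),
    },
    "https://tag.analytics-vendor.test/tag.js": {
        "justification": "Conversion analytics; must not read form fields",
        "integrity": sri_hash(APPROVED["https://tag.analytics-vendor.test/tag.js"]),
    },
}
# Baseline of the security headers the payment page is expected to send.
BASELINE_HEADERS = {
    "content-security-policy": "script-src 'self' https://tag.analytics-vendor.test; object-src 'none'",
}


class ScriptTags(HTMLParser):
    """Collects (src, integrity) for every external <script> on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html: str, headers: dict, served: dict) -> list:
    """Return findings for one observation of the payment page (empty = OK).
    html: markup as received by the browser; headers: lower-case response
    headers; served: src -> script bytes actually delivered this time."""
    findings = []
    parser = ScriptTags()
    parser.feed(html)
    seen = set()
    for src, integrity in parser.scripts:
        seen.add(src)
        entry = INVENTORY.get(src)
        if entry is None:
            findings.append(f"unauthorized script: {src}")  # 6.4.3: not authorized
            continue
        if integrity != entry["integrity"]:
            # 6.4.3: integrity attribute missing or not the approved hash
            findings.append(f"missing or wrong integrity attribute: {src}")
        body = served.get(src)
        if body is None or sri_hash(body) != entry["integrity"]:
            # 11.6.1: delivered content no longer matches the approved version
            findings.append(f"served content changed: {src}")
    for src in INVENTORY:
        if src not in seen:
            findings.append(f"inventoried script absent from page: {src}")
    for name, expected in BASELINE_HEADERS.items():
        if headers.get(name) != expected:
            # 11.6.1: the received HTTP header differs from the baseline
            findings.append(f"header changed or missing: {name}")
    return findings


def page_html(tags: list) -> str:
    """Build a minimal checkout page from (src, integrity-or-None) pairs."""
    parts = []
    for src, integrity in tags:
        attr = f' integrity="{integrity}"' if integrity else ""
        parts.append(f'<script src="{src}"{attr}></script>')
    return "<html><head>" + "".join(parts) + "</head><body><form id='card'></form></body></html>"


def run_demo() -> dict:
    """Audit a conforming observation and a tampered one; return both results."""
    approved_tags = [(src, INVENTORY[src]["integrity"]) for src in INVENTORY]
    clean = audit_page(page_html(approved_tags), BASELINE_HEADERS, dict(APPROVED))

    # Tampered observation: checkout.js body modified (tag unchanged), an extra
    # un-inventoried script injected, and the CSP header dropped.
    tampered_served = dict(APPROVED)
    tampered_served["https://shop.example/static/checkout.js"] += b"/* modified */"
    injected = "https://unknown-party.test/loader.js"
    tampered_served[injected] = b"/* not approved */"
    tampered = audit_page(page_html(approved_tags + [(injected, None)]), {}, tampered_served)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "no findings")
```

In practice the `served` bodies and `headers` come from fetching the payment page the way a consumer browser would, on the schedule 11.6.1 sets; any non-empty findings list is what should page the on-call team, and the inventory file with its justifications is the artifact an assessor will ask to see.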

Defend Your Digital Enterprise

The best approach to defeating client-side attacks and eliminating client-side risk is by taking a proactive approach and deploying technologies that can stop the attacks before they inflict damage on your business or your visitors. By managing the code running on your web pages and within your visitors’ web browsers, a client-side security platform enables real-time control over what client-side code can and cannot do, stopping even novel and inventive attacks before they can exfiltrate data.

The Source Defense client-side security platform was designed from the ground up to provide not only ironclad security but also burden-free deployment and ongoing use. Source Defense deploys with just two lines of code and is easily added via most popular tag managers. Maintenance and monitoring require only a few hours per month, ensuring that solving a new problem doesn’t stress already over-taxed security teams. Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from eSkimming.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
