A Case Study in PCI DSS Compliance and eSkimming (Client-Side) Security

By Source Defense

The Oregon Zoo’s recent data breach, disclosed on August 22, 2024, is a stark reminder of the critical importance of robust cybersecurity measures in digital transactions. This incident, which potentially compromised the payment card details of over 117,000 visitors, highlights the ongoing challenges organizations face in complying with Payment Card Industry Data Security Standard (PCI DSS) requirements and protecting against sophisticated eSkimming (client-side) attacks.

The Breach and Its Implications

  • Timeframe: December 2023 to June 2024
  • Discovery: June 26, 2024
  • Affected Data: Names, card numbers, CVV codes, and expiration dates
  • Attack Vector: Compromised online ticketing system

The breach, traced to unauthorized activity within the zoo’s third-party vendor ticketing system, bears all of the hallmarks of a traditional eSkimming attack. This type of attack has become increasingly prevalent, as highlighted in the Coalfire paper on holistic approaches to protecting credit card payment flows, as evidenced by repeated warnings from card associations like Visa and Verizon, and by the PCI Security Standards Council’s decision to include eSkimming controls in PCI DSS v4.0.

PCI DSS v4.0 Compliance and the Breach

The timing of this breach is particularly significant given the approaching PCI DSS v4.0 deadline in March 2025. Two critical requirements in PCI DSS v4.0 are directly relevant to this incident:

  1. Requirement 6.4.3: Mandates comprehensive management of all payment page scripts invoked in consumer browsers, including inventory, authorization, integrity assurance, and written justification for each script’s business purpose. 
  2. Requirement 11.6.1: Mandates implementing a mechanism to detect and alert unauthorized modifications to HTTP headers and HTML content of payment pages as rendered in the customer’s browser, with checks performed at least weekly or more frequently based on risk analysis. 
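As an added illustration of what these two requirements ask for in practice (not code from Source Defense or the PCI SSC), the following script compares the scripts on a rendered payment page against an authorized inventory with expected Subresource Integrity hashes (6.4.3) and reports drift in watched HTTP headers (11.6.1). All URLs, hashes and header values are constructed for the example.

```python
"""Payment-page script inventory (PCI DSS 6.4.3) and header drift (11.6.1) check.
Added illustration; all URLs, hashes and header values below are constructed."""
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: str) -> str:
    """Subresource Integrity value (sha384, base64) of inline script text."""
    digest = hashlib.sha384(content.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

class _ScriptCollector(HTMLParser):
    """Collects each <script> tag: its attributes plus any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = dict(attrs, inline="")
    def handle_data(self, data):
        if self._open is not None:
            self._open["inline"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def audit_scripts(html: str, authorized: dict) -> list:
    """6.4.3: each script must be inventoried with its approved SRI hash. `authorized`
    maps external src -> sha384 value, and "inline" -> set of approved inline hashes."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s.get("src")
        if src is None:
            actual = sri_hash(s["inline"])
            if actual not in authorized.get("inline", set()):
                findings.append("unauthorized inline script " + actual[:20])
        elif src not in authorized:
            findings.append("unauthorized script " + src)
        elif s.get("integrity") != authorized[src]:
            findings.append("integrity mismatch for " + src)
    return findings

def header_drift(baseline: dict, observed: dict,
                 watched=("content-security-policy", "strict-transport-security")) -> list:
    """11.6.1: names of watched HTTP headers whose value changed or disappeared."""
    return [h for h in watched if baseline.get(h) != observed.get(h)]
```

Run against a freshly fetched copy of the payment page and its response headers on the schedule the risk analysis sets; any non-empty result is the alert the requirement calls for.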

The Role of eSkimming (Client-Side) Security

Credit card fraud has significantly shifted toward e-commerce since the EMV (Europay, Mastercard, and Visa) liability shift in October 2015, transferring responsibility for fraudulent transactions from card issuers to merchants who hadn’t upgraded to EMV-compliant systems. This trend highlights the critical importance of implementing robust eSkimming (client-side) security measures, particularly for organizations that handle sensitive financial data in online transactions. As cybercriminals adapt their tactics to target vulnerabilities in digital payment systems, businesses must prioritize comprehensive protection of their web applications and customer data entry points to mitigate the evolving risks in the e-commerce landscape.

Key points relevant to this breach that emphasize best practices in cybersecurity include:

  1. Holistic Approach: A comprehensive strategy to protect sensitive data, encompassing server- and client-side security, is needed.
  2. Real-Time Threat Detection: Real-time solutions that can detect and mitigate threats are essential. Many eSkimming attacks are “slow and low,” taking place over a protracted period of time precisely because such solutions aren’t widely used.
  3. Third-Party Script Management: There is a critical need to manage and control third-party scripts, which were likely the attack vector in the Oregon Zoo breach.

Preventative Measures and Best Practices

To prevent similar incidents, organizations should consider the following:

  1. Implement eSkimming (Client-Side) Security Solutions: Adopt platforms that offer comprehensive visibility and control over client-side threats.
  2. Regular Security Assessments: Conduct frequent risk analyses and penetration testing of web applications.
  3. Third-Party Vendor Management: Implement strict controls and monitoring for third-party scripts and services.
  4. PCI DSS v4.0 Compliance: Prioritize meeting the new requirements, particularly 6.4.3 and 11.6.1, well ahead of the March 2025 deadline.

The Oregon Zoo breach underscores the critical importance of robust eSkimming (client-side) security measures in modern e-commerce. Organizations increasingly rely on third-party scripts and complex web applications, so they must adopt comprehensive security solutions to effectively protect against sophisticated attacks like eSkimming.

Source Defense offers a powerful solution to these challenges:

  1. Real-Time Protection: Source Defense’s technology provides real-time monitoring and protection against client-side attacks, allowing organizations to detect and mitigate threats as they occur.
  2. Third-Party Script Management: By offering granular control over third-party scripts, Source Defense helps organizations mitigate the risks associated with external code running on their websites.
  3. Compliance Support: Source Defense’s solutions align with PCI DSS requirements, particularly 6.4.3 and 11.6.1, helping organizations maintain compliance while enhancing their security posture.
  4. Behavioral Analysis: Leveraging advanced behavioral analysis, Source Defense can identify and block malicious activities that might evade traditional security measures.
  5. Reduced Operational Burden: By automating many aspects of client-side security, Source Defense helps organizations enhance their protection without significantly increasing their operational workload.

Implementing a solution like Source Defense can prevent all forms of client-side attacks. As cyber threats evolve, adopting such advanced, behavior-based web application defense solutions becomes not just a best practice but a necessity for organizations handling sensitive customer data.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
