Combatting E-Commerce Data Skimming With PCI Standard v4.0
By James Cullen, Senior Cybersecurity Consultant at SureCloud
Published on 30th November 2022
It’s been a relatively long time since the Payment Card Industry (PCI) Security Standards Council released its last update.
Why is this?
Well, it takes organizations a great deal of time, resources and money to implement change, which often leads to projects overrunning and IT teams becoming stretched. For this reason, many organizations will turn to PCI Compliance management services to stay on top of regulations.
However, the PCI SSC recently announced the publication of version 4.0 of the PCI Data Security Standard (PCI DSS). PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect account data. Version 4.0 replaces version 3.2.1 and responds directly to emerging threats and technologies in the card payment space.
The updated standard includes 64 new requirements, 14 of which are documentation and policy-type changes. It has been available since March 2022 and organizations can choose to comply and attest to it immediately.
Version 3.2.1 remains in force until then, but businesses must…
- Make the required changes to achieve or maintain compliance against v4.0 by April 1st 2024, when v3.2.1 is retired
- Implement the future-dated v4.0 requirements, which are considered best practice until then, by April 1st 2025
April 2024 may seem a long time away. However, playing the waiting game isn’t the best course of action when implementing change.
Two key recommendations for PCI DSS v4.0
To make the transition from version 3.2.1 to PCI DSS v4.0 as smooth as possible, we’ve developed two key recommendations for your consideration.
1. Firstly, conduct a full assessment of your current scope. To implement the new changes effectively, we’d recommend reducing your scope in any way possible. Either look at adopting new payment methods or outsourcing certain processes to validated third parties; for example, taking card details through a hosted payment page or iframe supplied by a PCI DSS-validated payment service provider keeps account data out of your own systems. This way, you will only need to implement a selection of the new controls, which will save time, money, and resources.
2. Secondly, you could wait until you ‘have to’ implement these new controls to stay compliant, but we recommend you start the process as soon as possible. Give your team as much time as possible to avoid putting a strain on available resources and, more importantly, to avoid the penalties your acquirer may impose for missing the PCI DSS deadline.
We’ve explored more of the PCI DSS v4.0 changes on our Where Are We Now blog, or head to PCI SSC’s list of v4.0 changes.
The threat landscape continues to evolve
In recent years, criminal behavior has become more sophisticated. As more countries, including the USA, adopt EuroPay, Mastercard, and Visa (EMV) chip technology, card data stolen from physical point of sale (POS) terminals has become much harder to turn into counterfeit cards. Criminals are therefore moving away from POS terminals and turning their attention to ‘skimming’ data from e-commerce sites, where the card is not present and the stolen details can be used directly.
RAM scraping attacks
Previously, attacks predominantly targeted card data stored inside systems and databases, and the advice from experts was to stop storing card data. Attackers responded with RAM scraping: malware on the retail POS terminal reads card details out of random access memory in the short window between the card being read and the data being encrypted. Businesses counter this by encrypting card data inside the payment device itself (point-to-point encryption), so plaintext never reaches the terminal’s memory, and by using 3-D Secure authentication to verify the cardholder with their bank, which makes stolen card data harder to use for online purchases. Both methods of attack worked for a time, but both require a foothold on the merchant’s own infrastructure, which makes the criminals easier to detect.
Skimming card data through web browsers
Criminals favor web browser attacks because they only need to get access once: a single modification to a script on the payment page, or to a third-party script the page loads, is then served to every shopper, and the card data is captured in the browser before it ever reaches the merchant’s or payment provider’s systems. There’s no need for continued attempts to hack a physical terminal, and no persistent access to the merchant’s servers or databases is required.
What are the main benefits of PCI DSS v4.0?
One of the main reasons for the new update is to combat cyber criminals targeting users within their web browser. PCI DSS v4.0 brings a full spectrum of controls to this issue, including preventative, detective and corrective measures.
Requirement 6.4.3 addresses the scripts themselves: every script loaded and executed in the consumer’s browser on the payment page must be authorized, its integrity assured, and recorded in an inventory with a written justification for why it is necessary. Requirement 11.6.1 follows 6.4.3, as it addresses the page while it’s running: a change- and tamper-detection mechanism must alert personnel to unauthorized modification of the HTTP headers and the contents of the payment page as received by the consumer’s browser, and the check must run at least weekly or at the frequency set by your targeted risk analysis. Both requirements are future-dated, so they are best practice until the April 2025 deadline and mandatory after it.
Remember – criminals aren’t just stealing your card details. They can access any personal details you’ve entered on the page.
2. Implement a Content Security Policy (CSP). A CSP tells the browser which origins it may load scripts and other resources from and, through its frame-ancestors directive, which sites may embed the payment page, so a script injected from an unauthorized host is blocked and the payment page cannot be framed inside an unauthorized site
To recap the benefits of PCI DSS v4.0: knowing which scripts run on your payment page is key. From there, you can reduce non-compliance risk, monitor for unauthorized changes, and prevent the loss of customer data.
If you require any further support or advice regarding PCI DSS v4.0, contact SureCloud’s team of experts to find out more here.