
PCI DSS & Protecting The eCommerce Payment Ecosystem

Benjamin Hosack
November 11, 2025
5 min read

Tags:

eCommerce
Web Security
Cybersecurity

Protecting the eCommerce Payment Ecosystem

eCommerce businesses are facing a rapidly growing threat targeting their payment data. This has been documented in our ThreatScape Reports over the years - and the most telling number for us is the total number of hacked sites we detect each time we conduct a global scan for threats across our portfolio. This morning's scan reported over 48,000 sites with malware.

eCommerce Malware detected in November 2025

Two months ago it had just passed 40,000.

What is driving this? 

Obviously SessionReaper is a major driver within the Magento/Adobe Commerce ecosystem, but we're also seeing increasing numbers in other platforms.  In other words, based on what we can see, it's not a single vulnerability that is driving the level of data compromise.

With the advances of PCI DSS in other parts of the payments ecosystem, such as Point-to-Point Encryption, the Software Security Framework and the overall maturity of the PCI DSS, criminals are finding it harder to attack their traditional targets of banks, payment processors, hospitality and retail - so their efforts appear to be focusing on the eCommerce ecosystem.

This can be seen in the Foregenix forensic stats over the last decade. A decade ago, nearly half the cases managed by the Foregenix global forensic team were eCommerce; nowadays, it's almost 100%.

Why?

The eCommerce ecosystem is a hugely vibrant, competitive space with a plethora of businesses servicing the industry.  Most of that effort and focus is on driving traffic, converting visitors into customers and, at the most basic level, driving profitability for the online business.

But, very few of the organisations in the eCommerce ecosystem have a solid cyber security understanding.  Some are excellent, many are doing the bare minimum and the rest are doing nothing to protect themselves.

And this makes the industry attractive to criminals.  It is relatively easy for them to operate.

While the PCI DSS has been a feature of life for the last 20 years, this sector has not been very successful in putting even the most basic protections in place, let alone meeting PCI Requirements.

And that's a significant part of the reason we have seen the number of hacked sites we detect growing from ~8,000/month in January 2024 to over 48,000 this month (November 2025).

What are the threats the industry is facing?

The eCommerce sector has seen an evolution of attack-types/methodologies over the last decade.  The most common threats nowadays include:  Digital skimmers (e-skimmers), Digital loaders and in rare situations, supply chain attacks.

With the evolution of cyber defences, we're seeing the cyber criminals changing and evolving their tactics too - and as PCI DSS controls for 6.4.3 and 11.6.1 gather pace, I expect we will see this evolution continue in their bid to evade detection. 

How does PCI DSS play into all of this?

It is simple really: every time an eCommerce site gets breached and fraud is detected, one of the card brands (typically Visa or Mastercard) will contact the merchant, via their processor, and request a forensic investigation or microAssessment.

The results of that microAssessment / forensic investigation are shared with the card brands, who then collate the stats and gain an industry-level perspective on the threats. They then share this information (to some degree) with the working groups at the PCI Security Standards Council to inform the debate and policy development.

The working groups then determine the most appropriate controls to put in place to defend against the threats, update the PCI DSS and notify the industry what they need to do to protect themselves (and be PCI DSS Compliant). 

This is the process that has led us to this point - where we have PCI DSS v4.0.1 released and the supporting guidance for eCommerce merchants.

So, what's happening? Is the industry winning (and getting PCI Compliant)?

Well, that's debatable - from where we sit, the number of hacked sites is growing quickly.  It does not appear as though the industry is winning.  At the moment.

And, to confirm, none of the sites we have investigated through Turaco Labs, or through our partners Foregenix, in the last decade+ have been PCI Compliant.

However, based on what we have learnt over the years from other sectors in the payment card industry (retail, hospitality etc.), the industry does better as technology evolves and as merchants become more security-aware.

The eCommerce industry's time is coming.

On a positive note, awareness is growing and we're seeing action being taken in the industry to get more secure and approach this challenge from a risk management perspective.

Much of that awareness, discussion and traction is currently in relation to PCI Requirement 6.4.3 - Payment Page Script Monitoring.  While this has a lot to do with marketing budgets from the growing number of VC-backed competitors we have in this space - and the broader industry's hope that this will curb the current trajectory - it is positive news - and we believe that the effect on the industry will begin to take shape.

Will this fix the hacked-site problem?

No.

While the new controls (6.4.3 and 11.6.1) target script and HTTP Header monitoring to detect malicious digital skimmers and/or loader scripts, they do not address the core problem:

The website is compromised and cyber criminals have full access.
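To make concrete what the 6.4.3 and 11.6.1 controls actually check (and why they only detect, rather than prevent, a compromise), here is an added Python example written for this article. It is not ThreatView or any Turaco Labs code. It compares the scripts on a checkout page against an authorised inventory and checks the HTTP response for required security headers. The page HTML, the response headers, the host allowlist `AUTHORISED_HOSTS`, the inline-script digest set and the page URL `https://shop.example/checkout` are all constructed sample values.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page, standing in for HTML a monitor would fetch.
SAMPLE_CHECKOUT_HTML = """<!doctype html>
<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/checkout.js"></script>
<script>window.cfg = {currency: "GBP"};</script>
<script src="https://cdn.example-unknown.net/a.js"></script>
</head><body></body></html>
"""

# Constructed sample response headers recorded for the same page.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
}

# Hypothetical authorised inventory: hosts allowed to serve scripts on the
# payment page, and SHA-256 digests of inline scripts expected to be there.
AUTHORISED_HOSTS = {"js.stripe.com", "shop.example"}
AUTHORISED_INLINE_SHA256 = {
    hashlib.sha256(b'window.cfg = {currency: "GBP"};').hexdigest(),
}
# Security headers the header check expects on every checkout response.
REQUIRED_HEADERS = ["Content-Security-Policy", "Strict-Transport-Security"]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies, whitespace-stripped
        self._buffer = None  # accumulates text of the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buffer = []

    def handle_data(self, data):
        if self._buffer is not None:
            self._buffer.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buffer is not None:
            body = "".join(self._buffer).strip()
            if body:
                self.inline.append(body)
            self._buffer = None


def audit_scripts(html, page_url="https://shop.example/checkout"):
    """Return (finding, detail) pairs for scripts not in the authorised inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).netloc
    findings = []
    for src in collector.external:
        # A relative src is served from the page's own origin.
        host = urlparse(src).netloc or page_host
        if host not in AUTHORISED_HOSTS:
            findings.append(("unauthorised-script", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in AUTHORISED_INLINE_SHA256:
            findings.append(("inline-script-changed", digest))
    return findings


def audit_headers(headers):
    """Return the required security headers missing from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print("script finding:", finding)
    for missing in audit_headers(SAMPLE_HEADERS):
        print("missing header:", missing)
```

Run against the constructed page, the script audit flags the one script host that is not in the inventory and the header audit reports the missing Content-Security-Policy. Note what this does not tell you: a monitor like this sees the page as a browser sees it, so it raises an alert only after a skimmer has already been injected, and an attacker with full access to the site can also edit the inventory the monitor trusts. That is why the article treats these controls as one layer among several rather than a fix for the underlying compromise.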

The simple fact is that there is no SILVER BULLET that the industry can deploy - at least not yet.

What is required is a solid approach to managing risk: locking down the website with best practice and putting multiple layers of monitoring and protection in place to make it exceedingly difficult for a criminal to operate undetected on the target website.

Key steps that eCommerce Businesses can take to reduce risk and protect themselves are:

1. Securing Admin Access.

2. Multi-Factor Authentication.

3. Keeping software up-to-date.

4. Implementing Proactive Monitoring (at a minimum including):

  • Malware detection - filesystem and database (PCI 5.2)
  • Real-time Checkout Monitoring (PCI 6.4.3)
  • File Integrity Monitoring - also known as FIM (PCI 11.5.2)
  • Cardholder Data Scans (PCI 3)

5. Deploy a WAF.
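Of the monitoring layers in step 4, file integrity monitoring (PCI 11.5.2) is the one most merchants can reason about directly, so here is an added Python example of how it works: take a SHA-256 baseline of the site's files, rescan later, and report what was added, removed or modified. This is example code written for this article, not Turaco Labs or ThreatView code. The directory layout and file contents in `demo()` are constructed samples, and the `app/` paths are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (as a POSIX relative path) to its SHA-256."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in root.rglob("*")
        if path.is_file()
    }


def compare(baseline, current):
    """Diff two baselines; lists are sorted so reports are stable."""
    baseline_paths, current_paths = set(baseline), set(current)
    return {
        "added": sorted(current_paths - baseline_paths),
        "removed": sorted(baseline_paths - current_paths),
        "modified": sorted(
            p for p in baseline_paths & current_paths if baseline[p] != current[p]
        ),
    }


def demo():
    """Build a constructed site tree, take a baseline, change it, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # Constructed sample files standing in for a site's code and config.
        (root / "app" / "checkout.php").write_text("<?php // constructed sample\n")
        (root / "app" / "config.php").write_text("<?php // constructed config\n")
        baseline = build_baseline(root)

        # Simulated later state: one file edited, one new file, one file gone.
        (root / "app" / "checkout.php").write_text(
            "<?php // constructed sample\n// an extra line added after baseline\n"
        )
        (root / "app" / "extra.php").write_text("<?php // new file after baseline\n")
        (root / "app" / "config.php").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for change_type, paths in report.items():
        for path in paths:
            print(f"{change_type}: {path}")
```

In production the baseline is stored away from the web root (an attacker with full access to the site could otherwise rewrite it), the rescan runs on a schedule, and every change that was not part of a known deployment is treated as an alert to investigate. The same hashing and diffing is what lets the later malware detection layer tell a long-standing file from one that changed last night.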

We outline this approach in a bit more detail in another blog article here: https://www.turacolabs.com/blogs/essential-security-steps-for-ecommerce-website-protection

We are advocates of a security-first approach.  If done well, the site will be secure and PCI DSS Compliance will be one of the natural by-products.

How can we help?

Our ThreatView Advanced solution "bakes" the security monitoring and controls into a website to enable proactive monitoring.  It makes it easy to monitor your site for threats - and to take quick defensive action when a threat is detected.  (and, yes, it simplifies PCI DSS too)

We provide:

  • File Change Monitoring - ThreatView monitors and tracks every file change made to the site (this will support your PCI DSS requirement 11.5.2)
  • Threat Monitoring - malware monitoring for the file system and database (PCI Req 5)
  • Checkout Monitoring - real-time script monitoring - an excellent layer of defence in detecting malicious activity.  And this also supports your PCI DSS 6.4.3 requirement.
  • Basic HTTP Header Monitoring - supporting PCI Req 11.6.1.
  • Payment Data Detection - identifying any unprotected payment data.  Typically either a config issue, or malicious.  This supports PCI Req 3.

If you don't have this level of security monitoring on your website, you can test drive ThreatView Advanced Edition by following this link.

We also HIGHLY recommend you work closely with your developer to get the additional controls outlined above in place.

If you have any questions, please get in touch.
