SIMPLIFYING SECURITY AND PCI DSS v4 COMPLIANCE FOR ECOMMERCE WEBSITES
We take care of PCI Reqs 6.4.3, 11.6.1 AND 11.5.2 (and support 3 & 5) for eCommerce merchants
ABOUT THE NEW PCI DSS v4.0 REQUIREMENTS FOR ECOMMERCE MERCHANTS
eCommerce skimming or “Magecart” attacks have become the most prevalent attack method used by criminals to steal payment card data. While some eCommerce platforms have been targeted more than others, all eCommerce companies are considered at risk.
To mitigate this risk, the PCI Security Standards Council released a new version of the PCI DSS (version 4), which contains 2 new requirements to detect and prevent eCommerce skimming attacks:
-
Requirement 6.4.3 - Payment Page Script Inventory and Integrity
-
Requirement 11.6.1 - HTTP Header Monitoring
REQUIREMENT 6.4.3
Payment Page Script Inventory and Integrity
This requirement is designed to ensure that all JavaScript on the payment pages of an eCommerce website are necessary, approved by the merchant and included in an actively maintained inventory.
Additionally, the merchant is required to ensure that the scripts have not been tampered with.
We support PCI 6.4.3 in all versions of ThreatView, including our free Community Edition.
REQUIREMENT 11.6.1
HTTP Header Monitoring.
This requires a tamper-detection mechanism for alerting unauthorized modifications to payment pages or HTTP headers.
We support PCI 11.6.1 in all versions of ThreatView, including our free Community Edition.
EXISTING AND CHALLENGING PCI DSS REQUIREMENTS FOR ECOMMERCE MERCHANTS
In addition to the newly introduced requirements above, there are a few other critically important requirements for eCommerce merchants:
REQUIREMENT 11.5.2
File Change Detection - the foundation for detecting and mitigating threats.
Also known in the industry as File Integrity Monitoring (FIM).
This requirement is designed to alert the merchant to unauthorized modification (including changes, additions, and deletions) of critical files within their website.
ThreatView Advanced provides the only eCommerce FIM solution fully integrated with the industry's leading threat detection capability. ThreatView tracks every change made to the site, checking for malicious/high risk code.
File Change Monitoring is fundamental to ThreatView and a critical tool for rapid incident response.
This gives website managers the ability to quickly identify malicious changes, roll them back, or remove introduced malware in seconds.
ThreatView Advanced: eCommerce File Integrity Monitoring (FIM). PCI 11.5.2.
REQUIREMENT 5 - PROTECT SYSTEMS FROM MALWARE
ThreatView provides market-leading malware detection specifically for eCommerce websites.
With ThreatView Advanced Edition deployed an eCommerce site can meet the intent of the PCI DSS Requirement 5 to have an anti-malware solution monitoring the website filesystem and database.
REQUIREMENT 3 - PROTECT STORED ACCOUNT DATA
ThreatView supports PCI Requirement 3 by conducting regular scans for unprotected payment card data.
Unprotected payment card data can be an indication of a configuration/setting error, or potentially malicious activity within the website.
FORENSIC EXPERIENCE AND PCI DSS
Through our experience gained over more than a decade of forensic investigations, it is clear that eCommerce merchants find it challenging to adhere to some of the more technically challenging PCI DSS requirements, especially the requirements outlined above.
However, by having these security controls in place, the eCommerce website will be significantly more adept at handling threats and preventing expensive and challenging data loss scenarios.
RISK AND COMPLIANCE WITH THREATVIEW
While the new requirements are mandatory after 31 March 2025, ThreatView Advanced is able to assist eCommerce merchants with an "out-of-the-box" solution that addresses the new requirements, the aforementioned more challenging requirements and provide the most comprehensive eCommerce threat detection - backed by our breach protection warranty - RIGHT NOW.
ThreatView combines extensive experience in digital forensics with advanced threat detection and mitigation capabilities to protect eCommerce websites AND simplify PCI DSS Compliance.
