Challenging Client-Side Security Protection as a "Silver Bullet"
- Benjamin Hosack
- May 8
- 3 min read
Silver Bullet or Simply Part of a Multi-Layered Defence?
With the new PCI DSS Requirement 6.4.3 for eCommerce sites, much is being said around client-side security solutions to meet the PCI DSS Requirements and to combat digital skimming attacks. However, despite the hype, they fall short of being the industry's "silver bullet".

Understanding Client-Side Security
Client-side security solutions monitor your website's front-end code as it runs in your customers' browsers. These tools use JavaScript sandboxing and behavior analysis to identify and block potentially malicious code. Well-marketed solutions include offerings from Human Security, SourceDefense, JScrambler and Reflectiz.
Addressing the Symptoms Rather Than Root Causes
When malicious code appears on your website, it indicates your infrastructure has already been compromised. While client-side protection might neutralize some malicious front-end code, it does nothing to prevent attackers from infiltrating your system in the first place. Once attackers gain server access, they control:
Your entire customer and order database
All server-side code and business logic
Access paths to internal systems and networks
The ability to modify any code or content
Effective security should focus on preventing and/or detecting unauthorized access to your systems, not just limiting potential damage after a breach occurs.
The Fundamental Issue
While client-side security tools make sense as a layer within a multi-layered defence, they should not be treated as a standalone silver bullet, whatever the fanfare currently accompanying the new PCI 6.4.3 requirements.
Why?
When attackers control your server, they can easily:
Remove the security script completely
Modify security configurations to permit malicious code
Modify the site to enable theft of customer data without detection by client-side solutions
The Supply Chain Threat
Vendors of client-side security often highlight supply chain attacks in their marketing - scenarios where criminals compromise trusted third-party service providers used by multiple merchants.
While these attacks are concerning, especially in light of recent events, our experience and data still show that they are rare. Yes, there have been multiple attacks in the last few years, and security solutions should certainly be monitoring for these threats. But compared with direct server compromises, supply chain attacks are currently a "much rarer event".
At Turaco Labs, our global monitoring shows digital skimming attacks have increased 6-fold over the past two years, affecting hundreds of thousands of online stores, yet only a small percentage involved third-party services. Again, let me reiterate: this threat should not be ignored, and a security solution should be monitoring for these supply chain threats; but in the context of our global statistics, supply chain attacks in the eCommerce world are a much rarer event than the usual suspects.
Our Recommended Approach
To effectively protect against digital skimming, take a multi-layered approach:
Implement robust malware and vulnerability monitoring with ThreatView Advanced Edition
Establish effective patch management procedures
Monitor ALL changes to your website file system
Monitor all scripts launched on the site (and check them for malware payloads)
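The file-system monitoring step above is what catches the server-side tampering a client-side tool cannot see, such as its own script tag being stripped from a page. The following is an added illustration, not code from Turaco Labs or ThreatView: a minimal integrity monitor that hashes a web root, stores a baseline manifest, and reports files added, modified or removed. The web-root layout and file contents in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

Manifest = Dict[str, str]  # relative path -> hex SHA-256 of the file's bytes


def build_manifest(web_root: str) -> Manifest:
    """Hash every regular file below web_root, keyed by its relative POSIX path."""
    root = Path(web_root)
    manifest: Manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Classify every difference from the stored baseline: added, removed, modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: record a baseline of a small web root, then make the kind of
    changes described in the post (protection script tag removed from the page, an
    existing script altered, a new file dropped) and return what the monitor reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        # constructed site: page loads a (placeholder) client-side protection agent
        (root / "index.html").write_text('<script src="/js/csp-agent.js"></script>\n<form id="checkout"></form>\n')
        (root / "js" / "csp-agent.js").write_text("/* placeholder client-side protection agent */\n")
        (root / "js" / "checkout.js").write_text("document.getElementById('checkout');\n")
        baseline = build_manifest(tmp)

        # simulated post-compromise edits by someone with write access to the server
        (root / "index.html").write_text('<form id="checkout"></form>\n')  # agent tag gone
        (root / "js" / "checkout.js").write_text("document.getElementById('checkout'); /* altered */\n")
        (root / "js" / "vendor.js").write_text("// newly dropped file\n")
        return diff_manifests(baseline, build_manifest(tmp))
```

In production the baseline manifest must live (and be signed) somewhere the web server's account cannot write, otherwise an attacker with server access simply rebuilds it after tampering.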
If you're still considering a client-side solution to "tick your PCI 6.4.3 box", perhaps ask potential vendors this critical question: "What does your solution do to prevent my store from being hacked in the first place?"
Focus your security effort on applying a multi-layered defence to your business, one in which you can monitor for threats and protect your online store with comprehensive security.