It feels like just yesterday that the Security Standards Council released the latest version of the Payment Card Industry Data Security Standard (PCI DSS). Now, a full year later, version 4.0 is in effect. Industries following the Standard had this past year to implement the new changes. The Standard includes limited exceptions for specific requirements, classifying them as best practices until March 31, 2025. However, just as quickly as the new Standard became effective, 2025 will be here before we know it.

Two revised requirements that should be of particular interest to those working toward PCI DSS 4.0 compliance include:

  • 6.4.3.a – Examine policies and procedures to verify that processes are defined for managing all payment page scripts that are loaded and executed in the consumer’s browser in accordance with all elements specified in this requirement.
  • 11.6.1 – A change- and tamper-detection mechanism is deployed as follows:
    • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
    • The mechanism is configured to evaluate the received HTTP header and payment page.

Most notably, these two requirements focus on client-side attacks. Browsers have become so powerful that they can be likened to operating systems in their own right, managing numerous internal processes to deliver webpages to end users. Almost all major websites rely on third-party, first-party, or inline scripts to deliver some or all of their content. The new requirements aim to minimize unnecessary scripting, decrease the attack surface of the web application, and verify the integrity of executed scripts.

Monitoring has consistently been a cornerstone of security, emphasized in every iteration of PCI DSS. The latest version of the Standard expands monitoring to encompass alerts and mechanisms for HTTP artifacts, introducing client-side controls that complement the previous server-side security requirements.
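To make the 11.6.1 idea concrete, the following is an added example (not code from Fortra, Alert Logic, or the PCI SSC) that inventories the scripts on a payment page as inline, first-party, or third-party, then compares a received response against an approved baseline. The function names, the choice of watched header, the URLs, and the placeholder integrity value are assumptions constructed for illustration.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

WATCHED = ("content-security-policy",)  # assumption: headers chosen for monitoring
PAGE = "https://shop.example/checkout"  # constructed sample data, not real traffic
BASE_HTML = '<script src="/js/pay.js" integrity="sha384-PLACEHOLDER"></script><script>initForm()</script>'
SEEN_HTML = BASE_HTML + '<script src="https://cdn.invalid/x.js"></script>'

class ScriptCollector(HTMLParser):
    """Inventory every <script> on the page as {identifier: fingerprint}."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.scripts, self._buf = page_url, {}, None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            url = urljoin(self.page_url, attrs["src"])
            same = urlparse(url).netloc == urlparse(self.page_url).netloc
            # External script: fingerprint is its SRI attribute, or a marker if absent.
            self.scripts[("first" if same else "third") + "-party:" + url] = attrs.get("integrity") or "NO-SRI"
        elif tag == "script":
            self._buf = []  # start buffering inline script text

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            digest = hashlib.sha384("".join(self._buf).encode()).digest()
            h = "sha384-" + base64.b64encode(digest).decode()  # CSP/SRI hash form
            self.scripts["inline:" + h], self._buf = h, None

def snapshot(page_url, headers, html):
    # Reduce one received response to the watched headers and the script inventory.
    collector = ScriptCollector(page_url)
    collector.feed(html)
    watched = {k.lower(): v for k, v in headers.items() if k.lower() in WATCHED}
    return {"headers": watched, "scripts": collector.scripts}

def detect_changes(baseline, observed):
    alerts = []
    for part in ("headers", "scripts"):
        old, new = baseline[part], observed[part]
        alerts += [f"{part}: added {k}" for k in new.keys() - old.keys()]
        alerts += [f"{part}: removed {k}" for k in old.keys() - new.keys()]
        alerts += [f"{part}: modified {k}" for k in old.keys() & new.keys() if old[k] != new[k]]
    return sorted(alerts)
```

A changed inline script appears as one removed and one added entry, because inline scripts are identified by their hash. A monitor of this kind sees only the response it fetches, so scripts injected dynamically at run time need in-browser instrumentation or CSP reporting to be observed.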

Fortra Managed Web Application Firewall (WAF) not only monitors but also proactively prevents tampered, unknown, or unauthorized scripts from executing. This advanced approach surpasses PCI requirements and outperforms other WAF solutions that merely alert upon detecting significant changes in script behavior. By thwarting the execution of malicious scripts, such as those used for payment card data theft and web skimming attacks like Magecart, Fortra Managed WAF ensures superior security outcomes and automated compliance.

What is a web application firewall (WAF)?

A WAF acts as a filter for web traffic, applying rules to HTTP/HTTPS communications to monitor, filter, and prevent malicious activity. It monitors all traffic going to and from a web application, akin to a set of thick gates outside a building that are raised or lowered based on the perceived safety of incoming and outgoing traffic. With the proliferation of web apps in business, it’s critical that organizations can accurately distinguish good traffic from bad in real time.

Of course, Fortra Managed WAF offers customized control of the process, giving you the option to investigate the necessity of a script before it takes any action that might disrupt your payment processing capabilities.

Some of the specific ways Fortra Managed WAF helps your organization with PCI DSS compliance include:

  • Enhanced client-side protection controls, eliminating both reflected and inline (stored) cross-site scripting (XSS) attacks. Since inline attacks are where most XSS attacks occur, our prevention technology drastically reduces this risk.
  • Identification of all inline, first- and third-party scripts. This gives app owners a clear understanding of their attack surface scope, including authorization and enforcement controls utilizing content security policies and inline response re-writing and integrity checks to execute only authorized, unmodified content.
  • Working with our global SOC when developing new inline active content so the WAF can be configured to execute only authorized scripts.

Fortra Managed WAF streamlines compliance and minimizes tool sprawl with its advanced automated controls and enhanced protections. What sets our WAF apart is a comprehensive approach that goes beyond mere inventory management, actively reducing attack surfaces and rigorously enforcing restrictions on unauthorized scripts. We believe that enforcing approved script execution is critical for upholding PCI DSS regulations and for safeguarding payment card data, which malicious scripts can steal swiftly and for which recovery post-compromise is often impossible.

The Security Standards Council was wise to make compliance with Requirements 6.4.3.a and 11.6.1 a best practice for this first year, as it gives organizations ample time to fully test the environment before full implementation and before the requirements become mandatory. With Fortra Managed WAF, your organization can show the frequency of your monitoring and corrective efforts.

The latest iteration of PCI DSS is now active, and Alert Logic is ready to collaborate with you on your PCI DSS 4.0 compliance efforts. Whether you’re embarking on your DSS compliance journey or updating your current environment to meet the new standard, rely on us as your trusted partner to ensure optimal outcomes.


About the Author
Josh Davies is the Principal Technical Product Marketing Manager at Alert Logic. Formerly a security analyst and solutions architect, Josh has extensive experience working with mid-market and enterprise organizations, conducting incident response and threat hunting activities as an analyst before working with businesses to identify appropriate security solutions for challenges across cloud, on-premises, and hybrid environments.
