Requirement 11 is “Test Security of Systems and Networks Regularly”. This is divided into 6 sub-requirements:
Part of the changes to these requirements in PCI DSS 4.0 involves e-commerce skimming attacks. The new standard has adapted in reaction to the rise of form-skimming ‘magecart’ attacks.
This is covered in the new requirement 11.6, which asks that “unauthorized changes on payment pages are detected and responded to”. Much like requirement 6.4, this involves another way of identifying malicious scripts on your webpage.
The guidance for this requirement is as follows:
11.6.1 A change- and tamper-detection mechanism is deployed as follows:
“Many web pages now rely on assembling objects, including active content (primarily JavaScript), from multiple internet locations. Additionally, the content of many web pages is defined using content management and tag management systems that may not be possible to monitor using traditional change detection mechanisms. Therefore, the only place to detect changes or indicators of malicious activity is in the consumer browser as the page is constructed and all JavaScript interpreted.”
To summarise this in simpler terms:
Essentially, in response to a rise in e-commerce form-skimming attacks, the updated PCI DSS aims to introduce security measures that protect payment pages from malicious activity.
The standard also provides guidance on how to fulfil this requirement. For example, the PCI Council suggests that “External monitoring by systems that request and analyze the received web pages (also known as synthetic user monitoring) can detect changes to JavaScript in payment pages and alert personnel”.
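As an added illustration of the monitoring approach the Council describes (example code written for this page, not RapidSpike's product code and not part of the standard), the script below inventories the scripts found in a fetched payment page and diffs them against an approved baseline, flagging any script that has appeared or gone missing. The sample pages and hostnames are constructed.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects every <script> tag: external scripts by src, inline scripts by body."""
    def __init__(self):
        super().__init__()
        self.scripts = []          # list of (kind, identifier)
        self._buf = None           # accumulates inline script text while inside <script>
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("external", src))
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._buf = None

def script_inventory(html):
    """Fingerprint a page's scripts: 'external:<src>' or 'inline:<sha256 of body>'."""
    p = ScriptCollector()
    p.feed(html)
    return {f"{kind}:{ident}" for kind, ident in p.scripts}

def detect_changes(baseline_html, observed_html):
    """Compare a fetched payment page with its approved baseline.
    Returns (added, removed): scripts not in the baseline, and baseline scripts now missing."""
    base = script_inventory(baseline_html)
    now = script_inventory(observed_html)
    return sorted(now - base), sorted(base - now)

# Constructed sample pages standing in for two synthetic fetches of the same checkout page.
BASELINE = ('<form id="pay"></form><script src="https://shop.example/checkout.js"></script>'
            '<script>initCheckout({currency: "GBP"});</script>')
OBSERVED = (BASELINE +
            '<script src="https://unknown-third-party.example/tag.js"></script>')

if __name__ == "__main__":
    added, removed = detect_changes(BASELINE, OBSERVED)
    print("scripts not in baseline:", added)      # -> ['external:https://unknown-third-party.example/tag.js']
    print("baseline scripts missing:", removed)   # -> []
```

Because inline scripts are keyed by the hash of their body, an edited inline script shows up as one removed and one added fingerprint, so tampering with existing code is caught as well as injection of new scripts.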
As RapidSpike is a synthetic user monitoring tool, you can use it to protect your payment pages. The best way is to set up Attack Detection within your account.
Read on to learn about how to use RapidSpike to fulfil this requirement.