The IT Nerd

Pedro Fortuna, CTO and Co-Founder, Jscrambler has shared with me his predictions for 2024. He’s got three of them to share:

JavaScript Targeted Attacks Accelerates

“In 2024, we predict organizations will encounter persistent challenges concerning their JavaScript and its associated cybersecurity vulnerabilities. Driven by Large Language Models (LLMs), attacks will become more advanced and written with higher levels of speed and sophistication, enabling accelerated learning and control circumvention. Companies will have to evolve their security strategies and implement measures, such as JavaScript code protection, that prevent LLM-powered threats from leveraging early automated learning steps.”

3rd-Party Tag Leakage Fueled by LLM

“Additionally, we anticipate an exponential increase in the leakage and misuse of consumer data collected by 3rd-party tags. Marketing, analytics and payment tag vendors pressured to compete in the market will utilize LLM to improve customer experiences and differentiate services. This will require an increased amount of consumer PII data to be collected which will often go uncontrolled and unmonitored. This collection and processing of more consumer data will have direct and negative consequences on consumer privacy. Therefore, it is imperative for web owners to proactively prepare themselves for this shift and safeguard consumer data through the implementation of 3rd-party script and tag controls. Without proper controls on the collection of consumer data by LLM, it may be too late to prevent the data from being used to train the LLM models, resulting in irreversible consequences. Once done, there’s a risk of potential data leaks by the LLM, as the security of LLMs is still in its infancy.”

PCI v4.0 Moves to Action

“With the increase in JavaScript abuses and e-skimming attacks, we saw the evolution of standards including PCI v4.0 to improve payment page security. While 2023 was the year of preparation for the new PCI v4.0 requirements, 2024 will transition from education to action, as it brings us closer to PCI v4.0 taking mandatory effect in 2025. Companies will quickly move from standards research to vendor research, selection and implementation to effectively prepare for the new 6.4.3 and 11.6.1 payment page security requirements. The best-prepared companies will assess current 3rd-party tag usage and business authorization processes before implementing new technology.”

Jscrambler today announces it has been assessed as compliant with PCI DSS v4.0  following an external assessment by Advantio, a leading Qualified Security Assessor (QSA), signifying the high-security standards Jscrambler’s platform and environment meets. This achievement, ahead of the April 1st, 2024 deadline for meeting the new standard underpins Jscrambler’s dedication to protecting its customers’ sensitive data and ensuring the security of their financial transactions. 

To be assessed as compliant with PCI DSS, companies must demonstrate the ability to protect both their assets and their clients. While Jscrambler does not store, process, or transmit cardholder data, Jscrambler does provide an agent that is present on customer payment pages. Service providers that can affect the security of cardholder data are considered in the scope of PCI DSS v4.0. 

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a set of requirements for protecting Cardholder Data. Version 4.0 represents the state of the art in terms of cyber security and demonstrates a commitment to ensuring the protection of customer’s data. The requirements listed in PCI DSS v4.0 will mandate that the businesses that handle (store, process or transmit) or who could affect the security of payment data implement a set of controls (technical, physical and human) to protect such data. PCI DSS compliance must be renewed annually to ensure continued compliance with the security standard. This is an ongoing commitment that reflects dedication to data protection and transaction security. 

New PCI DSS v4.0 Requirements Attempt to Mitigate Expanding Surface Area Risk

JavaScript has become the building block of nearly every modern-day web page. While it can serve many purposes, it can also deliver unprecedented and sometimes unseen security risks that last for months, should it not be monitored properly. The introduction and widespread use of third-party JavaScript is one example, as online businesses increasingly struggle to maintain complete visibility and control over these scripts. Earlier this year, Jscrambler found that 80% of the 20 most highly trafficked US  e-commerce websites had an average of 148 JavaScripts on their payment pages. For these reasons and more, PCI DSS has included specific requirements (6.4.3 and 11.6.1) designed to minimize this increasing attack surface area, manage all JavaScript executing on payment pages, and detect any tampering or unauthorized changes to the payment page that can result in leaking of the cardholder data. 

Jscrambler is fully committed to PCI DSS, with its Co-founder and CTO, Pedro Fortuna, serving as a member of the PCI SSC Board of Advisors and recently having been added as a Principal Participating Organization. With Jscrambler having been externally assessed as compliant with PCI DSS v4.0, clients of Jscrambler can reliably utilize the Jscrambler Client-Side Protection Platform to both protect cardholder data that is entered into a customer’s web page from skimming attacks and to meet the PCI-DSS v4.0 requirements 6.4.3 and 11.6.1. These new requirements are currently considered ‘best practice’ until April 2025 when they become mandatory. Implementing the new requirements will ensure that merchants can prevent and detect unauthorized changes to JavaScript code. For this reason, service providers and merchants must prepare for PCI DSS v4.0 as they can impact the security of the cardholder data environment (CDE). 

To find out more about the potential impacts of first and third-party JavaScript on payment pages, read Jscrambler’s most recent blog post, Are Non-PCI Compliant Scripts Putting Your Business at Risk?

Customers, prospects, and partners may receive the Jscrambler Attestation of Compliance (AOC) report upon request by contacting their account manager.

The QSA company in charge of this project has been Advantio, an Integrity360 company, with over ten years of experience providing PCI consultancy and formal validation services worldwide via a large team of multilingual subject matter experts.