Industry standard

Revised credit card industry standard to ward off card skimming attacks

PCI DSS v4.0 promotes better defenses against Magecart-type attacks

A major revision to the payment card industry’s PCI DSS standard includes measures designed to encourage e-commerce providers to implement better defenses against JavaScript-based card skimming attacks.

The recently released fourth revision of the Payment Card Industry Data Security Standard (PCI DSS v4.0) – which defines baseline requirements for organizations that process payment or credit card data – has been reinforced to up the ante in the fight against so-called Magecart-type attacks, among other improvements.


Emma Sutcliffe, SVP Standards Manager of the PCI Security Standards Council (PCI SSC), told The Daily Swig: “PCI DSS v4.0 includes two new requirements to help prevent and detect digital skimming in e-commerce environments. The first new requirement relates to the management of payment page scripts that are loaded and executed in the consumer’s browser.

“The second new e-commerce requirement involves a mechanism to detect changes or indicators of malicious activity on payment pages. These requirements help to mitigate the risks introduced by the highly dynamic nature of web pages, where content is frequently updated from multiple internet locations.”
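A concrete check in the spirit of the two requirements just quoted, written as an added example rather than anything from the PCI SSC or the article: it inventories the scripts on a checkout page against an authorised list and flags injected scripts, stripped integrity attributes and changed inline script bodies. All script names, URLs and page contents below are constructed.

```python
import base64, hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes) -> str:
    # SRI digest in the form written into a <script integrity="..."> attribute
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

class _ScriptCollector(HTMLParser):
    """Lists every <script>: external ones as (src, integrity), inline ones as ("inline", body digest)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))
        else:
            self._inline = []  # start buffering an inline script body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(("inline", sri_hash("".join(self._inline).strip().encode())))
            self._inline = None

def audit_payment_page(html: str, authorised: dict) -> list:
    """Findings for scripts outside the authorised inventory; `authorised` maps src (or "inline") to approved digests."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src not in authorised:
            findings.append(f"unauthorised script: {src}")
        elif integrity is None:  # SRI attribute stripped: the browser would accept any content
            findings.append(f"missing integrity attribute: {src}")
        elif integrity not in authorised[src]:
            findings.append(f"integrity mismatch: {src}")
    return findings

# Constructed baseline: the merchant's approved checkout script plus one approved inline snippet.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', validate);"
AUTHORISED = {"https://shop.example/static/checkout.js": {sri_hash(CHECKOUT_JS)},
              "inline": {sri_hash(b"window.csrfToken = 'placeholder';")}}
CLEAN_PAGE = f"""<form id="pay"><input name="pan"></form>
<script>window.csrfToken = 'placeholder';</script>
<script src="https://shop.example/static/checkout.js" integrity="{sri_hash(CHECKOUT_JS)}"></script>"""
# Constructed tamper cases: an injected third-party loader, and an edited inline snippet.
INJECTED_PAGE = CLEAN_PAGE + '\n<script src="https://cdn.invalid/stats.js"></script>'
MODIFIED_PAGE = CLEAN_PAGE.replace("'placeholder';", "'placeholder'; loadHelper();")
```

Run on a regular schedule against the live checkout page, a non-empty findings list is the change indicator the second requirement asks for; the authorised map is the script inventory the first requirement asks for.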

Digital showcases

Web-based credit card skimming malware has become a growing threat to e-commerce stores.

This threat shows no signs of abating anytime soon and, even worse, security vendors at the forefront of threat research are uncovering possible evidence of greater collaboration between Magecart groups.

Revisions to PCI DSS v4.0 to better defend against Magecart-type attacks were welcomed by web security consultant Scott Helme in a recent technical blog post.


Adam Hunt, CTO at RiskIQ, told The Daily Swig: “As security researchers shed more and more light on the world of Magecart and PCI SSC standards continue to evolve, we find that this vast underworld of card skimmers is increasingly intertwined and connected.

“By drawing these parallels between different attacks, skimmers and other infrastructure, a lot of things have become more transparent – like which groups are responsible, how they target their victims and how their tools evolve. It is these signifiers that companies should seek.”

The latest attacks sometimes involve a cocktail of mixed threats.

Hunt explained, “In many recent Magecart compromises, we have seen increasing overlap in the infrastructure used to host different skimmers that appear to be deployed by independent groups using various techniques and code structures. There are also new variants of skimmers reusing code seen in the past.

“This overlapping infrastructure could include a hosting provider used by multiple skimming domains loading multiple unrelated skimmers – Inter Skimmer and different versions of Grelos, for example. We even observed domains loading different skimmers from the same IP address.”

Filter Phishing

PCI DSS v4.0 (PDF) is the first major revision to the payment card industry’s most important standard in the past eight years. Along with measures to combat Magecart, PCI DSS v4.0 introduces two new requirements to help combat phishing attacks.

PCI SSC’s Sutcliffe explained that these include the use of automated processes and mechanisms to detect and protect staff from phishing attacks, and the integration of phishing and social engineering into security awareness training.

Sutcliffe concluded: “Another goal of PCI DSS v4.0 is to provide increased flexibility to organizations using new and innovative methods to achieve their security goals. The updated requirements and flexibility built into PCI DSS v4.0 are supported by additional guidance throughout the standard to help organizations secure payment data now and in the future.”
