Jscrambler has released a free tool to help companies check the JavaScript code running on their e-commerce sites and bring it into compliance with the latest version of the PCI DSS (Payment Card Industry Data Security Standard), v4.0.
The PCI Security Standards Council released PCI DSS v4.0 in March 2022 and gave organizations a two-year transition before retiring the previous version, with a further year for the requirements that were initially future-dated as best practice. By March 31, 2025, all retailers and e-commerce sites, in fact anyone who handles payment cards online, must meet the full set of v4.0 requirements. Jscrambler's PCI DSS JavaScript Compliance Tool helps organizations assess whether the JavaScript on their e-commerce sites complies with two of those requirements: 6.4.3, which concerns managing and protecting the scripts on payment pages, and 11.6.1, which concerns detecting tampering with those pages. Both cover every script on the page, whether it comes from the merchant or from its third- and fourth-party contractors.
Requirement 6.4.3 calls for a method to confirm that each script loaded and executed in the consumer's browser on a payment page is authorized, a method to assure the integrity of each script, and a complete inventory of those scripts with a written justification for why each one is necessary. Requirement 11.6.1, which also covers merchants whose payment page embeds a third party's iframe payment form, calls for a change- and tamper-detection mechanism that evaluates the HTTP headers and the contents of the payment page as received by the consumer's browser at least once every seven days, or at the frequency set by the organization's targeted risk analysis, and alerts personnel to any unauthorized modification.
The anti-skimming requirements respond to ongoing web skimming campaigns in which attackers inject malicious code into Magento, WooCommerce, Shopify, and WordPress sites. Magecart skimmers have been found on some 2 million websites, including those of Ticketmaster and British Airways.
The Jscrambler tool discovers and collates all scripts on a merchant's site, verifies and authorizes each one, and logs the results together with their compliance status. It visualizes each script's behaviour, highlighting actions considered suspicious, analyzes what each script does, and generates a justification for its use. Alerts fire if a script is tampered with, if the contents of the payment page change without authorization, or if an HTTP header is altered. All of this, the company said, reduces manual compliance effort and helps produce audit-ready reports.