PCI DSS v4.0 encourages better defenses against Magecart-style assaults

A major revision of the payment card industry’s PCI DSS standard encourages better defenses against Magecart-style skimming attacks

A major revision of the payment card industry’s PCI DSS standard includes measures designed to encourage e-commerce providers to build better defenses against JavaScript-based card-skimming attacks.

The recently released fourth revision of the Payment Card Industry Data Security Standard (PCI DSS v4.0) – which sets baseline requirements for organizations that handle payment or credit card data – has been strengthened to counter so-called Magecart-style attacks, among other improvements.


Emma Sutcliffe, SVP standards officer of the PCI Security Standards Council (PCI SSC), told The Daily Swig: “PCI DSS v4.0 includes two new requirements aimed at helping to prevent and detect digital skimming in e-commerce environments. The first new requirement covers the management of payment page scripts that are loaded and executed in the consumer’s browser.

“The second new e-commerce requirement involves a mechanism to detect changes or indicators of malicious activity on payment pages. These requirements help mitigate the risks introduced by the highly dynamic nature of web pages, where content is frequently updated from multiple internet locations.”

Digital storefronts

Web-based credit card skimming malware has become a growing menace for e-commerce shops.

This threat shows no sign of abating anytime soon and, worse still, security vendors at the forefront of researching the threat are uncovering possible evidence of greater collaboration between groups.

The revisions to PCI DSS v4.0 to better defend against Magecart-style attacks were welcomed by web security consultant Scott Helme in a recent technical blog post.


Adam Hunt, CTO at RiskIQ, told The Daily Swig: “As security researchers shine more light on the world of Magecart, and as the PCI SSC standards continue to evolve, we see that this vast card-skimmer underworld is increasingly intertwined and connected.

“In drawing these parallels between different attacks, skimmers, and other infrastructure, many things have become more transparent – such as which groups are responsible, how they target their victims, and how their tooling evolves. It is these signifiers that companies should be looking out for.”

The latest attacks sometimes involve a cocktail of blended threats.

Hunt explained: “In many recent Magecart compromises, we've seen increasing overlaps in infrastructure used to host different skimmers that seem to be deployed by unrelated groups that use various techniques and code structures. We also observe new variants of skimmers reusing code seen in the past.

“This overlapping infrastructure could include a hosting provider used by several skimming domains loading multiple, unrelated skimmers – the Inter skimmer and different versions of Grelos, for example. We even observed domains loading different skimmers from the same IP address."

Filter phish

PCI DSS v4.0 (PDF) is the first major revision of the payment card industry’s most important standard in the last eight years. Alongside the measures aimed at combating Magecart, PCI DSS v4.0 adds two new requirements to help address phishing attacks.

PCI SSC’s Sutcliffe explained: “These include the use of processes and automated mechanisms to detect and protect personnel against phishing attacks and incorporating phishing and social engineering into security awareness training.”

Sutcliffe concluded: “Another goal with PCI DSS v4.0 is to provide increased flexibility for organizations that use new and innovative methods to achieve security objectives. The updated requirements and flexibility built into PCI DSS v4.0 are supported by additional guidance throughout the standard to help organizations secure payment data now and into the future.”
