Why You Need to Know About PCI Requirements 6.4.3 & 11.6.1: Eskimming Findings from SecurityMetrics Investigations

SecurityMetrics has seen a dramatic increase in attacks specifically on ecommerce sites using iFrames to host a payment page from a 3rd party service provider.

Gary Glover
Tags: Auditor Tips, Cybersecurity, Data Breaches, PCI, PCI DSS v4.0

A Rise in Ecommerce Attacks

Ecommerce websites and their shopping carts are being systematically targeted by criminals.

SecurityMetrics has seen a dramatic increase in attacks specifically on ecommerce sites that use iFrames to host a payment page from a third-party service provider. iFrame-hosted payment pages have been an effective way for merchants to keep card data off their own servers, but criminals are now skimming data from the third-party payment page displayed in the iFrame by attacking the merchant page that embeds it.

Ecommerce data skimming is accomplished by injecting malicious scripts into the referring payment page, the merchant page that loads the iFrame. A script injected there runs with the full privileges of the merchant's own origin, so the browser protections merchants count on give less than expected: Same Origin Policy stops the parent page from reading inside the cross-origin iFrame, but it does not stop a script on the parent page from altering the page around the iFrame or the iFrame element itself, and Content Security Policy (CSP) and Subresource Integrity (SRI) only protect a page on which the merchant has actually deployed them.

PCI DSS v4.0.1 Combats Ecommerce Skimming Attacks

PCI DSS requirements 6.4.3 and 11.6.1 were added in v4.0 to help combat these ecommerce skimming trends.

Requirement 6.4.3 is focused on managing the scripts that are loaded and executed on your payment pages. To reduce the possibility of a malicious script making it onto a payment page, organizations need an inventory of every script used on those pages, with a written justification for why each script is necessary.

This inventory must be documented and maintained so that every script in use is known and authorized, and a method must be in place to assure the integrity of each script.

Requirement 11.6.1 is all about detecting changes made to your pages. Probably one of the biggest things in Requirement 11 was the addition of a change- and tamper-detection mechanism for payment pages. This addition is a direct result of the increase in ecommerce skimming compromises seen on payment pages in recent years.

Both requirements are future-dated: they are best practices until March 31, 2025 and mandatory after that date. By then, companies must have deployed a solution that detects changes to those pages at any point up to completion of the payment (e.g., script additions, changes to known scripts, or changes to the web page code).

This is a great addition to the standard and is absolutely needed for ecommerce security.

The data in this report illustrates the need for the future-dated requirements in PCI DSS v4.0.1 that apply to script security on payment pages and on the pages that embed the iFrame (i.e., referring payment pages).

Data shown here is compiled from over 2000 ecommerce forensic investigations done by the SecurityMetrics Forensic Team over the past three years. Let’s dive into the data and what it means for you.

Ecommerce Forensic Investigation Results

SecurityMetrics has conducted over 2000 ecommerce client-side forensic investigations in the past few years specifically looking for malicious skimming behaviors as part of SecurityMetrics’ Shopping Cart Inspect service.

These investigations not only focused on searching for malicious scripts on the client browser side, but also included a detailed analysis of all the scripts being loaded within the 3rd party payment pages as well (e.g., contents of the iFrame source commonly hosted by a PCI DSS compliant service provider).

Data Shows Merchants’ Referring Pages Are the Greatest Security Risk

In 100% of the cases where card data skimming was occurring, the security failure was present on the merchant’s referring page and not because of a malicious script on the 3rd party hosted payment page.

This finding clearly indicates that the main skimming risks are on the merchant’s side, not on the service provider’s side.

Other data gathered from these investigations may also be of interest to merchants and service providers alike.

  • Of the more than 2000 ecommerce forensic investigations conducted:
    • 40% used iFrames for display of a third-party payment page
    • 35% used direct post or traditional server-side processing
    • 25% used button redirects to a third-party hosted payment page
  • Out of the cases where malicious activity was detected (e.g., card skimming):
    • 46% occurred on pages where iFrame redirect was used
    • 44% occurred on pages using direct post or other methods
    • 10% occurred on pages using button redirect to a fully hosted payment page

What We’ve Learned About Eskimming

Based on the results of real world investigations where card data was being lost on ecommerce sites, the main risk is clearly within the merchant's environment and not the service provider's environment.

Therefore, merchants need to be aware of the scripts that they include on their websites (PCI DSS requirement 6.4.3) and check for the presence of malicious scripts and behaviors on any payment or referring payment pages (PCI DSS requirement 11.6.1). This does not excuse service providers from complying with these requirements, but the data shows that the risk is much lower on the service provider’s side.

Due to the nature of card skimming compromises that SecurityMetrics has seen, service providers would not be able to solve this issue for the merchant, unless the service provider took over the entire ecommerce process for a merchant website.

How Organizations Can Protect Themselves Against Ecommerce Skimming Attacks

Traditional security tools and policies were not developed to identify web-based data skimming (particularly ecommerce checkout skimming), especially in dynamic environments like online shopping carts. One of the biggest challenges with ecommerce skimming (also known as eSkimming) is that it is rarely detected by security tools such as antivirus, vulnerability scans, and file integrity monitoring (FIM): the malicious code executes in the customer's browser and often is not present as a changed file on the merchant's server at all.

SecurityMetrics WIM technology helps detect these skimming attacks all the way through the ecommerce process from the initial page load to the final point where an ecommerce transaction is completed. Looking fully at the behavior of this dynamic process being played out within the client browser environment is critical to accurate detection and alerting of any malicious behavior.

PCI DSS requirement 11.6.1 mandates that organizations implement change- and tamper-detection procedures and technologies that alert personnel to unauthorized modifications (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of the referring or payment page(s), as received by the consumer's browser, throughout the payment process.

SecurityMetrics' Shopping Cart Monitor addresses the growing demand for ecommerce threat detection tools by offering a user-friendly solution for eSkimming detection that meets the PCI DSS v4.0.1 requirements for ecommerce security protection.

Shopping Cart Monitor is an agentless solution and doesn't require a software download or installation of code on your website. Because no code is installed, there is nothing on the site for cybercriminals to detect and work around. Additionally, Shopping Cart Monitor does not affect a website's speed or the customer's shopping experience.

The SecurityMetrics Shopping Cart Monitor service has affordable pricing options that work for small businesses with limited security budgets as well as larger entities that want a higher level of service.

Protect Your Customers, Prepare Your Business

Digging deep into real-life ecommerce skimming attacks consistently tells us how to prepare and protect companies everywhere. While it's vital to stay one step ahead of the bad guys, there is a lot to be learned from those who have already been breached. Advances in security for card-present transactions have better protected brick-and-mortar merchants, and as a result criminal activity has shifted to ecommerce environments.

Your business is built with the support of your loyal customers, both in person and on the web. Guarding their sensitive information is essential for your success and their trust. Your ecommerce website needs to be secure to keep that trust. Staying educated and prepared makes all the difference.
