Prevent malicious script execution: do I need a proprietary script management system? “Yes” if you want to respect PCI 6.4.3

PCI 6.4.3 nods to proprietary script management systems that were created to specifically handle the execution of malicious scripts. The Payment Card Industry (PCI) guidelines under 6.4.3 state that all payment page scripts that are loaded and executed in the consumer’s browser are handled as follows:

  • A method is in place to confirm that each script is authorized
  • A method is in place to ensure the integrity of each script
  • An inventory of all scripts is maintained with a written rationale explaining why each is needed

PCI guidance on 6.4.3 lists three potential solutions for organizations to meet these needs: SRI, CSP, and/or a proprietary script management system. Let’s take a look at each of them to gauge their effectiveness in meeting these new guidelines.

SRI does not meet the three requirements of PCI 6.4.3

SRI, or Sub-asset integrity, is a type of File Integrity Monitoring (FIM) where the browser only loads a given asset if its hash matches the one that has been defined in advance. Natively, SRI manages the first point of PCI 6.4.3 but in a roundabout way. Script hashes must be added to your SRI list to allow a script to run on a page. Additionally, SRI also manages the integrity of each script that checks the second chip requirement for PCI 6.4.3.

However, SRI does not comply with the third point, “An inventory of all scripts is maintained with a written rationale explaining why each is needed.” Indeed, SRI is simply a native function of the browser. Thus, the rationale for each script should be kept separate and available to larger teams as needed within your organization.

Additionally, SRI is notorious for being difficult to manage, maintain, and implement. Every time a script changes or updates (and these change thousands of times a year), a new hash must be created and loaded into your SRI hash list. This can be time consuming and lead to website malfunctions when not maintained.

CSP is based on script domain, not code

CSP, Content Security Policy, is similar to SRI in that a list must be created of the scripts running on a given page. Essentially, CSP defines a set of directions that will whitelist script domains. This list is based on the domain of the script and allows the vendor code to be changed and updated without the need to re-authorize the script. Only certain behavior restrictions can be set in a site’s CSP policy.

Yet, CSP is not a viable or sustainable solution for adhering to PCI 6.4.3 guidelines. The problem is that script authorization is domain-based, not code-based. This means that even though you can explicitly grant access to a script, you cannot guarantee the integrity of the script, and once access is granted, the behavior of the script can be difficult to control.

Similar to SRI, CSP is native to the browser and no written justification system exists to enable the written part of the 6.4.3 guidelines. The elephant in the room with CSP is that the original intent was to prevent XSS-based attacks, while eSkimming and other client-side attacks are just an afterthought.

Proprietary script management systems are the ultimate solution to meet PCI 6.4.3

Defense of sources is a proprietary script management system that meets the three elements of PCI 6.4.3. Let’s dive into each chip and find out how the Source Defense platform is the ultimate solution to prevent malicious script execution.

“A method is in place to confirm that each script is authorized”

For nearly a decade, Source Defense technology has been developed to serve as the authoritative source on client-side attacks such as magecart, formjacking, skimming, and other JavaScript-based attacks. The Source Defense Platform audits and authorizes every script on a website and only grants the necessary permissions for the script to function optimally without posing risk.

“A method is put in place to ensure the integrity of each script”

Source Defense protects the end-user experience by eliminating unnecessary latency and protecting the customer journey. This is done by ensuring the integrity of each third party, 4th and nth party script by forcing the third party scripts to load into a virtual page isolated from the visitor’s page. By forcing third-party scripts to behave in a controlled environment, Source Defense is able to give defined permissions to allow or deny the script to perform certain behaviors.

“An inventory of all scripts is maintained”

The Source Defense client-side security platform not only audits third-party and third-party scripts on a site, but also offers advanced security management in an all-in-one, scalable system for complete threat visibility and control across all your client-side security products. Now you have full visibility into your site’s inventory of third-party scripts that reside on every page of your site. This inventory details how many third-party scripts they bring and what permissions each of these scripts has.

Final Thoughts

PCI 6.4.3 details three possible solutions. However, two of these “solutions” are insufficient to meet the three points of guidance. To ensure that your organization remains compliant and to protect your organization and your customers client-side attacksyou must implement a proprietary script management system.

Source Defense is the script management system that will help you prevent malicious scripts from running. Request a demo platform to see it in action.

The post office Prevent malicious script execution: do I need a proprietary script management system? “Yes” if you want to respect PCI 6.4.3 appeared first on Defense of sources.

*** This is a syndicated blog from the Security Bloggers Network of Blog – Source Defense Written by [email protected]. Read the original post at: https://sourcedefense.com/resources/preventing-malicious-script-execution-proprietary-script-management-meet-pci-6-4-3/