PCI DSS v4.0 Makes Client-side Security a Priority

A primer on the threat and guidance under 6.4.3 and 11.6.1


Digital skimming, formjacking, e-skimming, Magecart: these are all names for the same class of attack, in which JavaScript running in the shopper's browser reads credit card data and PII out of a web form and sends it to the attacker. The theft happens at the point of entry, before the data is in transit or at rest, so TLS and server-side controls never see it. These attacks are happening at such a pace that the PCI Council has made client-side security a core concern in the changes found in PCI DSS v4.0.

Join Matt McGuirk, solution architect, Office of the CTO, on July 28, 2022, for a deep dive into how these attacks occur; a breakdown of the current technical environment surrounding client-side security; and analysis of the guidance found in 6.4.3 and 11.6.1 that will help you give consistent and comprehensive guidance to your clients.  

Key takeaways: 

  • Understand how hackers exploit the client-side of an organization’s website
  • Discuss updates included in v4.0, specifically around 6.4.3 and 11.6.1
  • Compare and contrast the available options for implementing this new guidance 
  • Learn how to give recommendations that your clients can adopt rapidly and easily

Client-side attacks have been increasing steadily over the past few years, with hundreds of them running below the radar every day. They have resulted in millions of stolen credit cards and billions in financial losses from fraud, incident response cost, fines and judgements. They are made possible by the structure of the modern website, where dozens of third- and nth-party partners load code directly into the browser, outside the website owner's control, to enhance the user experience, power advertising, drive analytics, and so on. Criminals increasingly compromise this JavaScript (by breaching the vendor, poisoning a CDN, or injecting a script tag into the page) so that it reads and exfiltrates sensitive data from the form fills occurring on the targeted sites.

The PCI Council has made client-side security a major focus of PCI DSS v4.0.
Requirements 6.4.3 and 11.6.1 specifically address the gaps that facilitate client-side attacks. 6.4.3 is preventive: every script loaded and executed in the consumer's browser on a payment page must be authorized, have its integrity assured, and appear in an inventory with a written business justification. 11.6.1 is detective: a change- and tamper-detection mechanism must alert on unauthorized modification of the HTTP headers and contents of payment pages as received by the consumer's browser, and must run at least once every seven days or at a frequency set by a targeted risk analysis. Both are future-dated requirements: they are best practices until 31 March 2025 and required for compliance after that date.

Join Source Defense, the pioneer in client-side security, for an in-depth look into the issue so that you can best inform your clients as to how to address this critical attack surface. 

Please fill out the form to gain access to the webinar recording.