- 07 Mar 2024
Introduction
Problem Definition
Modern websites are dynamically rendered applications running in every consumer's browser. At runtime they load code directly from across the Internet to deliver critical business functionality. This constantly changing Nth-party code bypasses traditional security controls and enjoys nearly unlimited access to sensitive user data in the browser. Legitimate third parties accessing this data pose a major privacy risk. Worse, attackers who compromise this supply chain can steal cardholder data and other personally identifiable information (PII) through attacks such as digital skimming (e.g., Magecart), formjacking, and malicious redirects.
Lack of real-time visibility and control over scripts and their behavior is among the most serious security threats to online businesses today. In response, PCI DSS 4.0 introduced new browser script management requirements and several government agencies have issued advisories and fines.
Code Defender collects no sensitive or personally identifiable information.
To learn more, you can visit the HUMAN Blog.
Code Defender Solution
HUMAN Code Defender enables customers to safely benefit from browser scripts by providing comprehensive client-side visibility and protection. Running in every consumer browser, Code Defender identifies all JavaScript on the page and provides deep insight into each script's behavior, protects sensitive data from unauthorized access by enforcing automated policies, detects suspicious activity, responds to mitigate malicious behavior without interrupting the website's operation, and simplifies compliance with privacy regulations and PCI DSS.
PCI DSS for Client-side Defense
PCI DSS 4.0 requirements 6.4.3 and 11.6.1 become mandatory on April 1, 2025 and apply even to merchants who outsource all payment processing (e.g., via iframe or redirect). Requirement 6.4.3 requires maintaining an inventory of all scripts with written justification and implementing methods to authorize and assure the integrity of scripts. Requirement 11.6.1 requires deploying an alerting mechanism to detect unauthorized modification of scripts and HTTP headers, as received by the consumer browser.*
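To make the two requirements concrete, here is an added example (not Code Defender's code, and not part of the original page) of the minimal logic behind them: an inventory that records each authorized payment-page script with its Subresource Integrity digest and written justification (6.4.3), and a check that flags scripts or HTTP headers received by the browser that were never authorized or no longer match (11.6.1). All URLs, script bodies and header values are constructed sample data.

```python
import base64
import hashlib

# Constructed sample data: script bodies a team reviewed and authorized for its
# payment page, each with the written justification PCI DSS 6.4.3 asks for.
KNOWN_GOOD = {
    "https://pay.example/checkout.js": (b"window.checkout = function () {};", "Payment form logic"),
    "https://tagmgr.example/tm.js": (b"/* tag manager v3 */", "Analytics tag, approved 2024-03"),
}

# Constructed security-header baseline for the payment page (11.6.1).
EXPECTED_HEADERS = {
    "content-security-policy": "script-src 'self' https://pay.example https://tagmgr.example",
    "x-frame-options": "DENY",
}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ('sha384-<base64>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_inventory(known_good):
    """Turn reviewed script bodies into the inventory: URL -> {integrity, justification}."""
    return {
        src: {"integrity": sri_digest(body), "justification": why}
        for src, (body, why) in known_good.items()
    }


def check_scripts(inventory, observed):
    """Compare scripts as received by the browser (URL -> bytes) with the inventory.
    Reports unauthorized (not inventoried), modified (digest mismatch) and missing scripts."""
    unauthorized = sorted(set(observed) - set(inventory))
    missing = sorted(set(inventory) - set(observed))
    modified = sorted(
        src for src, body in observed.items()
        if src in inventory and sri_digest(body) != inventory[src]["integrity"]
    )
    return {"unauthorized": unauthorized, "modified": modified, "missing": missing}


def check_headers(expected, received):
    """Return headers whose received value differs from the baseline: name -> (expected, got)."""
    received = {name.lower(): value for name, value in received.items()}
    return {
        name: (value, received.get(name))
        for name, value in expected.items()
        if received.get(name) != value
    }
```

Any non-empty result from either check is what an 11.6.1 alerting mechanism would raise for review; an empty result means the page matched the authorized inventory and header baseline.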
HUMAN Code Defender simplifies compliance with PCI DSS 4.0’s requirements 6.4.3 and 11.6.1:
- Automatically discover and maintain the payment page script inventory and record authorization and justification decisions
- Assure the integrity of scripts and detect changes to scripts and HTTP headers
- Facilitate authorization, justification, and integrity workflows, highlighting progress and action items to reach full compliance
- Automate authorizations and risky script behavior mitigation with simple policy rules
- Export ready-to-go audit reports to demonstrate compliance
*Note: See official PCI DSS 4.0 and PCI DSS 4.0 SAQ-A documents.