Shopify has issued a warning about a significant change in the PCI-DSS v4 standard: the standard has been in effect since 2022, but enforcement of this part of it begins on March 31, 2025. Requirement 6.4.3 mandates that the integrity of scripts loaded into users' browsers be verified at all times.
The requirement targets digital skimming, in which attackers embed scripts in online stores to capture credit card numbers: when a user enters card details into a form, the script captures the numbers and sends them to a server the attacker controls.
PCI-DSS v4 requires merchants to document which scripts are used and why, to implement controls so that only authorized scripts are loaded, and to ensure the integrity of the scripts that are loaded.
The requirement also extends to the parent frame. Previously, payment service providers often achieved only partial PCI-DSS compliance by embedding the payment form in an iframe; an attacker who could manipulate the parent frame could swap that iframe for one pointing at a phishing site.
Modern browsers provide several mechanisms for verifying script integrity. Content Security Policy (CSP) defines which sources scripts may be loaded from and reports violations, while Subresource Integrity (SRI) lets the browser check the hash of a script on every load. This limits what an attacker who gains control over part of the site's delivery chain can do, for example by modifying files on the CDN: if the hash does not match, the script is neither loaded nor executed.
TLDR: Shopify warns about changes in the PCI-DSS v4 standard that mandate verification of script integrity in the browser to combat digital skimming. Modern browser technologies like CSP and SRI help ensure script integrity.