
Jscrambler Launches JavaScript Scanner for PCI DSS 4.0 Compliance

The free tool aims to help organizations meet the requirements of the new version of the payment standard, which takes effect next March.

Dark Reading Staff, Dark Reading

June 28, 2023


Jscrambler has released a free tool to help companies check the JavaScript code running on their e-commerce sites and bring those sites into compliance with the latest version of the PCI DSS (Payment Card Industry Data Security Standard), v4.0.

The PCI Security Standards Council released PCI DSS v4.0 in March 2022 and began a two-year phaseout of the previous versions before beginning enforcement. By March 31, 2025, all retailers and e-commerce sites – anyone who handles payment cards online, really – will need to be in compliance with these requirements. Jscrambler's PCI DSS JavaScript Compliance Tool helps organizations assess whether the JavaScript on their e-commerce sites meets two v4.0 requirements: protection against (6.4.3) and detection (11.6.1) of skimming attacks on all scripts, whether they come from the merchant or from its third- and fourth-party contractors.

Section 6.4.3 requires that companies confirm that each script is authorized, ensure the integrity of the scripts, and maintain a complete inventory that explains why each script is necessary. Section 11.6.1 applies to merchants that include a third party's iframe payment form on their websites; it compels an evaluation of the HTTP header and payment page periodically (usually every seven days) that looks for and notifies the merchant about any changes to the page.

The anti-skimming requirements are necessary because attackers are launching Web skimming campaigns by injecting malicious code into Magento, WooCommerce, Shopify, and WordPress sites. Magecart skimmers have been found on 2 million websites, including those of Ticketmaster and British Airways.

The Jscrambler tool searches for and collates all scripts on a merchant's site, performs script verification and authorization, and then logs the results, including compliance status. It visualizes each script, highlighting actions that are considered suspicious, analyzes what each script does, and generates a justification for its use. Alerts are triggered if a script is tampered with, if the contents of the payment page are changed without authorization, or if the HTTP header is altered. All of these functions reduce manual compliance effort and help generate audit-ready reports, the company said.
