Section 6.4.3 requires that companies confirm that each script is authorized, ensure the integrity of the scripts, and maintain a complete inventory that explains why each script is necessary. Section 11.6.1 applies to merchants that include a third party's iframe payment form on their websites; it requires a periodic evaluation (usually every seven days) of the HTTP header and payment page that looks for any changes to the page and notifies the merchant about them.
The anti-skimming requirements are necessary because attackers are launching Web skimming campaigns by injecting malicious code into Magento, WooCommerce, Shopify, and WordPress sites. Magecart skimmers have been found on 2 million websites, including those of Ticketmaster and British Airways.
The Jscrambler tool searches for and collates all scripts on a merchant's site, performs script verification and authorization, and then logs the results, including compliance status. It visualizes each script, highlights actions that are considered suspicious, analyzes each script's function, and generates a justification for using it. Alerts are triggered if scripts are tampered with, the contents of the payment page are changed without authorization, or the HTTP header is altered. All of these functions reduce manual compliance efforts and assist in generating audit-ready reports, the company said.
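The checks described above (an approved script inventory with a justification per script, integrity verification, and detection of header changes) can be sketched as a comparison against a reviewed baseline. This is an added example, not Jscrambler's code and not text from the standard; the inventory layout, the finding names, and the example.test URLs are assumptions made for illustration.

```python
import base64, hashlib
from html.parser import HTMLParser

def sri(body: bytes) -> str:
    """SHA-384 digest in the format Subresource Integrity uses."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)   # external script, keyed by URL
            else:
                self._buf = []              # inline script, collect its body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).encode())
            self._buf = None

def audit(html, bodies, headers, inventory, header_baseline):
    """Sorted (finding, subject) pairs; empty means no drift from baseline.
    inventory maps script id -> {"hash", "why"}; bodies maps src -> bytes."""
    page, findings = ScriptCollector(), []
    page.feed(html)
    for src in page.external:
        entry = inventory.get(src)
        if entry is None or not entry.get("why"):  # not approved or no reason
            findings.append(("unauthorized-script", src))
        elif sri(bodies.get(src, b"")) != entry["hash"]:
            findings.append(("script-tampered", src))
    approved = {e["hash"] for e in inventory.values()}
    findings += [("unauthorized-script", "inline:" + sri(b)[:15])
                 for b in page.inline if sri(b) not in approved]
    seen = {k.lower(): v for k, v in headers.items()}
    findings += [("header-changed", n) for n, v in header_baseline.items()
                 if seen.get(n.lower()) != v]
    return sorted(findings)

# Constructed sample data (example.test names are placeholders).
CARD_JS = b"renderCardForm();"
INVENTORY = {"https://cdn.example.test/card.js":
             {"hash": sri(CARD_JS), "why": "renders the card form"}}
HEADERS = {"Content-Security-Policy": "script-src https://cdn.example.test"}
PAGE = '<script src="https://cdn.example.test/card.js"></script>'
```

The caller fetches the page, its headers, and each script body on whatever schedule it monitors, then passes them to `audit` together with the reviewed inventory and header baseline.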