Content Security Policy (CSP)

Learn how the Content Security Policy (CSP) helps protect a website from attacks like XSS by restricting the sources from which content can be loaded.

While Content Security Policies (CSPs) are an important tool for securing web applications against a range of security threats—particularly related to content injection attacks like Cross-Site Scripting (XSS)—they are not a complete solution for meeting PCI DSS 4.0’s Requirement 11.6.1. This article will explore why CSPs do not fully satisfy this requirement and why webpage integrity monitoring is the easiest and most effective method that does.

Functionality Necessary to Fully Satisfy PCI DSS Version 4 Requirement 11.6.1

The Payment Card Industry Data Security Standard (PCI DSS) is a rigorous security standard designed to protect cardholder data and secure the systems that store, process, or transmit it. A new requirement introduced in PCI DSS version 4.0 is Requirement 11.6.1, which mandates that organizations deploy a change- and tamper-detection mechanism that does all of the following:

  • Evaluate the HTTP headers and all the content of payment pages, as received by the browser
  • Alert personnel of unauthorized modification to HTTP headers and website content, including content loading from third parties

The ultimate objective of PCI DSS Requirement 11.6.1 is to proactively identify and address changes to payment page content that could negatively impact the security of sensitive cardholder data.

E-Skimming is when an attacker tampers with code on a payment page in order to steal sensitive information, especially cardholder data. Attackers can do this by modifying the code loaded by the webserver itself, or by modifying the code provided by third parties, such as scripts loaded dynamically when the page is built by the browser. Third-party scripts are commonly used on payment pages for traffic monitoring, payment processing, and many other purposes. In these common situations, the webserver only serves a portion of the payment page. The rest of the payment page is loaded by the browser based on the instructions included in the payment page code. In other words, the code used to perform E-Skimming attacks could load from a third party, and it would never even be seen or handled by your webserver. This makes E-Skimming attacks difficult to detect from your server, because only the browser is able to see cases of malicious code loading from third-party sources. This is why the guidance from the PCI DSS for Requirement 11.6.1 states that the only place to detect indicators of this type of malicious activity is from the perspective of the browser, where all content is loaded. TamperDetect’s page integrity monitoring service does exactly this.

A Content Security Policy (CSP) is a web security standard designed to prevent a wide range of attacks. A CSP defines a set of rules and directives that govern which resources (e.g., scripts, images, and stylesheets) are allowed to load and execute on a website. By specifying allowed sources and blocking unauthorized content from running, CSPs effectively reduce some of the risk of malicious content getting injected into web applications.

But what happens when an attacker is able to compromise a source that is allowed by the CSP? If an attacker is able to change the code and content from sources that are authorized by the CSP, then the changes do not violate a Content Security Policy, and the CSP is rendered ineffective in stopping the attack.

Alternatively, what if the attacker is able to compromise your webserver? In this case the attacker may gain access to change the CSP however they like, once again rendering the CSP useless.
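The following is an added example, not code from this article or from TamperDetect, that makes the previous three paragraphs concrete. It parses a constructed CSP header for a hypothetical payment page (the hostnames `shop.example.test` and `cdn.example-pay.test` are assumptions) and decides whether a script load is allowed. The decision is made from the script's origin alone, so a script from an allowed CDN passes the policy whether or not its contents have been altered; the content hash is computed only to make that point visible. The matcher implements a small subset of CSP source-expression matching (`'self'`, `*`, an explicit origin, a bare host) and is not a full CSP3 implementation.

```python
"""Illustrative CSP check (added example, not TamperDetect's code).

Parses the script-src directive of a CSP header and evaluates script loads.
The policy is matched against the script's *origin*, never its *content*,
which is why a tampered file served from an allowed host still passes.
"""
import hashlib
from urllib.parse import urlparse

# Constructed policy for a hypothetical payment page (assumption, not a real site).
CSP_HEADER = "default-src 'self'; script-src 'self' https://cdn.example-pay.test; img-src *"
PAGE_ORIGIN = "https://shop.example.test"  # constructed origin of the payment page


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Minimal matching for the source expressions used in this example:
    'self', '*', a scheme://host[:port] origin, or a bare host.
    (Subset of the CSP3 algorithm; host wildcards, nonces and hashes are not handled.)"""
    u = urlparse(url)
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr == "*":
        return True
    if "://" in expr:
        e = urlparse(expr)
        return (e.scheme, e.netloc) == (u.scheme, u.netloc)
    return expr == u.netloc  # scheme-less host expression


def script_allowed(policy, url, page_origin=PAGE_ORIGIN):
    """True if the policy permits loading a script from `url`.
    script-src falls back to default-src when absent, as in CSP."""
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src", [])
    return any(source_matches(s, url, page_origin) for s in sources)


def evaluate_loads(policy, loads, page_origin=PAGE_ORIGIN):
    """loads: list of (url, body) pairs as a browser would receive them.
    Returns [(url, allowed, short sha256 of body)]; the hash shows that two
    different bodies from the same allowed origin get the same verdict."""
    results = []
    for url, body in loads:
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        results.append((url, script_allowed(policy, url, page_origin), digest))
    return results


if __name__ == "__main__":
    policy = parse_csp(CSP_HEADER)
    # Constructed script bodies: the genuine CDN script and a tampered copy of it.
    loads = [
        ("https://cdn.example-pay.test/checkout.js", "tokenize(cardNumber);"),
        ("https://cdn.example-pay.test/checkout.js", "tokenize(cardNumber); collect(cardNumber);"),
        ("https://evil.example.test/skim.js", "collect(cardNumber);"),
    ]
    for url, allowed, digest in evaluate_loads(policy, loads):
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {url}  sha256={digest}")
```

Running the module prints two ALLOW lines with different hashes for the same CDN URL and one BLOCK line for the unlisted origin: the policy stops the third load but is indifferent to the altered second one, which is the gap the article describes.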

Another major shortcoming of CSPs is that they cannot alert you or your team to any unauthorized modifications of content. Alerting personnel to unauthorized tampering with or modification of content is a critical function for satisfying 11.6.1 because it allows you and your team to investigate and resolve potential attacks quickly.

The page integrity monitoring service provided by TamperDetect is designed to evaluate all code used on payment pages, including third-party scripts, as received and loaded by a browser. As you would expect, one of the main warning signs of a potential E-Skimming attack is unauthorized changes to code that targets sensitive fields in payment pages. TamperDetect’s page integrity monitoring can use AI to identify the sensitive input fields on your payment page, then notify you of any new content that may be trying to access those critical fields.

TamperDetect features customizable alerts to notify your security team of any content changes that may need to be investigated, including code, images, and stylesheets. Our intelligent monitoring and advanced comparison tools will help you to quickly pinpoint specific content changes on your monitored page. In addition, our script management tools will help you to inventory and document the authorization of all third-party scripts used on your payment pages (to streamline your compliance with PCI DSS Requirement 6.4.3).
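As an added illustration of the baseline-comparison idea behind page integrity monitoring described in the two paragraphs above (this is example code, not TamperDetect's implementation, and it does not use AI), the block below treats a snapshot as a mapping of every resource the browser loaded for the page to its body. It hashes each resource, compares a current snapshot against a stored baseline, reports added, removed and modified resources, and for anything new or changed lists the added lines that reference the page's sensitive inputs. The snapshots, the resource URLs and the field ids `card-number`, `card-expiry` and `card-cvv` are all constructed for the example.

```python
"""Illustrative page-integrity baseline comparison (added example; not
TamperDetect's code). A snapshot is {resource_url: body} for everything the
browser loaded. Compare it with a baseline, report what changed, and flag
added lines that touch the payment page's sensitive input fields."""
import difflib
import hashlib

# Constructed ids of the sensitive inputs on a hypothetical payment page.
SENSITIVE_FIELDS = ("card-number", "card-expiry", "card-cvv")

# Constructed baseline snapshot: page HTML plus the genuine checkout script.
BASELINE = {
    "https://shop.example.test/checkout": (
        '<form id="pay">\n'
        '  <input id="card-number">\n'
        '  <input id="card-expiry">\n'
        '  <input id="card-cvv">\n'
        '  <script src="https://cdn.example-pay.test/checkout.js"></script>\n'
        "</form>\n"
    ),
    "https://cdn.example-pay.test/checkout.js": (
        "function submitPayment() {\n"
        '  const num = document.getElementById("card-number").value;\n'
        "  return tokenize(num);\n"
        "}\n"
    ),
}

# Constructed current snapshot: unchanged HTML, a modified checkout script
# (one benign comment line and one line reading a sensitive field), and a
# new analytics script that does not touch payment fields.
CURRENT = {
    "https://shop.example.test/checkout": BASELINE["https://shop.example.test/checkout"],
    "https://cdn.example-pay.test/checkout.js": (
        "function submitPayment() {\n"
        "  // version 2.1\n"
        '  const num = document.getElementById("card-number").value;\n'
        '  collect(num, document.getElementById("card-cvv").value);  // constructed tampered line\n'
        "  return tokenize(num);\n"
        "}\n"
    ),
    "https://cdn.example-pay.test/analytics.js": "track('checkout-view');\n",
}


def fingerprint(snapshot):
    """sha256 of every resource body, keyed by URL."""
    return {url: hashlib.sha256(body.encode()).hexdigest() for url, body in snapshot.items()}


def added_lines(old, new):
    """Lines present in `new` but not in `old`, via a zero-context unified diff."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def touches_sensitive(lines):
    """Subset of `lines` that mention a sensitive field id."""
    return [line for line in lines if any(field in line for field in SENSITIVE_FIELDS)]


def compare(baseline, current):
    """Return one alert dict per added, removed or modified resource."""
    alerts = []
    base_fp, cur_fp = fingerprint(baseline), fingerprint(current)
    for url in sorted(set(base_fp) | set(cur_fp)):
        if url not in cur_fp:
            alerts.append({"url": url, "kind": "removed", "sensitive": []})
        elif url not in base_fp:
            new_lines = current[url].splitlines()
            alerts.append({"url": url, "kind": "added", "sensitive": touches_sensitive(new_lines)})
        elif base_fp[url] != cur_fp[url]:
            new_lines = added_lines(baseline[url], current[url])
            alerts.append({"url": url, "kind": "modified", "sensitive": touches_sensitive(new_lines)})
    return alerts


if __name__ == "__main__":
    for alert in compare(BASELINE, CURRENT):
        flag = "SENSITIVE" if alert["sensitive"] else "review"
        print(f"[{flag}] {alert['kind']:8} {alert['url']}")
        for line in alert["sensitive"]:
            print("    +", line.strip())
```

Only changes relative to the baseline produce alerts, and the benign comment line in the modified script is reported as part of the change but not flagged, while the added line that reads `card-cvv` is. In practice the snapshot would be captured in a browser context so that third-party scripts are compared as actually received, which is the point the article makes about where 11.6.1 monitoring has to happen.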

With our expert support team and innovative solutions, there is simply no more effective way to monitor your critical pages for suspicious changes.

Contact us for a free demo of how TamperDetect can help you to satisfy PCI DSS Requirements 11.6.1 and 6.4.3!