The digital payment ecosystem is under constant attack, and a recent campaign exploiting a legacy Stripe API has brought a new level of urgency to securing payment pages. Cybercriminals used this API to validate stolen credit card details, combining it with malicious scripts injected into payment pages to skim sensitive data. This attack highlights the evolving sophistication of skimming campaigns and the critical need for compliance with PCI DSS Requirement 6.4.3.

The Attack: A Wake-Up Call for Payment Security

In this campaign, attackers exploited a legacy Stripe API to validate stolen card details in real time. By injecting malicious JavaScript into payment pages, they were able to skim sensitive payment information directly from users. This attack was particularly dangerous because it could evade detection by only exfiltrating valid card data, ensuring the stolen information was immediately usable.

This incident underscores the vulnerabilities that can arise when legacy APIs and unsecured client-side scripts are not properly managed. It also demonstrates why the PCI DSS v4.0 Requirement 6.4.3 is a game-changer for payment security.

What is PCI DSS Requirement 6.4.3?

PCI DSS Requirement 6.4.3, introduced in version 4.0 of the standard, focuses on securing client-side scripts that execute on payment pages. It requires organizations to:

• Maintain an inventory of all scripts running on payment pages.
• Justify the necessity of each script.
• Implement controls to ensure that only authorized scripts are loaded and executed in the consumer’s browser.

This requirement is designed to address the growing threat of JavaScript-based skimming attacks, like the one targeting the Stripe API. By enforcing tighter controls over client-side scripts, businesses can significantly reduce the risk of such attacks.

Why Compliance is Non-Negotiable

The consequences of non-compliance with PCI DSS can be severe. Beyond the risk of data breaches, businesses face potential fines, reputational damage, and loss of customer trust. The recent Stripe API attack is a stark reminder of the importance of securing payment pages and adhering to the latest security standards. Even if you use a PCI-compliant payment processor like Stripe, your organization is still responsible for addressing potential gaps in your security posture. As noted in Stripe’s own documentation, businesses must ensure that their integration and client-side scripts meet PCI DSS requirements to avoid vulnerabilities. With 4.0 compliance becoming mandatory in 2025, now is the time to act.

How AccessIT Group Can Help

Navigating the complexities of PCI DSS compliance can be challenging, but you don’t have to do it alone. As a Qualified Security Assessor (QSA), AccessIT Group specializes in helping businesses understand and meet PCI DSS requirements. Our team of experts can:

• Conduct a comprehensive assessment of your payment page scripts.
• Guide you through the implementation of PCI DSS Requirement 6.4.3.
• Provide tailored solutions to ensure your organization achieves and maintains compliance.

Whether you’re just starting your compliance journey or need assistance adapting to the new requirements, AccessIT Group is here to help.

Take Action Today

The evolving threat landscape demands proactive measures to secure payment data. By prioritizing compliance with PCI DSS Requirement 6.4.3, you can protect your customers, safeguard your reputation, and stay ahead of cybercriminals.

Ready to get started? Contact AccessIT Group today to learn how we can help you achieve PCI DSS compliance and fortify your payment security. Don’t wait until it’s too late-take the first step towards securing your business and your customers’ data.

You can read more about this story here.

By: Chad Barr – Director of Governance, Risk & Compliance – CISSP | CCSP | CISA | CDPSE | QSA