17 July 2025 | Thursday | News
Jscrambler, the pioneering platform for client-side protection, announced new independent research from Online Business Systems (OBS) titled "Jscrambler's Iframe Integrity And The New PCI DSS Requirements." OBS is a leading provider of innovative digital solutions and cybersecurity. Its report details Iframe Integrity's success in helping payment service providers/payment gateways (PSPs) offer PCI DSS compliance (for requirements 6.4.3 and 11.6.1) and in simplifying SAQ A eligibility for merchants by shielding payment pages from sophisticated e-skimming attacks while ensuring transaction security.
The number of payment card numbers stolen through e-commerce "skimming" attacks is surging. In these incidents, the e-commerce skimmer watches the transaction between the merchant and the consumer, stealing a copy of the customer's payment card data as it is being entered. With an increasing number of attackers targeting scripts running in a consumer's browser, the PCI Security Standards Council (PCI SSC) has introduced two new requirements in PCI DSS v4.0.1 specifically designed to reduce the risk of client-side e-skimming attacks: requirements 6.4.3 and 11.6.1.
PCI SSC also updated the Self-Assessment Questionnaire (SAQ A), designed for merchants who accept payments but who fully outsource payment processing, for example, by embedding a PSP's payment pages in the merchant's website. In this scenario, all payment processing is managed by the external, PCI DSS-compliant PSP. However, to be eligible to use the updated SAQ A, merchants now must confirm that their e-commerce site is not susceptible to script attacks.
In its new independent research assessment, OBS's PCI SSC-accredited Qualified Security Assessors (QSAs) and Offensive Security Services (OSS) experts evaluated Iframe Integrity's effectiveness in meeting the latest anti-skimming requirements, particularly its ability to harden payment pages against a range of threats, including iframe hijacking, iframe overlays, fake iframes, and function hijacking. "Iframe Integrity safeguards payment pages against script attacks by isolating the PSP script and all elements related to the payment form from unauthorized interference by other scripts running on the parent page. Additionally, it mitigates risks where a malicious script on the merchant's parent page could manipulate users into unintentionally exposing their payment data."
Fintech Business Asia, a business of FinTech Business Review