PCI Script Monitoring
Overview
Keeping credit card data secure online is an increasing challenge. The Payment Card Industry (PCI) helps ensure online security of credit card data by creating compliance requirements such as the PCI Data Security Standard (DSS) that merchants must adhere to in order to accept online payments.
Because of increased threats over the last few years, the compliance requirements have continued to grow in scope.
The latest PCI DSS guidelines have introduced new requirements to better secure credit card data by ensuring that the code loaded onto the payment page is secure and has not been tampered with. On the modern internet, many sites use JavaScript libraries hosted by third parties. These can perform important functions such as tracking analytics, adding chat widgets to your site, or managing cookie acceptance. Unfortunately, if these script libraries are added to your site and either already contain malicious code or are altered in the future to contain malicious code, they can easily be exploited to compromise your customers' card information.
Moving forward, the PCI guidelines will require that any scripts added to your payment pages have a business justification, are secure, and are monitored for unexpected changes. To help with that, we have added the PCI Center as a new feature in LearningCart to help our customers comply with those requirements. Within LearningCart we implement a shared risk model. Our team is responsible for things like core platform and server security, but customers are responsible for configuring their site in a secure manner. Since LearningCart enables our customers to highly customize their site, customers are responsible for ensuring that those changes are PCI DSS compliant.
New PCI Script Monitoring
To ensure that we and our customers can comply with the PCI DSS, we have added the LearningCart PCI Script Monitoring feature under Storefront. On a regular basis, the LearningCart PCI Center will scan your site's payment page and automatically detect which scripts are running on it. Those scripts are then cataloged and appear in your PCI Center, where you can approve them and provide a business justification for their use. Once a script is approved it is automatically monitored for changes, and any change will cause it to require approval again.
Additionally, to enhance security, your payment page now implements browser-based security restrictions. These restrictions may prevent some third-party JavaScript libraries from running on this page. This is by design and has been implemented to prevent scripts hosted by third parties from performing malicious actions.
For most clients, the majority of the work will be the initial scan of their site. Once the initial scan and configuration are done, it is generally unlikely that their scripts will change. We recognize that these new PCI requirements will be challenging for many of our customers to comply with, so please feel free to open a ticket with our support team if you have any questions so we can assist you.
Limiting Scripts on the Payment Page
The easiest way to ensure PCI DSS compliance is to tag any scripts in your template that are not essential so they do not appear on your payment page. In the latest version of LearningCart we have introduced a new tag you can use to accomplish that.
When editing your template, put the following before any non-essential scripts:
<!--START-LC-HIDE-ON-PAYMENT-->
and then put the following after those non-essential scripts:
<!--END-LC-HIDE-ON-PAYMENT-->
When LearningCart creates your payment page it automatically removes anything between those two tags. This greatly reduces your potential attack surface and minimizes the ongoing management, review and approval of the scripts you use on your site.
For example, a JavaScript plugin for an image carousel in your template is likely not needed on your payment page. You could update the HTML template of your site as follows to remove it from your payment page:
<!--START-LC-HIDE-ON-PAYMENT-->
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick.js"></script>
<!--END-LC-HIDE-ON-PAYMENT-->
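As an added illustration (not LearningCart's own code; this page does not describe how its scanner is implemented), the following Python model shows the two mechanisms described above working together: stripping the hide-on-payment blocks from a template, then cataloging the scripts that remain and comparing each one with the hash that was approved in the PCI Center, so that changed or never-approved scripts are flagged for review. The sample template, the FAKE_CDN fetch stub, the inline#N identifiers and the SHA-256 comparison are assumptions constructed for this example.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample template: analytics tag, inline snippet, carousel inside hide tags.
SAMPLE_PAGE = """<html><head>
<script src="https://analytics.example/tag.js"></script>
<script>window.dataLayer = [];</script>
<!--START-LC-HIDE-ON-PAYMENT-->
<script src="https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick.js"></script>
<!--END-LC-HIDE-ON-PAYMENT--></head><body></body></html>"""
# Constructed stand-in for fetching a third-party script body over the network.
FAKE_CDN = {"https://analytics.example/tag.js": "console.log('analytics v2');"}
HIDE_BLOCK = re.compile(
    r"<!--START-LC-HIDE-ON-PAYMENT-->.*?<!--END-LC-HIDE-ON-PAYMENT-->", re.DOTALL)
def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()
def strip_hidden_blocks(html):
    """Drop everything between the START and END tags, as the payment page does."""
    return HIDE_BLOCK.sub("", html)
class ScriptCollector(HTMLParser):
    """Collect (identifier, body) for each <script>: external src or inline text."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src, None))   # body fetched later
            else:
                self._inline = ""                  # start capturing inline text
    def handle_data(self, data):
        if self._inline is not None:
            self._inline += data
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(("inline#%d" % len(self.scripts), self._inline))
            self._inline = None
def audit_scripts(html, approved, fetch=FAKE_CDN.get):
    """approved: identifier -> SHA-256 hex of the body approved in the PCI Center.
    Returns identifier -> 'approved', 'changed' (needs re-approval) or 'unapproved'."""
    collector = ScriptCollector()
    collector.feed(strip_hidden_blocks(html))
    report = {}
    for ident, body in collector.scripts:
        current = sha256(body if body is not None else fetch(ident))
        report[ident] = ("unapproved" if ident not in approved
                         else "changed" if approved[ident] != current else "approved")
    return report
```

In the constructed data the carousel never reaches the audit because it sits inside the hide tags, the inline snippet matches its approved hash, and the analytics script has changed on the CDN since approval, so it is reported as needing re-approval.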
LearningCart operates under a shared risk model. Items such as server and core platform security are managed by our team. Other items, such as not sharing account passwords or not loading malware into your LearningCart account, are the responsibility of the customer using our platform.