PCI Tamper Detection and Protection

It sounds simple, but
nothing could be further from the truth

PCI DSS 4.0 has two new requirements that apply to every organization that is required to be PCI Compliant; no matter what merchant level you are; and no matter what type of SAQ you use
(yes - including SAQ-A).

Confirm that each script is inventoried
Confirm that each script is authorized
Assure the integrity of each script
Maintain an inventory of all scripts with written justification

Requirement 6.4.3 focuses on the management and integrity verification of payment page scripts but also includes the pages and navigational flows leading up to the payment page. It requires maintaining a comprehensive inventory and conducting periodic validations to ensure script authenticity throughout the entire payment process pathway.

Implement a method to detect changes and tampering
Implement a method to evaluate the HTTP header and payment page as received by the consumer browser

Requirement 11.6.1 focuses on tamper detection for HTTP headers and the contents of payment pages. This requirement underscores the critical role of browser-level monitoring in web security, especially as web pages increasingly aggregate content from various internet sources.
‍

<scripts> on <scripts> on <scripts>

Website scripts can be useful and convenient, but they can also be really dangerous. Some are easy to understand, and some are not.

For example, someone in marketing might load a social media analytics script on your website. They may justify it saying that it is required to understand the profile of your visitors. But who is responsible for making sure that script isn’t malicious? Is someone tasked with providing a code review on the social media's analytics page or do you just trust that it doesn't steal data.

Inline Scripts
Scripts within the page

<script type=“text/javascript”> function sayHello() {alert(“Hello World!”)} </script>

1st Party Scripts
Scripts hosted in same domain

<script type="text/javascript" src="/localhost/
javascript.js"></script>

3rd Party Scripts
Scripts from another domain

<script type="text/javascript" src="http://www.google.com/
javascript.js"></script>

...and there is a bigger issue

3rd party scripts are the silent killer. There is a cascading trust issue when you use 3rd party scripts. These 3rd party scripts can be described as a ‘script within a script’. In some cases, the issue cascades, and you find ‘script within a script within a script’, or better summarized as ‘n^th party scripts’. In these cases, you cannot see what the actual script at the end of the chain is doing, and many times you cannot add an sub resource integrity (SRI) tag to these 3rd party scripts.

Components and Functionality

Cloud and On-prem

Use the same processes to scan data in all locations.

Distributed Scanning

Use satellite scanning nodes to process data in residency regions or cloud locations.

Virtually no false positives.

DataStealth is built for enterprise. With fast and easy integration that’s as simple as updating your DNS.

Data Lineage

Classification of not only where sensitive data is located, but also related objects and copies.

Learn More

API, Demand, or Scheduled

Initiate scans via API integrations, on-demand, or scheduled to run off-hours or on a regular schedule.

Learn More

what we do

Components and Functionality

Cloud and On-prem

Use the same processes to scan data in all locations.

Protect payment card data.

Reduce PCI audit scope.

Comply with new PCI DSS 4.0 requirements.

Learn More Schedeule Demo

Data Lineage

Classification of not only where sensitive data is located, but also related objects and copies.

De-risk non-production environments with high-fidelity substitute data.

Learn More Schedeule Demo

Distributed Scanning

Use satellite scanning nodes to process data in residency regions or cloud locations.

Learn More Schedeule Demo

API, Demand, or Scheduled

Initiate scans via API integrations, on-demand, or scheduled to run off-hours or on a regular schedule.

Learn More Schedeule Demo

DataStealth for PCI Tamper Detection and Protection

DataStealth's Tamper Protection is an innovative solution specifically designed to meet and exceed the stringent requirements of PCI DSS 4.0, particularly focusing on requirements 6.4.3 and 11.6.1., offering organizations a robust and efficient way to protect against tampering and unauthorized modifications.

100% browser compatibility

Datastealth is not a script-based solution and does not have browser compatibility issues.  We support every version of every browser. We are future-proof.

Datastealth is an automated solution that doesn't rely on human intervention when tampering or changes are detected.

Humans are the weakest link

Real-Time Script Cataloging

Each time a payment page is loaded, DataStealth dynamically analyzes its structure to catalogue each script, ranging from directly embedded scripts to those loaded dynamically from external sources.

Comprehensive Script Integrity Checks

For scripts hosted on the payment page, DataStealth employs a sophisticated validation process each time the page is sent from your web server to the consumer browser.

Real-Time Tamper Detection

Unlike conventional methods that perform periodic checks, DataStealth reviews the HTTP headers and the content of payment pages every time they are sent to a consumer browser.

Dynamic Content Monitoring

During the initial onboarding phase, DataSealth performs a comprehensive review of a client's web applications. This involves a thorough examination of scripts, CSS and third-party elements using a script injection method to identify all external and dynamic content.

Integration with Change Control Systems

DataStealth's Tamper Protection seamlessly integrates with clients' change control systems, ensuring that tamper alerts align with internal protocols and compliance.

Traffic Management

We establish a process in advance with our clients, allowing them to select their preferred level of protection against unauthorized changes. This process can range from blocking traffic on payment pages when a tamper alert is received, to simply notifying a designated contact while keeping the page active.

Pre-Approved Change Windows

When updates to the payment pages are anticipated, DataStealth coordinates with clients to inform them about the timing of these changes. This allows us to temporarily disable alerts and notifications during the update process, ensuring no false alarms are triggered. After the updates are completed, we proceed to review the changes.

You thought PCI Compliance was hard?
PCI 4.0 is even harder.