How to Use Feroot to Comply with PCI DSS 4.0 Requirement 6.4.3 on Your Payment Pages

27 May 2024

This user guide walks you through how to use Feroot’s suite of tools to meet PCI DSS requirement 6.4.3 on the e-commerce web pages where you accept card payments.

Step 1: Maintain an Inventory of Necessary Scripts

What You Need:

  • Feroot Inspector
  • List of domains where you have payment pages
  • Optional: List of URLs of your static payment pages
  • Optional: List of dynamic payment pages. Dynamic payment pages are pages where the payment form is only displayed after a condition is met, for example after the user adds an item to the shopping cart, completes a Ship To form, enters an invoice number, or logs in to their user account.

How to:

Use Feroot Inspector’s Access Insight Report: This report lists every script present on the page. Use it to confirm that each script loaded on your payment page is authorized and is necessary to accept a payment transaction.

Definition:

“Necessary” for this requirement means that each script has a written justification explaining why it is needed for the payment page to accept a payment transaction.

Maintain Script Inventory:

  1. Navigate to the Access Insight Report or Pages Report within Feroot Inspector to review all scripts.
  2. Export the script inventory to share with your QSA and/or to store in your master PCI record-keeping system.

Threat Assessment to Maintain Script Integrity:

Feroot Threat Intelligence continuously assesses scripts for vulnerabilities, malware, and connections to malicious hosts. This helps you confirm the integrity of each script on your payment page and detect a script that has been tampered with or that has started talking to a host it should not.

  1. Navigate to the Attack Surface Dashboard and/or Pages Report within Feroot Inspector to review scripts for the presence of:
  • Malware
  • Malicious hosts (scripts that are loaded from, or send data to, hosts associated with malicious activity)
  • Vulnerabilities

(Screenshot: Pages Report)

(Screenshot: Data Asset Report)

  2. Export the script inventory to share with your QSA and/or to store in your master PCI record-keeping system.

Step 2: Verify Script Authorization with Feroot Inspector

What You Need:

  • Feroot Inspector

How to:

Open Feroot Inspector’s Access Insight Report and select the payment form fields you want to review.

Export Inventory: Utilize the Access Insight Report to export a comprehensive inventory of all scripts running on your payment pages.

Justify Script Necessity: 

Document written justifications for each script’s presence on your payment page, ensuring you have a clear record of their necessity and authorization.

Step 3: Activate Alerts for Unauthorized Scripts with Feroot Inspector

What You Need:

  • Feroot Inspector’s Access Insight Report
  • List of authorized scripts

How to:

Keep Inventory Updated:

Regularly update your inventory of authorized scripts using the Access Insight Report and Page Details Scripts report.

Set Up Alerts:

Configure Feroot Inspector to alert you immediately if any unauthorized scripts or code are detected on your payment pages, ensuring rapid response to potential threats.

Step 4: Implement Feroot PageGuard for Enhanced Security

What You Need:

  • Feroot PageGuard

How to:

Activate Security Policy and Tag Controls: Use Feroot PageGuard to ensure that only necessary content, scripts, and code are loaded onto your payment pages. This minimizes the risk of unauthorized content and helps in eliminating unnecessary scripts that could be exploited.

For detailed instructions on setting up the PageGuard (Script Tag) Security Policy, see the User Documentation: https://app.feroot.com/docs/#/

Summary of Best Practices and Tips

  • Understand Script Functionality: Regularly review the functionality of all scripts on your payment page to ensure they are necessary for its operation.
  • Monitor for Unauthorized Script Behavior: Use Feroot’s tools to monitor scripts for any unauthorized behavior, such as data skimming or other malicious activities.
  • Stay Updated on PCI DSS Requirements: Keep informed about the latest PCI DSS requirements and ensure your compliance strategies evolve accordingly.

By following these steps and utilizing Feroot’s comprehensive security solutions, you can ensure that your payment pages are not only compliant with PCI DSS 4.0 requirement 6.4.3 but also offer a secure environment for your customers to conduct transactions.

