The Ongoing Battle to Protect Consumer Payment Card Data

Buying goods online is second nature to most of us. Using our payment card whilst we shop online rarely gives us pause, and the many millions who buy online generally trust the system. 

However, the recent busy shopping season means it’s a good time to remind ourselves that there is an ongoing battle to make sure that the payment card data of your customers remains secure.

Some History

The war between criminal gangs and the payment industry has been raging for some time. In the early days and now, criminals stole cardholder data from internet-connected point-of-sale (POS) systems to make their own fraudulent transactions. The payment industry responded to this type of attack by creating the Payment Card Industry (PCI) Data Security Standard (DSS). It outlined the security measures that should be in place to protect payment card data from criminals.

With merchants now more security savvy, they set out to bolster their POS systems against attacks. Criminals then sought out the locations where merchants stored cardholder data. However, merchants eventually got rid of such legacy data stores and selected PCI DSS technical controls to bolster security in locations where payment card data was now sorted and managed. Criminals went back to the drawing board.


This back-and-forth between criminal gangs and the payment industry continues to this day. Even as technology evolves favoring merchants, criminals always seem to bounce back with a new modus operandi  — indeed, they have moved on from attacking merchants directly to skimming card data from the consumer browser.

Cybersecurity practices  have come on in leaps and bounds in the last decade. Ecommerce merchants now typically send payment data from the customer’s own browser directly to the payment processor. This leaves the consumer’s browser as the most target-rich zone for cybercriminals.  

These attacks are largely invisible to both the cardholder and the merchant, so criminals are still successful  with them. Widely reported examples of such attacks include Macy’s where huge numbers of customers were notified that their cardholder data had been stolen.  Ecommerce skimming attacks still make up  the bulk of attacks against payment card data.

The JavaScript Conundrum

Modern web pages rely heavily on the scripting language known as JavaScript. It fuels the  interactive web experience we all enjoy today. And whilst JavaScript brings interactivity to a website, it also enables that interactivity to be malicious. If a criminal wants to skim data from a consumer’s web browser they merely have to get the consumer’s browser to load and execute their own JavaScript. Once installed, criminals have access to everything that is entered by the consumer. Keystroke information revealing payment card data can be quietly sent to a criminal server located anywhere.

So how do criminals accomplish this malicious upload? Well, they can either directly attack the infrastructure of the merchant, or they can hijack third parties that the merchant relies on to provide JavaScript to the consumer browser. It is common these days for a high percentage of ecommerce website scripts to be constructed from third-party suppliers — greatly increasing the number of locations that criminals can use. By compromising just one of these locations, their malicious payload can be added to the JavaScript loaded by the browser of the target merchant’s customer.

Standards to the Rescue?

The payment card industry has not sat still in the face of the threat of attack by criminal gangs. Their security standard (PCI DSS) is a contractual baseline for anyone that wants to accept payment cards, and is revised regularly to take into account both technological change and criminal attack methodology.

The latest iteration includes two requirements that are designed to curb the rise in skimming attacks. The first new requirement sets out to reduce the number of places that criminals are able to add malicious scripts. Merchants need to authorize and minimize the number of individual scripts that are loaded on payment pages and record all of this information within an inventory.

The second requirement relies on detection — a solution that can quickly detect malicious actors. It relies on making sure that merchants are alerted when new or changed scripts are detected in the page where the consumer enters their cardholder data. In this way, the merchant is able to validate the integrity of any new or changed script. 

The new version of PCI DSS will give the advantage to merchants in their ongoing battle against cybercriminals. Better standards and improving technology are efficient weapons to thwart criminals in their endeavors. History has shown that when a new standard is released (and industry adopts the requirements accordingly), classes of criminal attacks are significantly reduced. This is positive news, but we can never rest against an enemy who is always looking to change tack.

John Elliott specializes in regulated security and data protection. He’s represented both Visa Europe and Mastercard on the PCI Security Standards Council and contributed to many of the PCI standards, including most recently PCI DSS v4. Elliott has led aviation and financial services InfoSec and data protection functions and has recently embraced the role of Security Advisor at Jscrambler.

Feature Your Byline

Submit an Executive ViewPoints.

Featured Event

Join the retail community as we come together for three days of strategic sessions, meaningful off-site networking events and interactive learning experiences.


Access The Media Kit


Access Our Editorial Calendar

If you are downloading this on behalf of a client, please provide the company name and website information below: