How Online Businesses Can Meet New Data Security Requirements
Rupesh Chokshi is Senior Vice President and General Manager of Akamai‘s Application Security Portfolio.
For businesses that handle payment card data, there’s a big deadline looming: March 31, 2025. That’s the date by which they are required to comply with all requirements of the latest version of the Payment Card Industry Data Security Standard, PCI DSS 4.0. Many of the updated requirements call for significant improvements in the area of application security, including application programming interfaces (APIs) and JavaScript applications.
PCI DSS is the global standard focused on strengthening payment card data security online. Why the update? While credit and debit cards have long been indispensable financial tools for consumers, they have recently become prime targets for bad actors seeking personally identifiable information (PII) they can sell or use to commit fraud.
PCI DSS 4.0 includes a number of important new requirements designed to meet today’s security challenges. With the deadline for compliance approaching, now is the time to ensure your protection checks all the boxes.
A Changing Threat Landscape
While payment cards have been around for eons, the threat landscape surrounding them has changed dramatically in recent years. With online commerce eclipsing brick-and-mortar shopping, retailers have deployed online services that rely on vast numbers of APIs to enhance the customer experience and support online transactions.
Increasingly, bad actors are employing a range of tactics to exploit API vulnerabilities in order to gain access to sensitive data. Indeed, our research at Akamai revealed that nearly 30% of web attacks in 2023 targeted APIs. Gartner predicts that API abuses and related data breaches will nearly double in 2024.
JavaScript represents another key area of vulnerability. An entire industry has grown up around web skimming with JavaScript. There are numerous publicly available tools for extracting data from website code. While these may be used for legitimate data analysis purposes, malicious skimmers that hide their identity are used to extract data for nefarious purposes.
These client-side attacks can skim payment card data from online checkout pages through malicious code injection in the browser. In 2022, 81% of large online retailers reported that their organizations were targeted by suspicious script behavior.
As these attacks become more prevalent, the perpetrators and their tactics have become increasingly sophisticated and difficult to detect—until they’ve already harvested the data.
The New PCI DSS Requirements
PCI DSS 4.0 includes 12 core data security requirements designed to keep pace with today’s cyber threat environment while promoting security as a continuous process.
To address the threats involving APIs, organizations will now be required to detect and mitigate suspicious API behavior and abuse, log API activity and implement responsive API protection measures. They must also identify and list all custom software, including third-party software, that they use. In total, there are at least eight sections of PCI DSS 4.0 dedicated to API security requirements.
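The logging and abuse-detection requirement above is easier to picture with a concrete check. The following is an added example, not code from the article or from Akamai: it runs simple detection logic over a constructed JSON-lines API access log and flags three patterns a reviewer would want alerted on: a burst of requests from one caller, one caller walking through many distinct resource IDs, and a caller whose requests are mostly rejected. All client keys, paths, thresholds and function names are hypothetical.

```javascript
// Added example: abuse detection over a constructed API access log.
// Each record keeps the fields an API activity log should retain:
// timestamp, caller identity, method, path and response status.
function logLine(ts, client, method, path, status) {
  return JSON.stringify({ ts: new Date(ts).toISOString(), client, method, path, status });
}

// Constructed sample traffic (hypothetical clients and endpoints).
const T0 = Date.parse("2024-09-01T10:00:00Z");
const sampleLog = [];
// key_A: a handful of ordinary requests
for (let i = 0; i < 5; i++) sampleLog.push(logLine(T0 + i * 10000, "key_A", "GET", `/v1/orders/${5000 + i * 7}`, 200));
// key_B: walks 30 consecutive order ids, one per second
for (let i = 0; i < 30; i++) sampleLog.push(logLine(T0 + i * 1000, "key_B", "GET", `/v1/orders/${2000 + i}`, 200));
// key_C: twelve requests, ten of them rejected with 401
for (let i = 0; i < 12; i++) sampleLog.push(logLine(T0 + i * 2000, "key_C", "POST", "/v1/payments", i < 10 ? 401 : 200));
// key_D: 60 requests in 30 seconds against one endpoint
for (let i = 0; i < 60; i++) sampleLog.push(logLine(T0 + i * 500, "key_D", "GET", "/v1/account", 200));

function parseLog(lines) {
  return lines.map((line) => {
    const e = JSON.parse(line);
    return { ...e, ts: Date.parse(e.ts) };
  });
}

// Collapse numeric path segments so /v1/orders/2000 and /v1/orders/2001 share a template.
function pathTemplate(path) {
  return path.replace(/\/\d+(?=\/|$)/g, "/{id}");
}

// Extract the first numeric path segment, or null when the path has none.
function pathId(path) {
  const m = path.match(/\/(\d+)(?=\/|$)/);
  return m ? m[1] : null;
}

// Largest number of requests falling inside any sliding window of windowMs.
function maxRequestsInWindow(tsSorted, windowMs) {
  let best = 0;
  let start = 0;
  for (let end = 0; end < tsSorted.length; end++) {
    while (tsSorted[end] - tsSorted[start] >= windowMs) start++;
    best = Math.max(best, end - start + 1);
  }
  return best;
}

function detectSuspiciousApiUse(entries, opts = {}) {
  const { windowMs = 60000, maxRequests = 50, maxDistinctIds = 20, maxAuthFailRatio = 0.5, minRequests = 10 } = opts;
  const byClient = new Map();
  for (const e of entries) {
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const alerts = [];
  for (const [client, reqs] of byClient) {
    reqs.sort((a, b) => a.ts - b.ts);

    // 1. Request burst from a single caller.
    const peak = maxRequestsInWindow(reqs.map((r) => r.ts), windowMs);
    if (peak > maxRequests) alerts.push({ client, type: "rate", peak, windowMs });

    // 2. Many distinct object ids requested under one path template.
    const idsByTemplate = new Map();
    for (const r of reqs) {
      const id = pathId(r.path);
      if (id === null) continue;
      const t = pathTemplate(r.path);
      if (!idsByTemplate.has(t)) idsByTemplate.set(t, new Set());
      idsByTemplate.get(t).add(id);
    }
    for (const [template, ids] of idsByTemplate) {
      if (ids.size > maxDistinctIds) alerts.push({ client, type: "enumeration", template, distinctIds: ids.size });
    }

    // 3. High share of authentication/authorization failures.
    if (reqs.length >= minRequests) {
      const failures = reqs.filter((r) => r.status === 401 || r.status === 403).length;
      const ratio = failures / reqs.length;
      if (ratio > maxAuthFailRatio) alerts.push({ client, type: "auth_failures", ratio: Number(ratio.toFixed(2)) });
    }
  }
  return alerts;
}

function runDetection() {
  return detectSuspiciousApiUse(parseLog(sampleLog));
}
```

Thresholds are deliberately plain numbers; in practice they would be tuned per endpoint, and the same three checks would run continuously against the live log stream rather than over a batch.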
There are also new requirements devoted to JavaScript security. Organizations will be required to ensure that public-facing web applications are protected against attacks and maintain an inventory of all JavaScript executing on payment pages, with written justification for why each script is necessary. In addition, unauthorized changes on payment pages must be detected and responded to, with change- and tamper-detection mechanisms that alert personnel to unauthorized changes.
These new requirements build upon the existing PCI DSS framework, which focused largely on controlling access to payment card data.
Meeting The Security Burden
Achieving and maintaining compliance with PCI DSS 4.0 requires a comprehensive approach to application security and protection.
Having full visibility into your landscape of APIs and your client-side attack surface through continuous monitoring is essential to protecting against potential vulnerabilities. Implementing secure API coding, testing and validation practices and performing regular security training for developers are other critical best practices.
In addition, organizations must have the ability to monitor, detect and respond to suspicious API and JavaScript behavior in real time. All of these capabilities will need to be in place by the March 2025 deadline.
With so many new requirements, will your organization have the bandwidth to implement protection and mitigation strategies in time to meet the compliance deadline? Will you build or buy a solution? How will the new standard affect your operations? What ability will you have to ensure ongoing risk mitigation? Partnering with experts in application security, including API and client-side protection, can help you meet the challenge of PCI DSS compliance while strengthening your defenses.
As the PCI DSS 4.0 deadline approaches, it’s important to remember that it’s not just about compliance—it’s about safeguarding your customers’ data and your company’s valuable reputation. With API and JavaScript-based attacks occurring every day, there’s not a moment to lose.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.