top of page
  • Writer's pictureKelsie Papenhausen

Jscrambler Achieves PCI DSS Version 4.0 Compliance

Jscrambler’s External Assessment Reinforces Commitment to Client-Side Protection and Providing Secure Environments as a Trusted PCI Service Provider     


PORTO, Portugal, Tuesday, December 19th, 2023--Jscrambler, the pioneering platform for client-side protection and compliance, today announces it has been assessed as compliant with PCI DSS v4.0  following an external assessment by Advantio, a leading Qualified Security Assessor (QSA), signifying the high-security standards Jscrambler’s platform and environment meets. This achievement, ahead of the April 1st, 2024 deadline for meeting the new standard underpins Jscrambler’s dedication to protecting its customers' sensitive data and ensuring the security of their financial transactions. 


To be assessed as compliant with PCI DSS, companies must demonstrate the ability to protect both their assets and their clients. While Jscrambler does not store, process, or transmit cardholder data, Jscrambler does provide an agent that is present on customer payment pages. Service providers that can affect the security of cardholder data are considered in the scope of PCI DSS v4.0. 


“We believe that ideally, every location where a browser loads JavaScript on the payment page should undergo a service provider assessment because that JavaScript can be compromised to leak payment card data,” explains Rui Ribeiro, CEO and Co-founder, Jscrambler. “As a service provider to merchants who have PCI DSS obligations, we are focused on creating a secure environment for our customers' financial transactions and their business. This means not only understanding and helping them to meet compliance mandates but also having full confidence in our ability to meet the requirements as well.”


He continued: “Everyone that plays a role in the payment’s ecosystem, and the solutions and applications that process these payments, have a shared responsibility in securing transactions so that the consumers can have confidence that their data and privacy are taken seriously. Whether you are a solution vendor, service provider, PSP, or merchant, it is imperative that you take the appropriate measures to validate the security of, and mitigate any risks associated with, online payments and payment pages.”


The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a set of requirements for protecting Cardholder Data. Version 4.0 represents the state of the art in terms of cyber security and demonstrates a commitment to ensuring the protection of customer’s data. The requirements listed in PCI DSS v4.0 will mandate that the businesses that handle (store, process or transmit) or who could affect the security of payment data implement a set of controls (technical, physical and human) to protect such data. PCI DSS compliance must be renewed annually to ensure continued compliance with the security standard. This is an ongoing commitment that reflects dedication to data protection and transaction security. 



New PCI DSS v4.0 Requirements Attempt to Mitigate Expanding Surface Area Risk


JavaScript has become the building block of nearly every modern-day web page. While it can serve many purposes, it can also deliver unprecedented and sometimes unseen security risks that last for months, should it not be monitored properly. The introduction and widespread use of third-party JavaScript is one example, as online businesses increasingly struggle to maintain complete visibility and control over these scripts. Earlier this year, Jscrambler found that 80% of the 20 most highly trafficked US  e-commerce websites had an average of 148 JavaScripts on their payment pages. For these reasons and more, PCI DSS has included specific requirements (6.4.3 and 11.6.1) designed to minimize this increasing attack surface area, manage all JavaScript executing on payment pages, and detect any tampering or unauthorized changes to the payment page that can result in leaking of the cardholder data. 


Jscrambler is fully committed to PCI DSS, with its Co-founder and CTO, Pedro Fortuna, serving as a member of the PCI SSC Board of Advisors and recently having been added as a Principal Participating Organization. With Jscrambler having been externally assessed as compliant with PCI DSS v4.0, clients of Jscrambler can reliably utilize the Jscrambler Client-Side Protection Platform to both protect cardholder data that is entered into a customer’s web page from skimming attacks and to meet the PCI-DSS v4.0 requirements 6.4.3 and 11.6.1. These new requirements are currently considered ‘best practice’ until April 2025 when they become mandatory. Implementing the new requirements will ensure that merchants can prevent and detect unauthorized changes to JavaScript code. For this reason, service providers and merchants must prepare for PCI DSS v4.0 as they can impact the security of the cardholder data environment (CDE). 


To find out more about the potential impacts of first and third-party JavaScript on payment pages, read Jscrambler’s most recent blog post, Are Non-PCI Compliant Scripts Putting Your Business at Risk?


Customers, prospects, and partners may receive the Jscrambler Attestation of Compliance (AOC) report upon request by contacting their account manager.


The QSA company in charge of this project has been Advantio, an Integrity360 company, with over ten years of experience providing PCI consultancy and formal validation services worldwide via a large team of multilingual subject matter experts.

 

"Jscrambler offers a robust security solution, setting a high standard and expecting nothing less. We believe that merchants and service providers utilizing Jscrambler will find it effortless to maintain the integrity of their websites without compromising functionality," said Manuel Fernandez, Regional Sales Director, Advantio, an Integrity 360 company. "We highly recommend every service provider delivering a script on a merchant's site to consider the potential impact on the Cardholder Data Environment. Compliance with PCI DSS version 4.0 is imperative for ensuring a secure environment."


Additional Resources

About Jscrambler 

Jscrambler is the leading Client-Side Protection and Compliance Platform. We were the first to merge advanced polymorphic JavaScript obfuscation with fine-grained third-party tag protection. Our integrated solution ensures a robust defense against current and emerging client-side cyber threats, data leaks, misconfigurations, and IP theft, empowering software development and digital teams to innovate securely. The Jscrambler Code Integrity product safeguards first-party JavaScript through state-of-the-art obfuscation and exclusive runtime protection. The Jscrambler Webpage Integrity product mitigates threats and risks posed by third-party tags all while ensuring compliance with the new PCI DSS v4.0 standard. With Jscrambler, businesses adopt a unified, future-proof client-side security policy all while achieving compliance with emerging security standards. Trusted by digital leaders including Netflix, SAP, Electronic Arts, Canal+, Gap, and Swisscom, Jscrambler gives businesses the freedom to innovate securely.

Comments


bottom of page