Third-party scripts in e-commerce websites: is payment data at risk?

Digital skimming attacks targeting eCommerce websites and third-party scripts are common. Is payment data at risk? No, if your JavaScript is protected.

These high numbers of fraud, data leakages, and other data skimming attacks occurred because of unprotected JavaScript running on the payment page. More than 99% of all websites use JavaScript in some form, as it serves many purposes. Some directly and others via a third-party vendor.

JavaScript powers the web because of its versatility. It provides a form to collect data, enables functionality like tag managers or content management systems, or can be used to build the entire website. Because it is pervasive, the Jscrambler security team wanted to explore the impact of this third-party code (in scripts) present on e-commerce websites.

Most organizations don’t have visibility into the third-party JavaScript that loads at runtime on their website. This massive blind spot can lead to stolen data, loss of revenue and reputation, and heavy fines.

Why is the research about Third-Party risk on E-commerce websites important?

The main goal of the research is to highlight the importance of having visibility and control over the scripts that are present on the payment pages, especially on e-commerce websites.

Popular e-commerce sites in North America and Europe were selected for analysis to understand the scope of the problem and potential points of failure. We looked at the number of scripts on the payment pages controlled by third parties.

Examples of third-party applications targeted by attackers

• Live chatbots;

• Advertising scripts;

• Marketing tags;

• Marketing forms;

• Open source code libraries;

• Other elements loaded by the user’s browser.
  
  

Research results, developed by Jscrambler

Our findings indicate that the possible attack surface is huge unless these sites find a way to identify, monitor, and control the behavior of third-party Scripts.

For these reports, 20 highly trafficked e-commerce websites with more than $50 million in revenue were selected. They are from diverse industries, including health, personal care, retail, groceries, home goods, consumer electronics, and airlines.

The data collected focused on the payment pages. All data was collected using Jscrambler’s Webpage Integrity, a holistic solution to detect and block, in real-time, malicious behavior on the client side of web applications.

Highlights

Consider the potential damage if even one script is compromised; now multiply that by 100. Some of these e-commerce companies register hundreds of third-party scripts on their payment pages. We are witnessing a level of risk that demands action.

Third-Party Risk in Top 20 US E-Commerce Websites

• 60% of the analyzed websites have more than 10 different vendors on their payment pages.

• On average, 148 scripts are being loaded on the payment page; of these, 58% are third-party.

• One of the analyzed websites did not allow the retrieval of data.
  

Third-Party Risk in Top 20 EU E-Commerce Websites

• 80% of the analyzed websites have more than 10 different vendors on their payment pages.

• On average, 132 scripts are loaded on the payment page, and of these, 97% are third-party.

• All websites allowed the retrieval of data.

In general, it’s important for website owners to carefully consider the use of third-party scripts and to only include those that are necessary for the website to function properly.

Implementing an automated client-side security solution will help in the process of continuously monitoring these “foreign” scripts. Such a solution can also help the website comply with mandatory or recommended regulations.

Preventing Digital Skimming Attacks: What Should Be Done?

Companies need to adopt a proactive approach to client-side security, restricting the behaviors of website scripts to prevent them from tampering with forms and/or leaking sensitive data.

The dynamic nature of the web and JavaScript itself, and because there’s so much sensitive data being handled on the client side, demands that security can’t be treated as an afterthought.

Jscrambler's Approach to Client-Side Security

Jscrambler’s Webpage Integrity (WPI) is a holistic solution to detect and block, in real-time, unauthorized behavior on the client side of web applications.

It prevents the leaking or scraping of sensitive data and protects against web supply chain attacks. WPI also addresses both of the new requirements in PCI DSS version 4.

The PCI DSS v4 New Requirements and Client-Side Security

Regulations and standards that aim to protect Personally Identifiable Information (PII) are becoming increasingly prominent, especially regarding the protection of payment pages.

The Payment Card Industry (PCI) Data Security Standard (DSS) emerges as a highlight standard for all organizations that store, process, or transmit payment card data, and its latest version, 4.0, was released in March 2022. It has 64 new requirements that organizations seeking compliance must fulfill.

To curtail skimming (Magecart) attacks, two of these requirements focus on the integrity of pages where payment is taken. These are:

• Requirement 6.4.3 demands that entities manage the JavaScript on payment pages. All JavaScript must be detailed in an inventory, be necessary for the payment page, be approved, and have its integrity assured.
  
  

• Requirement 11.6.1 requires changes to scripts and page headers to be detected on payment pages, and the appropriate alerts generated.

E-commerce companies need to focus on gaining visibility into the JavaScript that’s loaded into their web pages because the risk of each third-party script shouldn’t go unnoticed. Each malicious script should be blocked and deactivated.

Try a free trial to gain visibility over your E-commerce website scripts with Jscrambler's Webpage Integrity solution.

Learn more about how Jscrambler can help you effectively manage third-party risk, mitigate payment data risks to your organization, and defend your business from client-side attacks.