Legacy Stripe API Exploited: Why PCI DSS Requirement 6.4.3 is Critical for Payment Security

The digital payment ecosystem is under constant attack, and a recent campaign exploiting a legacy Stripe API has brought a new level of urgency to securing payment pages. Cybercriminals used this API to validate stolen credit card details, combining it with malicious scripts injected into payment pages to skim sensitive data. This attack highlights the evolving sophistication of skimming campaigns and the critical need for compliance with PCI DSS Requirement 6.4.3.

The Attack: A Wake-Up Call for Payment Security

In this campaign, attackers exploited a legacy Stripe API to validate stolen card details in real time. By injecting malicious JavaScript into payment pages, they were able to skim sensitive payment information directly from users. This attack was particularly dangerous because it could evade detection by only exfiltrating valid card data, ensuring the stolen information was immediately usable.

This incident underscores the vulnerabilities that can arise when legacy APIs and unsecured client-side scripts are not properly managed. It also demonstrates why the PCI DSS v4.0 Requirement 6.4.3 is a game-changer for payment security.

What is PCI DSS Requirement 6.4.3?

PCI DSS Requirement 6.4.3, introduced in version 4.0 of the standard, focuses on securing client-side scripts that execute on payment pages. It requires organizations to:

  • Maintain an inventory of all scripts running on payment pages.
  • Justify the necessity of each script.
  • Implement controls to ensure that only authorized scripts are loaded and executed in the consumer’s browser.

This requirement is designed to address the growing threat of JavaScript-based skimming attacks, like the one targeting the Stripe API. By enforcing tighter controls over client-side scripts, businesses can significantly reduce the risk of such attacks.
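As an added illustration of the third bullet (a control that checks what actually runs on the payment page against the inventory), here is a small audit that is not part of the original article: it parses a checkout page, identifies external scripts by URL and inline scripts by an SRI-style sha384 hash, and reports anything not in the inventory. The inventory, the page, the justifications and the `cdn.example.invalid` URL are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(body: str) -> str:
    """SRI-style digest, the form used in <script integrity> and CSP hash sources."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

class ScriptCollector(HTMLParser):
    # Records every <script>: external ones by src URL, inline ones by body hash.
    def __init__(self):
        super().__init__()
        self.scripts = []    # identifiers in page order
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(sri_hash("".join(self._inline)))
            self._inline = None

def audit_payment_page(html: str, inventory: dict) -> list:
    """Return the scripts on the page that are absent from the authorized inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    return [s for s in collector.scripts if s not in inventory]

# Constructed inventory for a hypothetical merchant: identifier -> written justification.
CHECKOUT_BOOTSTRAP = "var stripe = Stripe('pk_test_PLACEHOLDER');"
INVENTORY = {
    "https://js.stripe.com/v3/": "Stripe.js, needed to tokenize card data in the browser",
    sri_hash(CHECKOUT_BOOTSTRAP): "inline bootstrap that initialises Stripe.js",
}
# Constructed page: both authorized scripts plus one that is not in the inventory.
PAGE = ("<html><body><script src='https://js.stripe.com/v3/'></script>"
        f"<script>{CHECKOUT_BOOTSTRAP}</script>"
        "<script src='https://cdn.example.invalid/analytics.js'></script></body></html>")
```

`audit_payment_page(PAGE, INVENTORY)` returns only the analytics URL, which is how an injected script surfaces under this control; any edit to an approved inline script changes its hash and is flagged the same way.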

Why Compliance is Non-Negotiable

The consequences of non-compliance with PCI DSS can be severe. Beyond the risk of data breaches, businesses face potential fines, reputational damage, and loss of customer trust. The recent Stripe API attack is a stark reminder of the importance of securing payment pages and adhering to the latest security standards.

Even if you use a PCI-compliant payment processor like Stripe, your organization is still responsible for addressing potential gaps in your security posture. As noted in Stripe’s own documentation, businesses must ensure that their integration and client-side scripts meet PCI DSS requirements to avoid vulnerabilities.

With PCI DSS v4.0 compliance becoming mandatory in 2025, now is the time to act.

You can read more about this story here.

About Author

Chad Barr

Chad Barr is a visionary and executive leader, blending over two decades of expertise with a unique ability to demystify complex technical concepts. As a cybersecurity leader, prolific author, and director at AccessIT Group, Chad has empowered organizations across diverse industries to build resilient security frameworks. His engaging writing, speaking engagements, and thought leadership inspire proactive cybersecurity practices, making him a trusted voice in the ever-evolving digital landscape.