Web skimming, PCI 4.0, and eCommerce merchants: Everything SaaS companies need to know

Updated on May 22, 2024

thief behind computer

When it comes to the realities of data breaches in 2024, eCommerce merchants are predominantly being attacked. And because most breached merchants do not publicize their compromises, many small and medium sized businesses (SMBs) are unaware of this looming threat.

Sadly, when it comes to a data breach, it’s not a matter of if, but when. We don’t share this sentiment to scare you, but rather to inform and prepare you for the changing PCI 4.0 eCommerce requirements, so you can do the same for your customers.

Short on time? Here are key takeaways:

  • Data breaches are on the rise, particularly for SMBs.
  • PCI DSS 4.0 includes more stringent controls to help protect SMBs against rising online payment fraud.
  • Payrix partners can help protect and prepare their SMB merchants for PCI DSS 4.0 with SaferPayments, a Worldpay product.

Cyber criminals are launching sophisticated attacks on SMBs, where in most cases, the impacted merchants don’t know they’ve been compromised until someone outside of their organization has notified them.

According to the latest Cost of Data Breach report by IBM, in 2023, the average time to identify a breach was 204 days (or 6+ months) and the average time to contain a breach was 72 days (or 2+ months). When a breach can take months to identify and contain, all cards being accepted by a merchant are likely at risk.

As your merchants trusted software provider, it is your duty to help them adhere to good data security practices, such as those outlined in PCI DSS, to help them understand and prevent cyber-attacks and other compromises from happening in the first place. Protecting customer payment card information from unauthorized use, exposure, and potential fraud is key in delivering the trust your merchants and their cardholders expect.

In this blog, we walk you through the changes to the Merchant SAQ A in PCI 4.0. These additional requirements were added to reflect the changing risk landscape and better protect eCommerce SMBs from potential compromises, like web skimming. Some of the requirements go into effect in 2024, and others must be met by 2025, so ensuring you and your merchants are up to speed is business critical.

What is web skimming?

Web skimming is when an attacker compromises a third- or fourth-party vendor and adds malicious code with skimming functions to third- or fourth-party script. When the consumer or cardholder loads their browser, JavaScript executes simultaneously. This is undetectable to the naked eye, as the consumer will see the merchant’s payment page. However, behind the scenes, the card data is being copied and sent to the attacker along with the payment service provider.

Web skimming attacks are compromising eCommerce merchants frequently, even though it is not openly discussed. Matters are further complicated, because most eCommerce sites are outsourced and therefore, the merchant does not have direct control over the payments page. As a result, some merchants believe there is nothing they can do to protect themselves from a breach, but Payrix and Worldpay urge against this frame of thinking.

We’re seeing exactly this scenario where it seems like since you don’t have the checkout page, you’re not controlling the frames that are actually collecting the card data, there’s not a whole lot you need to do. But in reality, there are some basic controls that you need to put in place on this environment to protect against this type of attack. And we’ve seen it with a number of our SaaS company partners with host to checkout implementations but they’re still getting attacked. Judy Haggerty Compliance Analyst II, Payment Data Security at Worldpay

eCommerce impacts: A closer look at PCI DSS 4.0 SAQ A requirements

PCI DSS 4.0 includes more stringent controls to help protect SMBs against rising online payment fraud.

The latest SAQ A requirements outlined in PCI DSS 4.0 are designed to properly protect merchants that wholly outsource all data functions (including eCommerce) to a software provider, such as yourself. The payment set up may look like a URL redirect or iFrame integration.

URL redirects and iFrame integrations are considered in scope for PCI DSS because they can have an impact on how payment card data is being transmitted and processed by the payment service provider. Therefore, it’s essential to protect this infrastructure with the appropriate controls.

Merchants (or software companies managing eCommerce infrastructures on a merchant’s behalf) need to ensure the SAQ A requirements are in place to ensure adequate compliance. Remember, these new requirements are intended to better protect eCommerce websites and SMBs from the threat of web skimming attacks.

PCI DSS 4.0 – SAQ A: Requirements applicability

To web servers integrating URL redirect and iFrame, Requirements 2, 6, 8, 11, and any that refer to the cardholder data environment or CDE are required.

The following requirements are already in place and applicable:

  • Requirement 2: Manage vendor default account(s) and passwords
  • Requirement 6: Vulnerability (security patch) management
  • Requirement 8: Identification, password/authentication, and account management requirements for non-consumer users and administrators

The following requirements must be met by March 31, 2024:

  • Requirement 6: Security vulnerability identification and risk ranking
  • Requirement 8: Password/passphrase management and length requirements
  • Requirement 11: External vulnerability scanning: ASV scans at least every 3 months, and scans after significant change

The following requirements must be met by March 31, 2025:

  • Requirement 6: Manage payment page scripts loaded and executed in the consumer browser
  • Requirement 8: Minimum 12 character (8, if not supported) alphanumeric passwords/passphrases
  • Requirement 11: Change- and tamper-detection mechanism to detect and alert on unauthorized modification to payment pages as received by the consumer browser

These requirements are always applicable to the merchant:

  • Requirement 3: Protect stored account data
  • Requirement 9: Secure media with account data
  • Requirement 12: Information security policy, manage service providers, incident response plan

This is not an exhaustive list of the new PCI DSS 4.0 requirements for merchants. If you’d like to delve deeper into PCI DSS 4.0, we have curated some helpful resources for you here.

Helpful PCI DSS resources for you to explore 

Protect and prepare your SMB merchants for PCI DSS 4.0 with SaferPayments 

PCI compliance, web skimming, and data breaches present serious and involved work for merchants. As their day-to-day management software platform of choice, you can help deepen your relationship with your merchants and help them validate PCI compliance more efficiently and effectively with purpose-built security tools.  

Take SaferPayments, for example. SaferPayments is a Worldpay product that has been adopted by thousands of merchants using Integrated Payments and independent sales organizations (ISOs) for many years. Today, software companies that partner with Payrix can offer this robust security product offering to their merchants, so they can ensure PCI compliance and prevent data breaches and fraud attempts. SaferPayments offers unique security tools and expert support that can help your merchants uncover risks, complete their PCI attestation, and reduce liability with ease. Learn more about our payment processing solutions and simplifying PCI with SaferPayments.

Discover how SaferPayments can help you stay up to date with PCI compliance

Payment experiences designed for your software

Unleash powerful Embedded Payments technology that delivers on a better experience.