Source Defense Releases Free Platform Directly Addressing New PCI DSS 4.0 Requirements

Solution provides millions of merchants with the ability to easily go above and beyond complex new requirements for website security and monitoring designed to combat data theft and leakage. PCI Qualified Security Assessors (PCI QSAs) and security assessors also now have a free solution for proactively assessing gaps in compliance for their clientele.


NEW HAVEN, Conn. and ROSH-HA’AYIN, Israel and GRAPEVINE, Texas, June 06, 2023 (GLOBE NEWSWIRE) -- Source Defense, the pioneer and market leader in web application client-side protection and data privacy compliance, today announced the immediate availability of a free solution to address strict new requirements for website security and monitoring found in version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS 4.0). Unveiled during the National Retail Federation (NRF) Protect event, this new platform gives merchants of all sizes, and across industries, the ability to assess, continually monitor and demonstrate compliance with sections 6.4.3 and 11.6.1 within PCI DSS 4.0. As well as direct requirement coverage, the platform offers assessors additional intelligence and support for their PCI DSS assessment lifecycle, including enrichment to vulnerability and gap analysis, integrity analysis, penetration testing, and security risk assessment. Registration for the platform is available here.

Specifically, merchants and assessors using this free Source Defense platform will be able to:

  • Inventory – provide an inventory of every script running on their payment pages, including a method for monitoring for and tracking any additions (required under PCI DSS 4.0 – 6.4.3)
  • Justification – provide a mechanism for seeking, documenting and managing justification of any scripts on payment pages (required under PCI DSS 4.0 – 6.4.3)
  • Integrity monitoring – address the stringent requirement for weekly integrity monitoring of HTTPS headers and scripts found on payment pages (required under PCI DSS 4.0 – 6.4.3)
  • Alerting and blocking – alert to suspicious and malicious activity found within scripts on payment pages, feed alerts to security teams for blocking (required under PCI DSS 4.0 – 11.6.1). Automatic blocking of malicious behavior is also possible in broader Source Defense deployments.
  • Reporting and enrichment – feed findings with one-click reporting to other elements of the PCI assessment lifecycle such as vulnerability analysis, integrity analysis, penetration testing and security risk assessments
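As an added illustration of what the inventory, justification and integrity checks behind requirements 6.4.3 and 11.6.1 look like in code (example code, not Source Defense's platform; every URL, script body and hash below is constructed):

```python
import hashlib
import re

# External script references on a page; inline <script> bodies are out of scope here.
SCRIPT_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


# Constructed 6.4.3 inventory: each authorised payment-page script, its written
# business justification, and the hash of the body that was reviewed and approved.
APPROVED_CHECKOUT_JS = b"window.checkout = function () { /* constructed */ };"
APPROVED_ANALYTICS_JS = b"window.track = function (e) { /* constructed */ };"
INVENTORY = {
    "https://shop.example/static/checkout.js": {
        "justification": "first-party payment form logic (constructed)",
        "sha256": sha256_hex(APPROVED_CHECKOUT_JS)},
    "https://cdn.example/analytics.js": {
        "justification": "approved analytics vendor (constructed)",
        "sha256": sha256_hex(APPROVED_ANALYTICS_JS)},
}

# Constructed observation of the live page (what a weekly 11.6.1 check would fetch):
# the HTML served plus the body actually delivered for each referenced script.
OBSERVED_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://cdn.example/widget.js"></script>
</head></html>"""
OBSERVED_BODIES = {
    "https://shop.example/static/checkout.js": APPROVED_CHECKOUT_JS,
    # vendor script changed since review: body no longer matches the approved hash
    "https://cdn.example/analytics.js": APPROVED_ANALYTICS_JS + b"\nwindow.track(document.forms);",
    "https://cdn.example/widget.js": b"/* constructed: never reviewed or justified */",
}


def assess(html: str, bodies: dict, inventory: dict) -> list:
    """Return (kind, script_url, detail) findings: scripts with no inventory entry,
    inventoried scripts whose served body differs from the approved hash, and
    inventoried scripts that have disappeared from the page."""
    findings = []
    seen = SCRIPT_RE.findall(html)
    for src in seen:
        entry = inventory.get(src)
        if entry is None:
            findings.append(("UNAUTHORISED", src, "no inventory entry or justification"))
            continue
        observed = sha256_hex(bodies.get(src, b""))
        if observed != entry["sha256"]:
            findings.append(("INTEGRITY_CHANGE", src, "served hash differs from approved hash"))
    for src in inventory:
        if src not in seen:
            findings.append(("MISSING", src, "inventoried script not found on page"))
    return findings
```

Running `assess(OBSERVED_HTML, OBSERVED_BODIES, INVENTORY)` flags the unreviewed widget.js as unauthorised and the modified analytics.js as an integrity change; the same hash comparison can be applied to the page's response headers for the 11.6.1 tamper-detection check.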

The new requirements in PCI DSS 4.0 were added in response to the growing and persistent threat of Magecart/eSkimming/Digital Skimming attacks over the past few years. Visa’s Spring 2023 Biannual Threats Report highlighted the severity of this issue, pointing to a 176% increase in these attacks in the 6-month period analyzed. These attacks represent a major third-party supply chain risk which has led to materially adverse impact on thousands of companies over the past decade. One of the largest and least quantified business vulnerabilities lies in website use of client-side JavaScript. Client-side code, delivered in real-time by third-party (as well as fourth and nth party) supply chain partners, helps drive and enhance the website user experience, increase engagement, and drive analytic insights. Typical web properties rely on as many as fifty of these supply chain partners. As this supply chain is composed entirely of unmanaged and unprotected shadow code, website owners are unaware of both the normal and potentially malicious behavior these partners introduce in every web session.

In a “best-case” scenario, this shadow code introduces the potential for data privacy compliance violations due to unauthorized capture and sharing of data. In the worst-case scenario, it effectively acts as the soft underbelly for adversaries on any modern website. Source Defense prevents more than 9 billion policy and security violations per year for its clients alone. Extrapolating that data to the millions of websites that remain unprotected around the world, the risk is both ubiquitous and staggering in nature.

“We exist to put an end to the theft and leakage of sensitive data from modern websites,” said Ross Hogan, Chief Executive Officer at Source Defense. “Our mission could not be more important at current, as this problem is ubiquitous across the world. We have a commercial solution to the problem which is simple, effective and places virtually no additional burden on already burdened Security teams. It only seems right that we make a free version of this solution available to help organizations not only comply with PCI DSS 4.0 – but get on a path to stopping data theft and leakage outright.”

This free PCI DSS 4.0 compliance solution can be found at the Source Defense website by following this hyperlink.

About Source Defense
Source Defense is a security and data privacy compliance platform for any website that collects sensitive data or is transaction oriented. It addresses a ubiquitous gap in the management of third-party digital supply chain risk with a model that extends security beyond the network to the client-side. As the market leader in web application client-side protection, Source Defense provides real-time threat detection, protection and prevention of vulnerabilities originating in JavaScript. The patented Source Defense Platform offers the most comprehensive and complete solution to address threats and risks originating from the increased use of JavaScript, third-party vendors, and open-source code in websites today. Source Defense solutions are deployed by leading Fortune 500 enterprises in the Financial Services, Retail, eCommerce, and Healthcare markets. Headquartered in Israel with branches across the US and a strong community of global valuable partnerships, Source Defense is the most innovative, reliable, and trusted partner in the fight against website data theft and leakage.

Stephen Ward 
steve@sourcedefense.com 
+1-703-994-9349