Formjacking and PCI 4.0: What it is and why you should care
What is Formjacking?
Also known as web skimming, e-skimming, or a magecart attack, formjacking is a technique that allows hackers to spy and capture sensitive data, like credit card information, from users on a legitimate web page.
What’s most insidious about formjacking is that these attacks don’t interrupt the submission or downstream processes. In other words, a customer could complete a transaction on a retailer’s website without knowing that the theft occurred.
How does formjacking work?
A web page is composed of a few different types of code. HTML lays out the structure and content of the page, CSS defines its appearance, and scripting languages, such as JavaScript or PHP, add interactivity. An attacker inserts a script either directly into the page's HTML or into a standalone file that the page loads.
Formjackers inject malicious scripts into the code of a web page via some means, like exploiting a cross-site scripting (XSS) or remote code execution (RCE) vulnerability or gaining access to the web server or development environment. Regardless of the “how,” the attacker then adds a malicious script to the web page. The rest is a waiting game.
When a user enters their payment card information into the checkout page, the formjacking code executes, collects these details, and sends them to an attacker to use or sell them to others.
Case Study: British Airways and the Magecart attack
Formjacking is also commonly referred to as a Magecart attack. The name comes from one of the most prolific and successful distributors of formjacking malware, Magecart, and the technique took center stage in 2018 when the group's malicious software was used against British Airways. The attack affected approximately 380,000 customers and would go on to make history as the largest General Data Protection Regulation (GDPR) fine assessed to date: $200 million. (This was later reduced to around $26 million in 2020.)
The breach began with a supply chain attack against a third-party provider, which enabled the attackers to access the British Airways network and modify the source of the payment page. The injected code then sent customers' card details to a server under the attackers' control.
Protecting against formjacking attacks on payment pages with PCI 4.0
The Payment Card Industry Data Security Standard (PCI DSS) outlines the protection requirements entities must meet to store, transmit, or process card payments. While the burden of PCI can be heavy, it's hard to argue with its role in building the trust consumers need to transact online safely. Failure to comply can lead to heavy fines, reputational loss, and denial of processing services.
As such, updates to PCI DSS force companies to implement security protections that might otherwise get deprioritized. The new PCI DSS 4.0 version was rolled out earlier this year. It takes direct aim at the security gaps that formjacking exploited in the British Airways attack, gaps that version 3.2.1 left unaddressed, by introducing two new sub-requirements.
- Requirement 6.4 aims to protect the payment page's integrity by requiring controls to prevent attacks and remove the possibility of unauthorized scripts running on the payment page.
- Requirement 11.6 aims to detect and respond to unauthorized changes made to the payment page by requiring controls to monitor and alert for changes to the payment pages.
If you own a payment page, both will require validation during your annual assessment once they come into force in March 2024.
Companies can take steps today to protect themselves from formjacking and achieve PCI 4.0 compliance by:
- Using hosted iframe solutions: Collecting sensitive data with specialized forms that are hosted and generated independently of your website is one of the most popular ways to de-risk yourself from formjacking. Because the form lives in a separate origin, malicious scripts on your web page cannot see or capture the sensitive information a customer provides.
- Monitoring changes to the payment page: To deploy an e-skimmer, a formjacker must add malicious code to an organization's website. Monitoring website code for unauthorized changes and implementing strong change management practices can help with rapid detection and remediation of attempted attacks.
- Scanning systems for vulnerabilities: Attackers commonly gain the access needed to install e-skimmers by exploiting XSS and other vulnerabilities. Companies can shrink the window during which an attacker can exploit a flaw by regularly performing vulnerability scans and promptly installing patches and updates when they become available.
- Scanning payment pages for vulnerabilities: Web page code should undergo regular scans in both development and production environments. In addition to identifying vulnerabilities that require remediation, these scans may also detect malicious code introduced into a web application or its dependencies.
- Monitoring networks: Formjackers commonly send requests to attacker-controlled websites to deliver the collected payment card information. Monitoring for anomalous outbound traffic from the checkout page can help identify an active e-skimmer.
It is also essential to have processes to detect and remediate an active attack. For example, a company may choose to monitor the Dark Web via a tool such as Cybersixgill for discussions or credential sales that indicate an ongoing e-skimmer infection.
Third-party service providers and formjacking
Security requires continuous and significant costs but does little to nothing to differentiate a company’s core product. This “cost-center” approach has often left “doing the right thing” underfunded and deprioritized, setting companies up for serious security risks, compliance costs, and reputational loss.
Instead of fighting this reality, companies have begun leaning into it by using a new breed of third-party service providers (TPSP) to remove up to 99% of the effort required to build and maintain their in-house system and program. Services, like Basis Theory, offer the 1) capabilities to collect cardholder data (like hosted iframes), 2) PCI-Level 1 compliant infrastructure to securely store it, and 3) a developer platform to interact with it. This allows companies to continue daily operations without disrupting existing workflows or exposing themselves to additional compliance burdens.
More importantly, as zero-day exploits or new compliance requirements emerge, TPSPs address the necessary gaps with no-to-little effort from their customers. This ensures data has a strong continuous compliance and security posture without disrupting an organization’s roadmap.
Learn how to set up a PCI Level 1-compliant environment and protect your customer data in less than five minutes using our PCI Blueprint.