Jscrambler Launches JavaScript Scanner for PCI DSS 4.0 Compliance

Jscrambler has released a free tool to help companies check the JavaScript code running on their e-commerce sites and bring them into compliance with the latest PCI DSS (Payment Card Industry Data Security Standards) version 4.0.

PCI Security Standards Council released PCI DSS v4.0 in March 2022 and began a two-year phaseout of the previous versions before beginning enforcement. By March 31, 2025, all retailers and e-commerce sites – anyone who handles payment cards online, really – will need to be in compliance with these requirements. Jscrambler's PCI DSS JavaScript Compliance Tool helps organizations assess whether the JavaScript on their e-commerce sites meet to two v4.0 requirements: protection against (6.4.3) and detection (11.6.1) of skimming attacks on all scripts from a merchant or its third- and fourth-party contractors.

Section 6.4.3 requires that companies confirm that each script is authorized, ensure the integrity of the scripts, and maintain a complete inventory that explains why each script is necessary. Section 11.6.1 applies to merchants that include a third party's iframe payment form on their websites; it compels an evaluation of the HTTP header and payment page periodically (usually every seven days) that looks for and notifies the merchant about any changes to the page.

The anti-skimming requirements are necessary because attackers are launching Web skimming campaigns by injecting malicious code into Magento, WooCommerce, Shopify, and WordPress sites. Magecart skimmers have been found on 2 million websites, including those of Ticketmaster and British Airways.

The Jscrambler tool searches for and collates all scripts on a merchant's site, performing script verification and authorization, and then logging the results, including compliance status. It visualizes each script, highlighting actions that are considered suspicious, analyzes scripts for function and generates justifications for using each. Alerts are triggered if scripts are tampered with, the contents of the payment page are changed without authorization, and the HTTP header is altered. All of these functions reduce manual compliance efforts and assist in generating audit-ready reports, the company said.