Akamai introduces new capabilities to simplify PCI DSS 4.0 compliance for organizations

Akamai has introduced new capabilities to its Client-Side Protection & Compliance product that are designed to help organizations ensure compliance with PCI DSS 4.0 JavaScript security requirements 6.4.3 and 11.6.1.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card data security as well as facilitate the broad adoption of consistent data security measures globally.

The latest update of PCI DSS (version 4.0) was released in 2022. The standard becomes effective in March 2024, with full enforcement of requirements in March 2025. It includes several new security requirements and updated guidance to address current threats and technologies. Any organization processing, storing, or transmitting payment card information online must comply.

New PCI DSS 4.0 requirements 6.4.3 and 11.6.1 outline the need for businesses to protect against harmful client-side web skimming attacks that steal sensitive end-user data from within the browser by exploiting JavaScript supply chain vulnerabilities. These attacks, such as Magecart, continue to grow in sophistication and impact digital commerce.

To comply with the new standard, organizations must now know what scripts are loading and executing on the payment pages of their website, what actions those scripts are taking, and when those scripts change.

Akamai Client-Side Protection & Compliance (formerly Page Integrity Manager) provides extensive visibility into the client-side attack surface to protect against end-user data exfiltration and shields websites from JavaScript threats.

It detects malicious script behavior in real time and delivers actionable alerts so security teams can quickly mitigate harmful activity. With new purpose-built PCI DSS v4.0 compliance capabilities, Client-Side Protection & Compliance helps security teams streamline compliance workflows and meet the latest JavaScript security requirements.

The new PCI DSS 4.0 compliance capabilities include:

Script inventory management (satisfies PCI DSS v4.0 requirement 6.4.3) — Provides an inventory of all JavaScript that is loaded and executed on protected payment pages. Users can easily record written justifications for each observed script. The solution automates as much of the justification setting as possible via predefined justifications and rules, substantially reducing compliance efforts.

PCI DSS 4.0 dashboard (satisfies PCI DSS v4.0 requirements 6.4.3 and 11.6.1) — Gain compliance insights with one click. A comprehensive dashboard addresses each component of requirements 6.4.3 and 11.6.1 directly within the product. Security teams can ensure script authorization and behavioral integrity, protect against payment page tampering, and keep up-to-date with script inventory management with a single view to ease the auditing process.

Dedicated PCI alerts (satisfies PCI DSS v4.0 requirements 6.4.3 and 11.6.1) — Receive immediate and actionable alerts on PCI-related events for real-time mitigation. This includes notification of any data exfiltration, unauthorized scripts, tampering of protection for configured payment pages, and unauthorized HTTP header modifications. Alerts are summarized in the PCI DSS v4.0 dashboard and logged for auditing evidence.

Client-Side Protection & Compliance is a CDN-agnostic product with flexible deployment options. The solution is a part of Akamai’s industry-leading web application security portfolio and works well with Akamai App & API Protector.

Businesses can bundle these products to gain comprehensive protection against both server-side and client-side threats, as well as to meet additional PCI DSS v4.0 requirements.

“With the deadline for PCI DSS 4.0 compliance fast approaching, Akamai Client-Side Protection & Compliance helps simplify the complex compliance process, and grants businesses the peace of mind that end-user payment card data is protected,” said Rupesh Chokshi, SVP and GM of Akamai’s Application Security Group.

“These new capabilities are designed to streamline compliance workflows and help our customers easily manage JavaScript executing on their website’s payment pages. It safeguards end-user payment card data within the browser and provides security teams with control over the entire client-side attack surface,” added Chokshi.

Businesses across all industries that accept payments online have to prepare to meet the upcoming PCI DSS 4.0 deadline. Forrester’s 2023 report highlighted client-side protection as a key technology that financial services and insurance organizations plan to adopt this year.

The report states, “The PCI Security Standards Council added requirements for client-side security — so it’s not surprising to see financial services firms rushing to adopt client-side code protections to comply with PCI DSS and protect against the likes of Magecart, formjacking, and cryptojacking attacks.”