Preventing Malicious Script Execution: Do I Need a Proprietary Script Management System? “Yes” If You Want to Meet PCI 6.4.3

From sourcedefense.com

PCI DSS v4.0 requirement 6.4.3 explicitly allows for proprietary script management systems as one way to control which scripts run on a payment page and to stop unauthorized or tampered scripts from executing. The requirement states that all payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:

  • A method is implemented to confirm that each script is authorized
  • A method is implemented to assure the integrity of each script
  • An inventory of all scripts is maintained with written justification as to why each is necessary

The guidance that accompanies 6.4.3 names three ways an organization can meet these needs: Subresource Integrity (SRI), Content Security Policy (CSP), and a proprietary script management system, used alone or in combination. Let’s look at each to measure how well it meets this requirement.
