Virtually all ecommerce sites include third-party scripts on their websites. The problem comes when a web developer includes a third-party script on pages that accept sensitive information (e.g., payment page, login page).
3. Business background
Included a third party’s JavaScript on all website pages, including the customer checkout page.
The script dynamically loads from third-party servers each time the page loads.
4. What is included JavaScript (or included code)?
JavaScript is a scripting language used when writing a website that interacts with a user’s browser.
These scripts can be written by company developers or included from external web sources.
5. How hackers could get in
Cybercriminals could successfully hack the third-party server that hosted the analytics JavaScript.
They could rewrite the script so it would secretly search for and access any information contained on or entered into the web pages it was included on.
6. How hackers could get in
Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer’s checkout page.
7. What the business did wrong
Dynamically including third-party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.
8. What the business did wrong
The ecommerce merchant should have requested assurance from the third party of strong server security and constant checking of scripts to ensure they are not modified.
9. What the business did wrong
Don’t assume the third party is responsible. Remember, anything written or included on a merchant’s ecommerce website is the merchant’s own responsibility.
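One way a merchant could act on slides 7 and 8, as an added example that is not part of the original presentation: list the scripts a checkout page loads from other hosts with no integrity pin, and check a fetched script body against the hash recorded when it was last reviewed. The hosts, the sample page, the script bodies and the function names are constructed for illustration, and the hash uses the sha384 format of the browser Subresource Integrity `integrity` attribute, which the slides do not name.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page; every host and path is a placeholder.
CHECKOUT_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://analytics.example.net/track.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body><form id="payment"></form></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def unpinned_third_party_scripts(html, site_host):
    """Return script URLs served from another host with no integrity pin."""
    collector = ScriptCollector()
    collector.feed(html)
    return [src for src, integrity in collector.scripts
            if urlparse(src).hostname not in (None, site_host) and not integrity]

def sri_sha384(body):
    """Hash a script body in the sha384 format used by Subresource Integrity."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def script_modified(body, pinned):
    """True when the fetched body no longer matches the reviewed, pinned hash."""
    return sri_sha384(body) != pinned

# Constructed script bodies: the reviewed version and an altered copy.
REVIEWED = b"function track(){ /* page-view counter */ }"
ALTERED = REVIEWED + b"\n/* extra code added after review */"
PINNED = sri_sha384(REVIEWED)

if __name__ == "__main__":
    print(unpinned_third_party_scripts(CHECKOUT_HTML, "shop.example.com"))
    print(script_modified(REVIEWED, PINNED), script_modified(ALTERED, PINNED))
```

Run against the real checkout page on a schedule, the first check shows which third-party scripts load unpinned and the second shows when a pinned script has changed since review.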
10. SecurityMetrics
We Protect Business
Services: PCI, HIPAA, & data security solutions for businesses of all sizes
Qualifications: Global provider of ASV, QSA, PFI, PA QSA, P2PE services
Experience: Assisted over 1 million organizations with compliance needs