Client-Side Protection & Compliance: Fight Threats, Help Meet PCI DSS v4
JavaScript is a fundamental technology in modern web development. More than 98% of today’s dynamic web applications and websites rely on JavaScript for interactivity, dynamic content loading, and enhanced user experiences. In addition, it supports responsive web design and third-party integrations by providing features such as analytics, advertising, social media connections, and more.
An expanded attack landscape
Although JavaScript has become an essential tool, it also presents new security risks. Due to its decentralized client-side execution and the supply chain of third-party dependencies, JavaScript is extremely difficult for organizations to monitor and manage. Attackers have taken advantage of this blind spot by exploiting vulnerabilities in scripts and injecting harmful code into websites from the browser. They can then harvest and exfiltrate sensitive information, including payment card data, from end users.
These attacks — including web skimming, Magecart, and formjacking — have increased in sophistication over the years and can create devastating consequences for businesses. Victims face diminished customer trust, business downtime, and revenue loss, as well as significant regulatory fines.
New client-side JavaScript security requirements
Despite their impact, the prevention of client-side attacks has not been a security focus for most organizations, and many websites remain unprotected. To safeguard payment data in the browser, the latest version of the Payment Card Industry Data Security Standard (PCI DSS v4.0), released in March 2022, introduced new client-side JavaScript security requirements.
To be compliant, any organization that processes payment card data online must know what scripts are executing on their site, when those scripts change, and what actions those scripts are taking. PCI DSS v4.0 becomes fully effective in March 2025, which leaves businesses a short window of time to meet these requirements.
Introducing Akamai Client-Side Protection & Compliance
Akamai Client-Side Protection & Compliance is a web application security solution designed to defend websites against JavaScript threats and to facilitate compliance with the new JavaScript security requirements (6.4.3 and 11.6.1) outlined in PCI DSS v4.0.
Client-Side Protection & Compliance runs in the end user's browser to monitor client-side JavaScript execution on a protected web page. When scripts exhibit changes in behavior, machine learning techniques assess the risk of unauthorized or inappropriate actions, triggering real-time alerts for security teams to investigate.
Users can mitigate potential threats with one easy click, restricting malicious JavaScript from accessing and exfiltrating sensitive end-user information, including payment card data.
Get these key capabilities
Protection against sensitive data exfiltration
Cybercriminals use various techniques to skim and exfiltrate sensitive end-user data in the browser. By instrumenting real-user sessions to analyze script behavior, Akamai Client-Side Protection & Compliance is designed to effectively protect against the most sophisticated attacks. If suspicious activity is detected, security teams are immediately alerted with detailed insights for rapid response and mitigation.
Dedicated PCI DSS v4.0 compliance support
Client-Side Protection & Compliance provides broad support to help businesses meet requirements 6.4.3 and 11.6.1 of PCI DSS v4.0. It automatically tracks and inventories scripts on payment pages, ensuring their integrity and authorization. Security teams can easily justify the purpose of scripts that are executing on payment pages, with predefined justifications and automated rules.
The solution also monitors for changes in HTTP headers and payment page protections to defend against page tampering. A comprehensive dashboard and dedicated PCI alerts make it easy to rapidly respond to compliance-related events and provide auditing evidence.
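The checks behind these two requirements can be sketched in a few dozen lines. The example below is added here and is not Akamai's code: it takes a captured payment-page load (HTML, the script bodies as served, response headers), compares every script against an authorized inventory of hashes and business justifications (6.4.3), and diffs the headers against a recorded baseline (11.6.1). All identifiers, URLs and page content are constructed for illustration.

```python
import hashlib
import re
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
sha384 = lambda body: hashlib.sha384(body).hexdigest()  # integrity value kept in the inventory

def enumerate_scripts(html: str, fetched: dict) -> dict:
    """Map each script on the page to its body: external scripts by src, inline ones by position."""
    scripts, inline_n = {}, 0
    for attrs, inline in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            scripts[src.group(1)] = fetched.get(src.group(1), b"")  # body as actually served
        else:
            inline_n += 1
            scripts[f"inline#{inline_n}"] = inline.strip().encode()
    return scripts

def check_payment_page(html, fetched, headers, approved, baseline_headers):
    """(kind, subject) findings: unauthorized/changed/unjustified scripts (6.4.3), header drift (11.6.1)."""
    findings = []
    for ident, body in enumerate_scripts(html, fetched).items():
        if ident not in approved:
            findings.append(("unauthorized_script", ident))
            continue
        approved_hash, justification = approved[ident]
        if not justification:
            findings.append(("missing_justification", ident))
        if sha384(body) != approved_hash:
            findings.append(("integrity_mismatch", ident))
    for name, expected in baseline_headers.items():
        if headers.get(name) != expected:
            findings.append(("header_changed", name))
    return findings

# Constructed sample data (not from the page). APPROVED is the reviewed inventory,
# ident -> (hash at review time, business justification); CAPTURED_* is one later page load.
APPROVED = {
    "/js/checkout.js": (sha384(b"function pay(){/* tokenize card fields */}"), "Card tokenization"),
    "inline#1": (sha384(b'window.cfg={"merchant":"demo"};'), ""),  # approved, justification never recorded
}
BASELINE_HEADERS = {"content-security-policy": "script-src 'self'", "x-frame-options": "DENY"}
CAPTURED_HTML = """<html><head><script src="/js/checkout.js"></script><script src="https://cdn.unknown.test/loader.js"></script>
<script>window.cfg={"merchant":"demo"};</script></head><body><form id="pay"></form></body></html>"""
CAPTURED_SCRIPTS = {"/js/checkout.js": b"function pay(){/* tokenize card fields */}/* v2 */",  # changed since review
                    "https://cdn.unknown.test/loader.js": b"/* never reviewed */"}
CAPTURED_HEADERS = {"content-security-policy": "script-src 'self' https://cdn.unknown.test", "x-frame-options": "DENY"}

if __name__ == "__main__":
    print(*check_payment_page(CAPTURED_HTML, CAPTURED_SCRIPTS, CAPTURED_HEADERS, APPROVED, BASELINE_HEADERS), sep="\n")
```

Inline scripts are keyed by document position rather than by content hash so that a modified inline block is reported as an integrity mismatch instead of disappearing from the inventory and reappearing as an unknown script.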
Extensive visibility into JavaScript threats
It is a common misconception that web application firewalls (WAFs) provide protection against client-side attacks. Because WAFs analyze server-side traffic, they cannot detect or prevent attacks that occur in the end user's browser. Akamai Client-Side Protection & Compliance complements a WAF by providing unparalleled visibility into your website's client-side attack surface. It tracks script execution behavior, detects common vulnerabilities and exposures (CVEs), and assesses each script's reach and impact.
Client-Side Protection & Compliance also provides intelligence on the data accessed by scripts and potential threats, eliminating blind spots and ensuring comprehensive protection. The solution pairs well with the industry-leading Akamai App & API Protector, providing holistic defense against both server-side and client-side threats.
Take a walk on the client side
Client-Side Protection & Compliance is a CDN-agnostic solution that can be deployed on or off Akamai Connected Cloud and requires no additional Akamai security solutions. It works with complex websites and single-page applications and has no significant impact on page performance. With rapid configuration, businesses can immediately gain protection against JavaScript threats and streamline PCI DSS v4.0 compliance workflows.
Check it out
Check out Akamai Client-Side Protection & Compliance and test it yourself.