Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Healthcare organizations today face an imminent threat to securing private health information (PHI) on their websites. For this reason, HHS has released requirements to help organizations and patients stay protected. Non-compliance can result in HIPAA violations leading to costly lawsuits. Most healthcare companies use tracking technologies for marketing and analytics. Sometimes these trackers, cookies, and pixels collect and share more health information than is necessary, leading to privacy breaches.

In part one of our series on PCI DSS 4.0, we covered the updates in the latest version 4.0.1 and how to operationalize those changes. In this blog we are going to dig deeper into Requirement 11.6, how to interpret the nuance and automate the current guidance. Guidance that will become a mandate in March, 2025. Let’s start with what Requirement 11.6 is and why it’s so important.

As the Payment Card Industry Data Security Standard (PCI DSS) compliance standards continue to evolve, our team has been fielding a number of questions about the changes to 4.0, how to interpret them and ultimately how to get or remain compliant. We decided to create a blog series covering some of these recent changes with practical, actionable tips for getting started. Many organizations subject to PCI-DSS may not be aware that the latest version, PCI 4.0.1 has been released.

Protecting your e-commerce platform from unauthorized changes and skimming attacks is paramount for maintaining trust and ensuring compliance with PCI DSS 4.0, specifically requirement 11.6. This guide will walk you through utilizing Feroot platform to set up effective monitoring and response mechanisms for your payment pages.

This user guide will walk you through how to use Feroot’s suite of tools to meet PCI-DSS requirement 6.4.3 on your e-commerce webpages that handle card payments.

The Payment Card Industry Data Security Standard (PCI DSS) 4.0, issued a comprehensive set of requirements, to safeguard online payment systems against breaches and theft of cardholder data. Requirement 6.4.3 is one of the critical components for businesses that take online payment and focuses on the management and integrity of scripts on webpages that take payment card (i.e.m credit card) payments.

The healthcare industry has rapidly embraced digital technologies to enhance patient care, streamline operations, and improve communication. However, this digital transformation brings with it a significant challenge: protecting patient data. One often overlooked risk comes from tracking pixels, which can lead to (accidental) data leakage and privacy breaches.

In the ever-evolving landscape of cybersecurity, staying ahead of threats and ensuring the safety of sensitive customer data is paramount. For organizations that handle payment card information, complying with industry standards like PCI DSS (Payment Card Industry Data Security Standard) is not only a best practice, but a compliance requirement that can result in hefty fines upwards of $100,000 a month.

By analyzing over 3,000 websites and over 100,000 associated webpages (using the client-side security scanning feature of Feroot Inspector) across 6 sectors, it was determined that pixels/Trackers transfer data to almost 100 countries around the globe. Table 1 shows the top 40 destinations of data being transferred by pixels/trackers collecting data from the analyzed websites – all of which were US-based.

In an analysis of over 3,000 websites and over 100,000 associated webpages (using the client-side security scanning feature of Feroot Inspector) found pixels/trackers on 95% of their websites. Each website in the study corresponds to an unique organization (company, non-profit, or government agency). The high 95% reflects the extent of data harvesting that is done by marketing, advertising, and performance platforms today.