Thousands of WordPress Sites at Risk After Gravity Forms Breach

A critical vulnerability in the popular Gravity Forms WordPress plugin has led to widespread malware injections across thousands of sites. The flaw is being actively exploited by threat actors, some of whom are inserting backdoors and malicious JavaScript into WordPress sites to carry out data theft, SEO poisoning, and client-side attacks.

What's the Cheapest Way to Comply with HIPAA Online Tracking Technology Rules?

The U.S. Department of Health and Human Services (HHS) clarified in 2022 and again in 2023 that tracking technologies like Meta Pixel and GA4 can expose Protected Health Information (PHI). This applies even if PHI isn’t explicitly shared—contextual data such as appointment searches or logged-in status on a patient portal can qualify.

Everything You Need to Know About Magecart and Other Skimming Attacks

By now, you’ve likely heard about Magecart attacks — or maybe even experienced one firsthand. Over the last few years, digital skimming has become a go-to tactic for cybercriminals targeting websites and web applications. Major organizations like Macy’s, Ticketmaster, the American Cancer Society, P&G’s First Aid Beauty, British Airways, and Newegg have all made headlines due to these breaches. But most victims don’t make the news.

How Feroot Helps Security Teams Meet NIST SP 800-53 Controls for Web Application Protection

NIST Special Publication 800-53 is a cybersecurity and privacy framework developed by the National Institute of Standards and Technology (NIST). It provides a standardized set of security controls for federal information systems, covering everything from access control and incident response to system monitoring and supply chain risk management.

What Are the Biggest HIPAA Compliance Risks in Retargeting and Digital Marketing for Healthcare Organizations?

Digital marketing relies on user behavior data — but for healthcare organizations, that data often includes protected health information (PHI). If ad platforms or third-party scripts collect PHI without consent or encryption, your organization could face HIPAA violations.

PCI DSS 4.0.1: A Comprehensive Guide to Successfully Meeting Requirements 6.4.3 and 11.6.1

To address stakeholder feedback and questions received since PCI DSS v4.0 was published, the PCI Security Standards Council (PCI SSC) has published a limited revision to the standard, PCI DSS v4.0.1. It includes corrections to formatting and typographical errors and clarifies the focus and intent of some of the requirements and guidance. There are no additional or deleted requirements in this revision.