Traditional ecommerce security controls such as web application firewalls (WAFs) are not enough to protect the client side against digital skimming: a WAF inspects traffic to the merchant's own servers, while the skimmer runs in the shopper's browser and is typically loaded from, and exfiltrates to, third-party hosts that the WAF never sees. Some companies are betting on static scanning of their site, not realizing the dynamic nature of skimmer code, which can change between scans or be served only to real shoppers on the checkout page. Solutions like sandboxing third-party scripts create significant hurdles in the website development process and break continuous integration/continuous deployment (CI/CD) cycles.
Content Security Policy (CSP) is also the first resort for many web application security professionals. CSP was originally designed to mitigate cross-site scripting by allowlisting the sources a page may load scripts from. That model says nothing about the content of an allowlisted script: if a trusted third-party domain is compromised, the skimmer it now serves is loaded from an allowed source, so CSP alone provides no protection against that attack. Furthermore, CSPs are difficult to manage because they require a lot of tuning: every third-party tag, and every script those tags load in turn, has to be added to the allowlist, and the policy has to be revised each time they change.
Continuous monitoring, combined with CSP and Client Side Mitigation (CSM) granular JavaScript blocking, is a more modern client-side application security approach. Rather than trusting a script because of where it was loaded from, it observes what each script actually does in the browser, automatically identifies vulnerable code and anomalous behavior (for example, a third-party tag that starts reading payment form fields or sending data to a destination it has never used before), and applies either across-the-board access controls or granular per-script rules to prevent data exposure and exfiltration.
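The following is an added example (not the article's or any vendor's code) of what per-script behavioural rules look like when evaluated over the kind of events a client-side monitor would collect: which script read which form field, and which script sent data where. The script origins, field selectors, event log and rule set are all constructed. The same event sequence is evaluated in an enforce mode, where violations are blocked, and a report mode, where they are only recorded, which is how such a policy is normally tuned before it is switched on.

```javascript
// Added example (not from the original article): per-script behavioural rules
// evaluated over constructed monitor events (form field reads and network sends).

// Form fields whose values a skimmer is after.
const SENSITIVE_FIELDS = new Set(["#card-number", "#cvv", "#expiry", "#cardholder"]);

// Granular rules keyed by the origin each script was loaded from (constructed).
const RULES = {
  "https://shop.example": {                 // first-party checkout code
    fields: ["#card-number", "#cvv", "#expiry", "#cardholder"],
    destinations: ["https://api.shop.example"],
  },
  "https://cdn.example.com": {              // analytics tag: no card fields, own origin only
    fields: [],
    destinations: ["https://cdn.example.com"],
  },
};

function originOf(url) {
  return new URL(url).origin;
}

// Evaluate events in order. mode "enforce" blocks violations, mode "report"
// lets them through but records them. A send to a non-permitted destination
// by a script that has read card fields is flagged as possible exfiltration.
function evaluate(events, rules = RULES, mode = "enforce") {
  const touched = new Map(); // script origin -> Set of sensitive fields it read
  const decisions = [];
  for (const ev of events) {
    const origin = originOf(ev.script);
    const rule = rules[origin];
    let violation = null;
    if (!rule) {
      violation = "script origin has no rule";
    } else if (ev.type === "read") {
      if (SENSITIVE_FIELDS.has(ev.target)) {
        const permitted = rule.fields.includes(ev.target);
        if (!permitted) violation = `read of ${ev.target} not permitted`;
        // In enforce mode a denied read never happens, so it is not recorded.
        if (permitted || mode === "report") {
          if (!touched.has(origin)) touched.set(origin, new Set());
          touched.get(origin).add(ev.target);
        }
      }
    } else if (ev.type === "send") {
      const dest = originOf(ev.target);
      if (!rule.destinations.includes(dest)) {
        const fields = touched.get(origin);
        violation = fields && fields.size > 0
          ? `possible exfiltration of ${[...fields].join(", ")} to ${dest}`
          : `send to ${dest} not permitted`;
      }
    }
    decisions.push({
      script: ev.script,
      type: ev.type,
      target: ev.target,
      action: violation && mode === "enforce" ? "block" : "allow",
      violation,
    });
  }
  return decisions;
}

// Constructed event log: legitimate checkout traffic, then an analytics tag
// that has started behaving like a skimmer, then a tag nobody approved.
const EVENTS = [
  { script: "https://shop.example/checkout.js", type: "read", target: "#card-number" },
  { script: "https://shop.example/checkout.js", type: "send", target: "https://api.shop.example/pay" },
  { script: "https://cdn.example.com/lib/analytics.js", type: "send", target: "https://cdn.example.com/collect" },
  { script: "https://cdn.example.com/lib/analytics.js", type: "read", target: "#card-number" },
  { script: "https://cdn.example.com/lib/analytics.js", type: "send", target: "https://evil.example/p.gif?d=4111" },
  { script: "https://unknown.example/tag.js", type: "read", target: "#email" },
];

function demo() {
  return {
    enforce: evaluate(EVENTS),
    report: evaluate(EVENTS, RULES, "report"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In enforce mode the analytics tag's read of the card field is blocked outright, and its later send to the attacker host is blocked as an unpermitted destination. In report mode nothing is blocked, but the monitor correlates the two events and reports the send as possible exfiltration of the card number, which is the alert a team would act on before tightening the rule. The unknown third-party script is blocked simply because it has no rule, which is the across-the-board default the paragraph describes.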