  • May 28, 2025

Introducing Evervault Page Protection: Securing payment pages from JavaScript attacks

Shane Curran

Founder, CEO

Today, Evervault is launching Page Protection, a browser script management product that helps payment companies and merchants secure their payment pages against script attacks and comply with the latest PCI DSS 4.0 requirements (6.4.3 and 11.6.1).

Your Website Is Not Just Your Code Anymore

Let's be honest: how many third-party scripts are running on your payment pages right now? Google Analytics? Facebook Pixel? Some A/B testing tool your marketing team added last quarter?

Payment pages sometimes load dozens of third-party scripts, each representing a potential security breach.

Your security is only as strong as the weakest link in your supply chain.

The British Airways Hack Nobody Saw Coming

JavaScript supply chain attacks have become the preferred weapon for sophisticated attackers targeting payment pages.

Remember the British Airways breach in 2018? For 15 days—from August 21 to September 5—the notorious Magecart group quietly harvested customer data without anyone noticing. They inserted just a handful of lines of code on BA's payment page, stealing names, billing information, and complete card details from 380,000 customers. The rogue change was inserted into the downstream CDN serving modernizr-2.6.2.min.js, a popular JavaScript library for HTML5 compatibility.

What made this attack particularly devious was its sophistication. The hackers didn't go after BA's entire infrastructure—they specifically targeted the JavaScript that handled payment processing. They even registered a domain (baways.com) that looks legitimate to casual observers, making the data exfiltration difficult to spot in network logs.

Although the hacker obfuscated the code change, it effectively looked something like this:

An example of the code change

The breach cost BA a £20 million fine, but the real damage was to their reputation. The kicker? This attack was completely invisible to users and traditional security tools.

PCI Finally Caught Up

The new PCI DSS 4.0 standard has finally acknowledged JavaScript attacks with two new requirements:

  • Requirement 6.4.3: You need to detect and respond to changes in payment page scripts.
  • Requirement 11.6.1: You need a mechanism to detect and prevent web-based attacks.

Effective March 31, 2025, all Service Providers are required to comply with these new requirements. Merchants who are completing Self-Assessment Questionnaires like SAQ A or Level 1 Reports on Compliance (RoCs) with SAQ A scoping will need to address these new changes directly.

Many companies are turning to Content Security Policy (CSP) and Subresource Integrity (SRI), but those are half-measures at best:

  • SRI breaks when scripts legitimately change (which they do, constantly)
  • CSP only restricts where scripts come from, not what they do
  • Manual monitoring is a nightmare that nobody has time for
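To make the first two limitations concrete, here is an added example (not Evervault's code and not part of the original post) that compares observed scripts against an approved inventory of SRI hashes and runs a CSP-style origin check on the same URLs. The URLs, script bodies and function names are constructed for illustration.

```javascript
// Added example. All URLs and script bodies below are constructed samples.
const crypto = require('crypto');

// SRI value as used in <script integrity="...">: "sha384-" + base64(SHA-384(body)).
function sriHash(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// CSP script-src style check: only the origin of the URL is considered.
function cspAllows(url, allowedOrigins) {
  return allowedOrigins.includes(new URL(url).origin);
}

// Compare scripts observed on a page against an approved inventory
// (url -> SRI hash) and classify each one.
function diffInventory(baseline, observed) {
  const report = { unchanged: [], changed: [], added: [], removed: [] };
  for (const [url, body] of Object.entries(observed)) {
    if (!(url in baseline)) report.added.push(url);
    else if (baseline[url] === sriHash(body)) report.unchanged.push(url);
    else report.changed.push(url);
  }
  for (const url of Object.keys(baseline)) {
    if (!(url in observed)) report.removed.push(url);
  }
  return report;
}

const allowedOrigins = ['https://cdn.example.com'];
const v1 = 'window.lib={version:"1.0.0"};';
const v2 = 'window.lib={version:"1.0.1"};'; // routine vendor update
const baseline = {
  'https://cdn.example.com/lib.js': sriHash(v1),
  'https://cdn.example.com/analytics.js': sriHash('track();'),
};
const observed = {
  'https://cdn.example.com/lib.js': v2,
  'https://cdn.example.com/analytics.js': 'track();',
  'https://cdn.example.com/new-widget.js': 'widget();',
};

const report = diffInventory(baseline, observed);
console.log(report);
// lib.js changed, so a pinned integrity attribute would block it even though
// the update is routine; the origin check still passes for the changed file.
console.log(cspAllows('https://cdn.example.com/lib.js', allowedOrigins));
```

The hash comparison tells you that a script changed, not whether the change is benign, and the origin check tells you nothing about content at all.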

Introducing Page Protection

Today, we're launching Evervault Page Protection – a solution designed specifically for this growing threat.

It's a simple approach to a complex problem:

  1. Add our lightweight JavaScript snippet to your payment pages
  2. We automatically proxy all your scripts through our secure CDN (which is served from our PCI Level 1-compliant infrastructure)
  3. Our system monitors every script for suspicious changes
  4. You get alerted when something suspicious happens (without the noise)

How It Works

Integration takes minutes, not months

Add this snippet to your payment pages:

That's it—no changes to your build process, no painful security policies to configure, and no developer headaches.

Your scripts stay where they are

We don't force you to host everything yourself or make sweeping changes. Your scripts continue loading from their original locations, but now they pass through our secure CDN, where we can monitor them for changes.

We build your script inventory automatically

You get a complete catalog of every script running on your payment pages, grouped by risk severity (based on potential impact to your page security) to help you identify which ones shouldn't be there.

Removing unnecessary scripts enhances security and can significantly improve your page load times.

Intelligent monitoring, not constant alerts

Our system doesn't just detect changes – it analyzes them to determine if they're routine updates or potentially malicious modifications.

This intelligent approach means you only get alerts when something suspicious happens, not for every minor update.

Audit-ready compliance

When your PCI audit comes around, you'll have a complete audit trail showing:

  • Every script loaded on your payment pages (including a justification for why it’s there)
  • When those scripts changed
  • What those changes were
  • Your team's responses to suspicious activity

Your audit might even finish early!

Unlike many other Browser Script Management solutions today, Evervault is PCI DSS 4 compliant, ensuring robust protection for your payment pages.

Why We Built This

The pattern is clear: companies invest heavily in network security, encryption, and access controls, but often overlook the JavaScript running on their payment pages.

It's unsurprising – there simply haven't been good solutions on the market.

Page Protection fills this critical gap, providing a straightforward way for payment companies and merchants to monitor and secure the scripts that access their customers' most sensitive data.

Get Started

Payment page attacks aren't theoretical – they're happening now and are on the rise.

Page Protection is available from today. Get started in a matter of minutes with our two-week free trial. Head over to the Page Protection website page to learn more or contact our team to chat about your specific setup.
