
JavaScript Agent

A JavaScript Agent is a specialized piece of code that, when loaded onto a website, injects itself into critical JavaScript APIs on the page. This enables the agent to monitor and, if necessary, control the actions of other scripts running on the same page, providing an additional layer of security.

Advantages
  1. Real-Time Monitoring: JavaScript Agents provide continuous, real-time monitoring and protection for every user session where it is loaded.
  2. High-Level Behavior Monitoring: The JavaScript Agent can monitor the actions of other scripts in real-time, enabling it to detect and block high-level behaviors such as keylogging or unauthorized access to input fields, including credit card data.
  3. Detailed Behavioral Reporting: The system offers detailed insights into which script is responsible for specific behaviors, making it easier to identify and address potential threats.
  4. Flexible Filtering: The system has the potential to support both blacklist and white-list filtering, which would simplify management and minimize the risk of disrupting site functionality.
  5. Support for Single Page Applications (SPA): JavaScript Agents can recognize client-side navigation in SPAs and apply protections only to the relevant sections of the page, such as payment fields within the PCI DSS scope.
Disadvantages
  1. Proprietary Solution: JavaScript Agents are not a web standard, meaning each vendor has their own implementation and features. This makes it more challenging to evaluate and compare solutions effectively.
  2. Limited to JavaScript Layer: Since JavaScript Agents operate within the JavaScript layer, they cannot monitor behaviors outside of this scope. For example, they cannot track scripts embedded directly in the original HTML sent by the server or resources like images or fonts loaded via
  3. Monitoring Limitations Due to Load Order: The JavaScript Agent can only monitor scripts that load after it. Any scripts that load before the agent are not monitored and can bypass the agent’s restrictions.
  4. Potential for Bypass in Complex Scenarios: Even within the JavaScript layer, certain complex behaviors may bypass the agent’s monitoring. For instance, if a large amount of text is dynamically added to the inner HTML property of an element, the agent may struggle to parse all the content without causing significant performance issues. Attackers could exploit this limitation to evade detection.
  5. Limitations During Page Unload: When a page is being unloaded, the browser imposes restrictions that prevent the JavaScript Agent from reliably communicating or capturing behaviors that occur during this time.
  6. Possible Session Interference from Header Monitoring: To monitor HTTP headers, as required by PCI DSS 11.6.1, JavaScript Agents issue a fetch request to the server to inspect the response headers. Depending on the site's design, this can interfere with the user session's state, potentially breaking site functionality.
  7. Performance Impact: Deploying a JavaScript Agent can introduce a non-trivial performance impact, which may be problematic for websites that have a low tolerance for performance degradation.
  8. Data Verification Challenges: Because JavaScript Agents are proprietary solutions, verifying the nature and security of the customer data they collect is more complex compared to standard solutions.
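The following is an added example, not code from the original page or from any vendor's agent, showing the mechanism the sections above describe: the agent replaces a critical accessor (here the `value` getter of input elements), attributes each read of an in-scope payment field to the script that triggered it, records the event, and enforces an allow-list by returning an empty string to scripts that are not permitted. In a browser the same `installAgent` call would target `HTMLInputElement.prototype`; the `FakeInputElement` class, the `PAYMENT_FIELD` name pattern and the `allow`, `block`, `inScope` and `resolveScript` options are all constructed for this example so that it runs under Node.

```javascript
// Added example: a minimal JavaScript Agent that hooks the `value` accessor of
// input elements to monitor, attribute and (optionally) block reads of payment
// fields. FakeInputElement stands in for HTMLInputElement so the code runs in Node.

class FakeInputElement {
  constructor(name, value) { this._name = name; this._value = value; }
  get name() { return this._name; }
  get value() { return this._value; }
  set value(v) { this._value = v; }
}

// Field-scope rule (assumption for the example): names that look like card data.
const PAYMENT_FIELD = /card|pan|cvv|cvc|expir/i;

// Attribute a hook invocation to a script: take the first frame after the agent's
// own getter frame and extract its URL or file path. Relies on the getter keeping
// its function name (i.e. the agent itself not being minified anonymously).
function callerScript(stack) {
  const frames = String(stack).split('\n');
  const agentIdx = frames.findIndex(f => f.includes('agentValueGetter'));
  for (const frame of frames.slice(agentIdx + 1)) {
    const m = frame.match(/((?:https?:\/\/|file:\/\/|\/)[^\s)]+?):\d+:\d+/);
    if (m) return m[1];
  }
  return 'unknown';
}

// Install the agent on a prototype. Returns the recorded events and an uninstall
// function that restores the original accessor.
function installAgent(proto, options = {}) {
  const allow = new Set(options.allow || []);                  // scripts allowed to read card fields
  const block = options.block !== false;                       // block: false => monitor only
  const inScope = options.inScope || (el => PAYMENT_FIELD.test(el.name));
  const resolveScript = options.resolveScript || (() => callerScript(new Error().stack));
  const events = [];

  const original = Object.getOwnPropertyDescriptor(proto, 'value');
  if (!original || !original.configurable || typeof original.get !== 'function') {
    throw new Error('value accessor is missing or not configurable; cannot install agent');
  }

  Object.defineProperty(proto, 'value', {
    configurable: true,
    enumerable: original.enumerable,
    set: original.set,
    get: function agentValueGetter() {
      const real = original.get.call(this);
      if (!inScope(this)) return real;                          // out-of-scope fields pass through
      const script = resolveScript();
      const allowed = allow.has(script);
      const blocked = block && !allowed;
      events.push({ field: this.name, script, allowed, blocked });
      return blocked ? '' : real;
    },
  });

  return {
    events,
    uninstall() { Object.defineProperty(proto, 'value', original); },
  };
}

module.exports = { FakeInputElement, PAYMENT_FIELD, callerScript, installAgent };
```

Two of the limitations listed above are visible in this design. The agent only sees reads that go through the replaced accessor, so a script that ran before `installAgent` and kept its own reference to the original descriptor is never recorded (the load-order limitation), which is why placement at the top of the page matters. And attribution depends on the browser's stack-trace format and on the agent's getter keeping a recognisable name; when that fails, `callerScript` falls back to `'unknown'` rather than silently assigning the read to the wrong script.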
Expert Insight
To ensure your JavaScript Agent serves you effectively and delivers optimal results, site owners should:
  1. Optimize Placement for Maximum Coverage: Load the JavaScript Agent at the top of the page to ensure it monitors all subsequent scripts for maximum protection.
  2. Review Data Collected: Regularly review the data collected by the JavaScript Agent and transmitted to external servers, ensuring it aligns with your data security and privacy expectations.
  3. Measure Performance Impact: Assess the performance impact of the agent once it’s fully configured on your site, ensuring it operates within your acceptable performance limits.
  4. Evaluate Alert Quality: Ensure that the alerts generated by the system provide clear, actionable insights for thorough investigation and timely action.