Remote Scanning
Remote scanning involves simulating an end-user’s journey to the payment page, using automation tools like Puppeteer or Selenium. These tools automatically drive the browser through the site and arrive at the payment page, while a specialized data collection system attached to the browser monitors and captures comprehensive details about every interaction within the payment page. This includes loaded scripts, iframes, images, CSS, fonts, input forms, and the HTTP headers set by the server.
When properly processed and utilized, the collected data can be instrumental in helping organizations meet PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1.
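As an added example (not code from this library or page), the following Node.js snippet shows the post-processing step the paragraph above refers to: it compares a baseline scan snapshot of the payment page with a later one and reports the differences that matter for requirements 6.4.3 and 11.6.1. The snapshot layout, origins, hashes and header values are constructed for illustration.

```javascript
// Added example: compare two remote-scan snapshots of a payment page and flag changes
// relevant to PCI DSS 4.0.1 req. 6.4.3 (script inventory/integrity) and req. 11.6.1
// (tamper detection on page content and HTTP headers). All data below is constructed.
const SECURITY_HEADERS = ["content-security-policy", "strict-transport-security"];
function compareScans(baseline, current) {
  const findings = [];
  const flag = (req, type, detail) => findings.push({ req, type, detail });
  const approved = new Map(baseline.scripts.map((s) => [s.src, s.sha256]));
  // Script from an origin outside the approved inventory, or an approved
  // script whose content hash differs from the baseline (6.4.3).
  for (const { src, sha256 } of current.scripts) {
    if (!approved.has(src)) flag("6.4.3", "unauthorized-script", src);
    else if (approved.get(src) !== sha256) flag("6.4.3", "script-integrity-changed", src);
  }
  // Cross-origin iframe not present in the baseline (11.6.1).
  for (const frame of current.iframes) {
    if (!baseline.iframes.includes(frame)) flag("11.6.1", "unexpected-iframe", frame);
  }
  // Security-relevant response header added, removed or altered (11.6.1).
  for (const name of SECURITY_HEADERS) {
    const before = baseline.headers[name] ?? "<absent>";
    const after = current.headers[name] ?? "<absent>";
    if (before !== after) flag("11.6.1", "header-changed", `${name}: ${before} -> ${after}`);
  }
  // Script observed reading payment input fields that did not do so before (6.4.3).
  for (const reader of current.inputReaders) {
    if (!baseline.inputReaders.includes(reader)) flag("6.4.3", "new-input-reader", reader);
  }
  return findings;
}

// Constructed sample: checkout.js changed, an unknown tracker appeared and reads
// input fields, an extra iframe loaded, and the CSP header disappeared.
const baselineScan = {
  scripts: [{ src: "https://shop.example/js/checkout.js", sha256: "aaa111" },
            { src: "https://psp.example/pay.js", sha256: "bbb222" }],
  iframes: ["https://psp.example/card-frame"],
  headers: { "content-security-policy": "script-src 'self' https://psp.example",
             "strict-transport-security": "max-age=31536000" },
  inputReaders: ["https://psp.example/pay.js"],
};
const currentScan = {
  scripts: [{ src: "https://shop.example/js/checkout.js", sha256: "aaa999" },
            { src: "https://psp.example/pay.js", sha256: "bbb222" },
            { src: "https://stats.example/t.js", sha256: "ccc333" }],
  iframes: ["https://psp.example/card-frame", "https://stats.example/f"],
  headers: { "strict-transport-security": "max-age=31536000" },
  inputReaders: ["https://psp.example/pay.js", "https://stats.example/t.js"],
};
```

Running `compareScans(baselineScan, currentScan)` yields five findings (changed checkout.js hash, unauthorized tracker script, unexpected iframe, removed CSP header, new input reader); a real deployment would feed the scanner's own snapshot format in and route findings to the change-approval workflow.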
Advantages
- Ease of Use: It’s the simplest and fastest approach, as it requires no installation, setup, or configuration on your website.
- No Performance Impact: As a fully remote system, it imposes no performance or functional impact on the site.
- Cross-Origin Visibility: It can monitor third-party or cross-origin iframes and their influence on the payment page.
- Comprehensive Monitoring: It monitors behaviors caused by HTML, CSS, and JavaScript, covering everything from low-level events like CSS-loaded images to high-level events such as scripts performing keylogging or reading input fields.
- HTTP Header Analysis: It is capable of inspecting HTTP headers sent by the server.
- Detailed Behavioral Insights: It can potentially offer detailed observations of page behavior, which is extremely valuable for thorough investigation and analysis by your security team.
- Data Privacy: The system uses a test account to access the site, avoiding interactions with actual customer data.
Disadvantages
- Limited Session Coverage: Remote monitoring doesn’t capture every user session, which means specific behaviors triggered by certain conditions may go undetected. For example:
  - A script triggered only for users in New York won’t be detected unless the scan is conducted from that location.
  - Special functionality reserved for high-spending customers (e.g., those who have spent over $5,000) won’t be analyzed unless the test account meets this criterion.
- Lack of Blocking Capability: The system can report unauthorized or malicious behavior, but cannot block it in real time.
- Challenges with Anti-Automation Measures: Sites with anti-automation measures can complicate the monitoring process.
- Need for Updates: The scanning script requires regular updates to stay aligned with changes in user journeys or site navigation.
Expert Insight
To ensure your remote monitoring system serves you effectively and delivers optimal results, site owners should:
1. Verify comprehensive data capture: Confirm that the system accurately captures all relevant details—such as iframes, resources, input fields, and HTTP headers—by reviewing scan results.
2. Ensure automatic adaptation: The system should automatically adjust to changes in the site design or user journeys, ensuring monitoring remains uninterrupted and effective.