Defending Against JavaScript Keylogger Attacks on Payment Card Information

Course Overview
(Music playing) Hello, my name is John Elliot, and I'm a data protection specialist with a particular interest in protecting payment card data. I was Visa Europe's representative on the payment card industry security standards council, which means I had the contributing to many of the PCI standards, including PCI DSS. And I'm Troy Hunt. I'm an author of many different Pluralsight courses about how to protect yourself online. And, of course, protecting yourself online applies to all sorts of different web applications, but particularly those that lead through to payment processing. When Troy visited London recently, we had a chat about the modern ways that criminals steal cardholder data by using JavaScript executing in the customer's browser to read and steal card data from form fields. We discussed how the attack works and how people could protect their organization's web applications. We actually have some fantastic native implementations within browsers that can be used for protecting web applications, collecting any sorts of data, not just payment related information. So, for example, we have content security policies, CSPs, and sub-resource integrity, or SRI. Following the NIST cyber security framework, we also brainstormed ways you could detect the attack, how to respond, and what you would need to do to recover normal operations. This course is based on real-world experience, and we'll be looking at some important industry precedence that highlight just how serious this issue is and how important it is to get the defenses right. Everything we talk about applies to protecting all web forms, not just ones that collect payment data, so I do hope you'll join us as we discuss ways of defending against JavaScript keylogger attacks on payment card information.