7 Cybersecurity Risks to be Prepared for in 2025

By DataStealth
January 17, 2025
[Image: DataStealth PCI TDP Solution to comply with PCI DSS v4.0 requirements including 6.4.3 and 11.6.1]

We’ve entered 2025 and cybersecurity risks continue to evolve at an alarming pace, with bad actors getting increasingly effective with their methods.

From a devastating ransomware attack on Change Healthcare that cost the provider $2.3 billion to the Polyfill supply chain breach infecting over 100,000 websites, no organization is safe. 

However, certain compliance measures are designed to help organizations secure themselves against common cybersecurity risks. One of these measures is the PCI Data Security Standard (PCI DSS), a major compliance requirement for any organization handling online payments. 

PCI DSS is organised into 12 requirements, covering areas such as network security, system protection, access controls, data security, backup and recovery, employee training, and incident response handling.

As cyberthreats evolved, two key requirements – 6.4.3 and 11.6.1 – were added in PCI DSS v4.0. They were initially designated best practices, but from April 1st 2025 they become mandatory.

6.4.3 requires you to manage every script loaded and executed on your payment pages: each script is inventoried with a written business or technical justification, and adding or removing one goes through your change management process.

11.6.1 requires a change- and tamper-detection mechanism that alerts you when a script delivered to the customer’s browser on a payment page has been added or modified without authorization.

By complying with PCI DSS v4.0, organizations can protect themselves from threats, including these 7 cybersecurity risks that are likely to give organizations trouble in 2025:

1. Ransomware Attacks

Ransomware gets in through phishing emails or other vulnerabilities, then encrypts your data with strong algorithms and holds it hostage until the attackers are paid a ransom, usually in cryptocurrency.

How Ransomware Attacks Work

Ransomware attacks involve several stages, including infection, data encryption, and ransom demands. The infection stage often uses phishing emails with malicious attachments or links, or exploits vulnerabilities in unpatched software. 

Once the ransomware is installed, it encrypts files using strong encryption algorithms, making them inaccessible to you. The attackers then demand a ransom and, in return, promise to hand over the decryption key.

Victims are often advised not to pay the ransom, as there is no guarantee of data recovery and it could encourage further attacks. Instead, you should maintain regular backups, apply strong security measures, and report incidents to law enforcement. 

Notable examples of ransomware include CryptoLocker, WannaCry, and Ryuk.

Examples of Ransomware Attacks

In 2024, one of the most notable ransomware incidents was the BlackCat/ALPHV attack on Change Healthcare, which exposed over 100 million patient records. The resulting recovery cost was in the range of $2.3 billion to $2.45 billion, plus a ransom payment of $22 million.

Another well-known incident was the attack on LoanDepot, which exposed the personal data of 16.9 million customers. This led to a recovery cost of $27 million. 

One of Change Healthcare’s gaps was that it did not use multi-factor authentication (MFA) on its remote access servers, which were connected to payment processing systems. It also lacked strong enough monitoring, which let the attackers go undetected for 9 days before they deployed their ransomware.

You can also guard against this cybersecurity risk with data tokenization, which replaces your sensitive data with substitute values (tokens). Even in the worst case, where an attacker gains access to your systems, they won’t necessarily get or hold the real data.

2. Phishing and Social Engineering

Phishing and social engineering attacks try to manipulate people into revealing sensitive information (like payment card numbers) or installing malware.

How Phishing and Social Engineering Attacks Work

Attackers use various tactics to gain the victim’s trust, such as emails that look legitimate but are loaded with malicious links or attachments.

Likewise, attackers may try to get a user to do something they typically wouldn’t, for example by sending an email that appears to come from their boss and asks for a password.

In many phishing and social engineering cases, the attackers rely on impersonation, urgency, and trust-building to trap the victim. One of the most effective ways to stop these attacks is user education and training, combined with tools like multi-factor authentication (MFA).

Phishing/Social Engineering Attack Example

In 2024, Pepco Group suffered a breach through a social engineering attack that cost the European retailer €15.5 million ($16.2 million).

Fraudsters used sophisticated AI tools to impersonate legitimate employees to the company’s finance department, then used spoofed emails to convince finance staff to authorize fraudulent fund transfers.

This attack shows that even large organizations can fall victim to this cybersecurity risk. That’s why PCI DSS v4.0 places a stronger emphasis on anti-phishing measures, including both technical controls and employee awareness training.

While not a direct solution, a control like dynamic data masking can help mitigate the risk by ensuring that certain data (such as customer information) is visible only to authorized users. If an employee is compromised through social engineering but has no access to your sensitive data, the attacker working through them may not get far.

3. E-Skimming Attacks

E-skimming attacks steal payment card data from online payment systems, particularly payment pages.

How E-Skimming Attacks Work

As with many cybersecurity risks, the initial foothold is often gained through phishing or social engineering. Once inside, the attacker can plant malicious scripts on your online payment pages, which then execute in the customer’s browser.

The malicious script may redirect the customer to a domain the attacker controls, where the checkout page looks legitimate. When the customer fills in their payment details, the attacker collects the card account number, expiration date, and CVV code.

These attacks are often difficult to detect because they run in the customer’s browser, outside your direct control. Moreover, during peak shopping periods - like the holidays - there is a large volume of transactions. If an attacker targets just 1-2% of those, the retailer may mistake a blip that small for seasonal factors rather than a possible attack.

Examples of E-Skimming Attacks

In 2018, British Airways (BA) was struck with a Magecart attack that compromised 380,000 of its customers’ financial information. The attackers injected malicious JavaScript code into both BA’s website and mobile app, specifically targeting the payment processing system. 

BA didn’t detect the attack for over 2 weeks. The incident led to BA being fined $26 million by the U.K.’s Information Commissioner’s Office (ICO).

The attack on BA highlights the need for effective script monitoring and, ideally, blocking measures. To address this, two of PCI DSS v4.0’s compliance requirements – 6.4.3 and 11.6.1 – were made mandatory to provide that protection.

4. Supply Chain Attacks

Building on the previous cybersecurity risk, a supply chain attack can be a potential delivery vehicle for e-skimming (and other cyberattacks). This is where attackers target third-party services, such as trusted vendors, online tools, and others to install malicious code.

How Supply Chain Attacks Work

Cyberattackers look for vulnerabilities in widely used third-party tools, such as a web traffic analytics platform or a customer form plugin. They then inject malicious code into those tools, so that the legitimate scripts already running on users’ websites pull in malicious scripts. This is how Magecart attacks operate.

The whole idea of a supply chain attack is to use legitimate vendors and service providers to distribute malicious code widely. Depending on the vendor’s popularity or user base, this type of attack can reach a large number of organizations and, in turn, a great many people.

Examples of Supply Chain Attacks

The 2024 Polyfill attack was one of the most extensive supply chain attacks. The cyberattackers compromised Polyfill’s JavaScript content delivery network (CDN) and used it to inject malicious code into over 100,000 websites.

A supply chain attack is inherently difficult to detect because it arrives via a previously trusted, legitimate delivery source. Even if your organization has protected itself, you can’t guarantee that your vendors are as secure. This is where real-time monitoring and threat blocking are critical: they provide a fail-safe security layer against situations you can’t control.

5. Man-in-the-Middle (MitM) Attacks

A man-in-the-middle (MitM) attack involves a bad actor inserting themselves between two communicating sides as a way of intercepting, modifying, and/or stealing data.

How These Attacks Work

For example, an attacker could redirect network traffic so that it runs through their system as it moves between two legitimate sides. When that data goes through their system, the bad actor can view and modify the data or even inject new data into the stream. 

Examples

This cybersecurity risk exists in a variety of situations, ranging from spoofed Wi-Fi networks to malicious - but seemingly legitimate - payment pages. 

With payment pages, for example, the attacker could redirect a customer to a domain they control and where the checkout page will seem similar to that of the merchant. However, the customer will end up giving their data to the attacker. 

Again, this shows the importance of having real-time threat monitoring and blocking in place, especially for scripts as they’re often the main tool attackers will use. 

6. AI-Powered Cyberattacks

AI-powered cyberattacks aren’t a specific category of attack, but rather, they’re the means a bad actor could use to carry out some of the attacks above. Basically, cyberattackers are using AI or ML to make their approaches less detectable and more effective.

How AI-Powered Cyberattacks Work

BlackMamba is a proof-of-concept for malware that uses generative AI to avoid detection and generate its malicious code dynamically. While this approach hasn’t yet been seen in the wild, it marks a major shift in how cybersecurity risks are evolving.

This means the defensive solutions you use should also take advantage of new technologies as they emerge, both to be more effective and to better address new cyber threats.

7. Advanced Persistent Threats (APT)

APTs are long-term cybersecurity risks in which bad actors keep a low profile and work gradually and continuously. They typically use advanced techniques to avoid detection, focus on specific targets, and probe different gaps.

How These Attacks Work

Like AI-powered cyberattacks, APTs are more like strategies for improving other cyberattacks, such as ransomware, phishing, and skimming. APTs highlight the need for organizations to take real-time threat monitoring and threat blocking seriously. 

When bad actors are working around the clock, your cybersecurity defenses should be active 24/7. It’s not enough to audit your scripts, tools, and other systems once and then monitor or check them periodically. 

How to Protect Your Systems

With the right PCI tamper detection and protection solution, complying with PCI DSS v4.0 can protect you from both costly cyber threats and non-compliance issues.

Here at DataStealth, we’re actively helping organizations comply with PCI DSS v4.0.1 – notably requirements 6.4.3 and 11.6.1 - so that they’re well-defended from these costly attacks and – just as importantly – safe from pricey compliance gaps.
