One of Scentbird’s Secret Ingredients to Success: PCI DSS v4 Compliance
Today, 773 million consumers worldwide turn to e-commerce platforms to find their favorite fragrances. One of the leading brands in the online perfume industry is Scentbird, a monthly subscription service dedicated to helping people express themselves through scent.
Since its launch in 2014, a key ingredient in Scentbird’s success has been balance — specifically, balancing two business priorities: delivering personalized recommendations while protecting customer data, including credit card details.
Today’s consumers are increasingly cautious when entering payment details, preferring secure checkout options like Apple Pay, PayPal, and hosted payment forms. Scentbird’s commitment to transparency, website security, and client-side protection is why customers trust the platform with their information. The retailer is open about the data it collects and how it enhances personalized recommendations, reinforcing its unique position in the market. However, as for many retailers, protecting this data is a constant challenge, especially as customer bases expand and new website capabilities are added to enhance the user experience.
Blending Security and Personalization
Ninety-eight percent of websites globally rely on JavaScript to create dynamic and engaging user experiences, and Scentbird is no exception. The retailer uses approximately 60 different scripts for marketing analytics, payment processing, shipping functionality, and personalization, all of which have contributed to its success.
However, JavaScript also introduces security risks. Third-party scripts can gain unmonitored access to forms and sensitive data across web pages. The more scripts used, the greater the risk. In Scentbird’s case, 60 scripts quickly grew to 100 due to dependencies, leading to versioning issues as updates arrived frequently, sometimes with new versions released daily.
Scentbird’s Journey to Compliance
Without a centralized review process, Scentbird took a proactive approach to safeguard customer data. The team first turned to Google Tag Manager, but it lacked the deep visibility and script auditing capabilities necessary for compliance.
To regain control and maintain customer trust, Scentbird implemented an internal script approval process, requiring periodic inventory checks to ensure only essential scripts remained active. The company also introduced cookie consent management platforms and partnered with security firms to monitor script activity across its website.
As business growth accelerated, PCI DSS v4 compliance became a pressing priority for Scentbird. Once retailers exceed a certain transaction volume, payment providers require self-assessments for PCI DSS compliance, even if they do not store customer credit card details. This requirement ensures that businesses handling high volumes of transactions maintain strong security measures.
Through this process, Scentbird recognized that compliance is more than a regulatory requirement; it's an investment in customer trust. To secure this trust, the retailer needed full visibility into its ever-evolving JavaScript inventory.
The first step was moving away from its cookie consent management platform, which lacked key security features, such as tracking who interacted with forms, monitoring script changes, and detecting unauthorized data transmissions. Next, Scentbird sought client-side security capabilities that would:
- monitor and control third-party scripts;
- protect customer payment data from web skimming;
- ensure compliance with PCI DSS anti-skimming requirements (6.4.3 and 11.6.1); and
- reduce manual oversight and streamline security operations.
Today, Scentbird is fully aligned with PCI DSS v4 requirements, ahead of the March 31 deadline (though many companies may delay compliance until their next annual assessment). By taking a proactive approach, Scentbird has not only secured its payment pages but also strengthened its position for long-term success in the evolving e-commerce landscape.
Rui Ribeiro is the co-founder and CEO of Jscrambler, a pioneering client-side protection platform.
Andrei Rebrov is the founder and CTO of Scentbird.

Rui Ribeiro is the CEO and co-founder of Jscrambler. An entrepreneur and innovator, he has led the company from a start-up to a leader in client-side web application security. He has co-authored several application security patents and is passionate about helping companies innovate quickly while knowing that their applications are secure.

Andrei Rebrov is a seasoned technology leader with more than 15 years of experience in the industry. As the Co-Founder and CTO of Scentbird, he has played a pivotal role in scaling the company to over 700,000 active subscribers while being instrumental in developing the platform’s early architecture, expanding a global remote engineering team, and ensuring that technology fueled innovation across all departments, from marketing to operations.
Beyond Scentbird, Andrei is a startup advisor across diverse industries, including aerospace and video games. He is also the author of the book Beyond the Box, where he shares his insights on technology, leadership, and innovation.
Prior to founding Scentbird, Andrei worked as an agile engineering coach, helping companies optimize their technology strategies. His early career includes software engineering roles at UBS Investment Bank and Avis UK.