How Hollywood Bowl Stopped eSkimming
Learn how they gained script visibility, and gave their QSA clean PCI DSS 4.0.1 evidence.
See how Hollywood Bowl Group plc, the UK’s largest ten pin bowling operator, gained full visibility into third and fourth party scripts, met PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, and protected every online booking session without slowing the site down.
Get the case study to learn how Hollywood Bowl:
- Turned a browser blind spot into a controlled security zone
- Replaced manual tag reviews with automated, QSA ready evidence
- Deployed behavior based eSkimming security in days, not months
- Achieved zero eSkimming incidents while keeping conversion rates steady
Use Hollywood Bowl’s experience as a practical blueprint to de-risk your own payment pages and take pressure off your PCI DSS 4.0.1 program.
Why This Case Study Matters
If you are responsible for PCI DSS 4.0.1, web security, or online revenue, you are likely dealing with the same issues Hollywood Bowl faced:
- Constant change from tag managers and marketing scripts
- Limited visibility into fourth party calls and dependencies
- Pressure to comply with PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1
- A risk register that says “red” while the business keeps adding new tools
Hollywood Bowl used Source Defense to gain end to end visibility into scripts running in the browser, block eSkimming behavior in real time, and give their QSA clean, structured evidence for payment page controls.
What You Will Learn
Inside the Hollywood Bowl case study, you will see:
- How Hollywood Bowl inventoried every script on its payment pages, including nested fourth party calls coming from tag manager changes
- Why traditional approaches like in house Content Security Policy and monitoring only tools could not deliver real time protection or full PCI DSS coverage
- How a single Source Defense tag, deployed through the existing tag manager, provided full site coverage with roughly half a day of development work and one day of security policy tuning
- How Hollywood Bowl uses automated script classification, authorization workflows, and audit trails to satisfy PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1
- The operational impact of moving from manual tag reviews to automated reporting that QSAs can accept in place of spreadsheet based script reviews
“It closes the browser side blind spot, delivers PCI DSS 4.0.1 evidence out of the box, and does it with minimal development effort and no customer friction.”
— Dan Burborough, Head of IT Security and Compliance, Hollywood Bowl Group
About Source Defense
As a PCI Participating Organization and the pioneer in eSkimming security, Source Defense played a role in the development of new requirements for web security found in PCI DSS 4.0.
We’ve helped thousands of the world’s leading brands address these issues. We’ve also been educating merchants, QSAs, PSPs, eCommerce Platform providers and virtually every stakeholder in PCI compliance on the vulnerabilities in modern website design that make eSkimming attacks possible. We’ve made it our mission to provide guidance around ambiguity in the standard and to advise on the pros and cons of approaches provided by the council, and we recently launched a free assessment, monitoring and management solution for both merchants and their QSAs.