The Rise and Risk of Third-Party Scripts in Modern Website

First of its kind research from the 2024 Verizon Payment Security Report

New research from Source Defense included in the 2024 Verizon Payment Security Report sheds light on the ever-growing use of 3rd party digital supply chain partners in modern website design. It highlights the risks these partners introduce to data security and data privacy compliance – and the need to focus on protecting data at the point of input, as it is being captured in online webforms. Use this research to better understand eSkimming, Magecart, digital-skimming and click-jacking attacks, and to inform your organization on the need to adopt eSkimming security controls.

The modern website now has its own third-party supply chain – an area of 3rd party risk management that has been overlooked for far too long.
Comprehensive analysis of 7,000 of the world’s largest websites reveals a disconcerting landscape dominated by 3rd and 4th party scripts which are neither vetted, managed, nor secured.

This uncontrolled code leads to data leaks which jeopardize data privacy compliance – and more alarmingly, has become a favored attack vector of cyber criminals conducting eSkimming attacks. The time has come to understand the issue and address it – one major reason the Payment Card Industry Data Security Standard (PCI DSS) now requires a focus on eSkimming security under PCI DSS 4.0.x.

Get access to the full report.

Produced in collaboration with Verizon as part of the prestigious Verizon Payment Security Report (2024), this research provides crucial insights into the rise and risk of third-party scripts on modern websites. It covers essential topics such as:

  • Background and Threat Surface Analysis: Shedding light on the need to protect data at the point of input, providing details on cybercrime actions related to eSkimming, and detailing the reasons PCI DSS 4.0.1 now requires eSkimming security controls
  • Benchmarking: Exploring the use of third-party digital supply chains across the largest websites in the world 
  • Script Analysis: Breaking down the most common types of scripts found, their purpose and their prevalence
  • Risky Behaviors: Detailing behaviors which put data privacy compliance in jeopardy and make malicious attacks easy for our adversaries

Why Download This Report?

Cybercriminals are increasingly targeting third-party scripts to steal data at the point of input, shifting focus from traditional data in transit or at rest. They exploit vulnerabilities in these scripts to inject malicious code and capture sensitive information, such as payment details and personal credentials, as it’s entered into online forms. These attacks, commonly known as Magecart, e-skimming, and form-jacking, pose a major threat to consumer data security.

Arm yourself with the best understanding of the issue so you can work to solve the problem for your organization.

For more on the Verizon 2024 Payment Security report you can find the full Verizon PSR Report on the Verizon website.

About Source Defense

As a PCI Participating Organization and the pioneer in eSkimming security, Source Defense played a role in the development of new requirements for web security found in PCI DSS 4.0.

We’ve helped thousands of the world’s leading brands address these issues. We’ve also been educating merchants, QSAs, PSPs, eCommerce Platform providers and virtually every stakeholder in PCI compliance on the vulnerabilities in modern website design that make eSkimming attacks possible. We’ve made it our mission to provide guidance around ambiguity in the standard and to advise on the pros and cons of approaches provided by the council, and we recently launched a free assessment, monitoring and management solution for both merchants and their QSAs.
