What you need to know about Pipka

Magecart attacks have been front and center in the eCommerce world this year. Fresh on the attack scene this fall is Pipka- a new advanced threat that is strikingly similar to Magecart attacks and arguably more sophisticated.

What is the Attack?

Pipka – as named by VISA’s Payment Fraud Disruption (PFD) eCommerce Threat Disruption (eTD) due to the skimmer’s configured exfiltration point at the time of analysis. It was first seen in September 2019.

Who is Pipka Attacking?

eCommerce Websites

What is Pipka Doing?

Pipka is a javascript skimmer that targets payment information that is entered into eCommerce merchant websites. Pipka is able to remove itself from the HTML of the compromised website after it executes, therefore making detection almost impossible.

How Do Attacks Happen?

*Note this diagram depicts how Magecart attacks work and may not be exactly the way that Pipka occurred

How does Pipka Impact Customers?

Customers fill out forms and make purchases without ever realizing their data was compromised. Customers may suffer from a loss of faith in the company and consumer relationships can be damaged in addition to whatever personal loss they experienced. 

How does Pipka Impact eCommerce Retailers?

Negative Brand reputation is the most prominent impact from attacks. A quick google search will give insight to other large brands who have fallen victim to attacks and how the public and media reacted to those security breaches. 

In addition to overall brand retribution, companies have to successfully handle unhappy customers (phone lines, support centers etc) and deal with their pain and inconvenience of card information being stolen.

Are the eCommerce Retailers at Fault?

Yes! Protection for consumers ultimately falls to the eCommerce company. British Airways, Ticketmaster, Delta, and many others were all victims of similar attacks – some of them being fined heavily for their poor security practices.

Recommendations for Retailers

  • Examine your web traffic to know if you were targeted
  • Understand what organizations in your company have access to make website changes and have the ability to add 3rd party vendors. Pro-tip: Start with Security and Marketing
  • Consider a targeted attack solution: Detection is not enough. eCommerce companies should look at solutions like Source Defense that eliminate these types of threats.

Learn More


PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.

Scroll