by Source Defense
In 2025, the digital storefront remains a prime target for attackers, and the battle against eSkimming, the theft of customer data directly at the point of input, has never been more urgent. Yet many merchants, auditors, and even regulators are confusing compliance with security. The result is a dangerous illusion of safety fueled by misplaced faith in outdated tools like Content Security Policy (CSP) and Subresource Integrity (SRI), and the assumption that protecting the payment page alone protects against eSkimming attacks.
Compliance with PCI DSS 4.0.1 as written does not guarantee protection from modern eSkimming threats. The gap between the two could not be wider.
Compliance by Checkbox: How PCI DSS Misses the Mark
PCI DSS 4.0.1 introduced requirements 6.4.3 and 11.6.1 to address script inventory, authorization, and tamper detection: clear evidence that the Council now recognizes the browser as a critical part of the payment ecosystem. This makes sense given recent statements from the card brands that eSkimming is now a leading form of fraud, and findings from the 2024 Verizon Payment Security Report, which show that nearly 40% of payment-page scripts can access sensitive data, with an average of 18 scripts per checkout page. Many of these scripts come from third- and fourth-party sources.
While these new requirements are a step forward, they still fall short of addressing how eSkimming actually occurs. PCI DSS guidance cites CSP and SRI as potential controls despite overwhelming evidence that these are not true security measures. They may satisfy a checkbox, but they do not stop real attacks.
The Fatal Flaws of CSP and SRI
For years, merchants have been told that CSP and SRI would protect their sites from client-side attacks. In theory, they sound appealing:
- CSP limits where scripts can load from.
- SRI verifies that a script’s hash has not changed.
In practice, today’s web is dynamic. Scripts are constantly updated through tag managers, personalization engines, and marketing platforms. Each change requires a new hash or whitelist entry, creating maintenance headaches and inevitable blind spots.
Attackers exploit this complexity by compromising trusted sources, injecting malicious code into analytics tools, chat widgets, or CDNs. These are often whitelisted by CSP and therefore fully trusted by the browser.
CSP and SRI can tell you where a script came from, but not what it is doing right now. Once a source is trusted, its behavior becomes invisible. Studies show that over 90% of whitelisted scripts in real-world CSP deployments have known bypasses or weaknesses.
This is why the PCI Council’s own eCommerce Guidance Taskforce, comprising more than 80 security experts, warns merchants not to rely on CSP or SRI for eSkimming defense. These static controls fail to detect or prevent data theft in real time.
The False Sense of Security
The most troubling aspect is that PCI DSS can reinforce this illusion. By referencing CSP and SRI as potential controls, merchants and even QSAs can mistakenly believe they have checked the box. But this approach confuses compliance artifacts for actual protection.
The truth is simple:
CSP and SRI can help with compliance.
They do not make you secure.
Attackers know this. They compromise the very vendors and content delivery networks merchants trust most. The browser, which executes every line of JavaScript, becomes the attack surface, and compliance tools that do not monitor runtime behavior leave it wide open.
The PCI Focus Problem: Payment Pages Alone Are Not Enough
PCI DSS’s focus on payment pages compounds the issue. Source Defense research, supported by findings from PCI Forensic Investigators (PFIs) and industry partners, shows that most eSkimming campaigns begin upstream, long before a user reaches the payment page.
Attackers compromise marketing and analytics scripts on landing or product pages, injecting code that redirects customers to fake payment forms or intercepts data mid-session. In these cases, protecting the payment page is meaningless. The compromise happens long before checkout.
Compliance at checkout does not equal security across the customer journey.
The Behavior-Based Solution: Real Protection for a Dynamic Web
To close this gap, organizations must shift from trust-based controls to behavior-based ones. Source Defense’s behavioral enforcement technology represents this evolution. Instead of trying to predefine safe scripts, it continuously monitors and controls what scripts actually do in real time within the browser.
Scripts are dynamically sandboxed and categorized into isolation, monitoring, or blocking modes, ensuring that no unauthorized data leaves the page regardless of origin or whitelisting. This proactive defense not only meets but often exceeds PCI DSS 6.4.3 and 11.6.1 requirements by automating script inventory, authorization tracking, and behavioral auditing.
Behavior-based enforcement turns PCI compliance from a manual, reactive process into an automated, real-time protection model. It provides the evidence, not assertions, that QSAs need to validate compliance, while delivering genuine defense against client-side attacks.
The Takeaway: Compliance Is the Floor, Not the Ceiling
As eSkimming threats evolve, organizations must stop confusing passing the audit with being secure. CSP and SRI, though well intentioned, are relics of a simpler web and cannot stop modern browser-based attacks. The current PCI DSS guidance, focused too narrowly on the payment page and static controls, creates a false sense of security that benefits attackers more than defenders.
True eSkimming protection requires continuous behavioral monitoring of every script across the customer journey. Compliance is important, but it should be seen as the baseline, not the finish line.
For merchants, governance leaders, and QSAs alike, the question is no longer “Do we comply?” but “Are we truly protected?”
Source Defense helps ensure the answer is yes, with automated, behavior-based controls that secure every session, every script, and every customer interaction. Because when it comes to protecting your customers and your brand, one truth remains:
Trust is not a control. Behavior is.