by Source Defense
Every holiday season brings a predictable surge in online activity, and attackers are ready for it. The 2025 holiday window has already shown an increase in client-side incidents, new eSkimming techniques, and renewed attention to PCI DSS 4.0.1 enforcement.
This summary captures the key findings from the recent Source Defense Holiday Threat Briefing, including active attack trends, compliance developments, and immediate actions security and compliance teams can take.
The Holiday Surge: Why Client-Side Attacks Spike
Attackers time their campaigns to match peak online traffic. During the fourth quarter, most web teams add new promotional tags, analytics scripts, and content integrations, increasing the number of third- and fourth-party scripts running in the browser. That expansion in code directly widens the attack surface.
eSkimmers use this opportunity to blend into trusted integrations, modifying legitimate scripts rather than introducing obviously malicious ones. One case shared in the briefing described attackers injecting data-capture code into a compromised CDN-hosted marketing pixel, allowing form data to be stolen without tripping server-side defenses.
Changing Tactics: How eSkimmers Are Blending In
Modern eSkimming campaigns rely on subtlety. Rather than calling new domains, attackers compromise code from trusted vendors and operate quietly within whitelisted sources. This makes them nearly invisible to static controls like Content Security Policy (CSP) or Subresource Integrity (SRI).
Examples highlighted in the session included:
- JavaScript injected through chat widgets or tag managers that silently logged keystrokes
- Fourth-party libraries introducing new functionality weeks after original approval
- Image tags and other “safe” elements being used to exfiltrate captured data
The common theme: attacks are now designed to look like normal business activity, and without behavioral monitoring in the browser, they often go undetected.
PCI DSS 4.0.1: Enforcement and Reality Check
Panelists discussed how PCI DSS 4.0.1 has changed the compliance landscape for websites handling payments, particularly around Requirements 6.4.3 and 11.6.1.
Under Requirement 6.4.3, organizations must:
- Maintain a complete inventory of all scripts on payment pages
- Authorize and justify each script’s business purpose
- Assure the integrity of each script on an ongoing basis
Requirement 11.6.1 focuses on detection:
- Monitor payment pages and headers for unauthorized changes at least weekly
- Alert on new or modified scripts that appear without authorization
- Demonstrate to assessors that tamper detection and alerting are functioning
Speakers stressed that these requirements are now actively enforced, and assessors expect clear, auditable evidence.
CSP and SRI: Helpful but Not Enough
While CSP and SRI have legitimate uses, they are not sufficient for dynamic, third-party-heavy environments. With dozens of scripts changing daily, teams struggle to maintain CSP whitelists and SRI hashes without breaking site functionality.
Many organizations quietly disable or relax these controls after deployment. During the briefing, multiple experts agreed that CSP and SRI can serve as supporting tools, but not as substitutes for continuous, behavior-based monitoring.
The Shift Toward Behavior-Based Protection
Panelists highlighted a growing adoption of behavior-based client-side protection—solutions that analyze what scripts actually do in the browser rather than just verifying their source.
This approach:
- Detects and blocks unauthorized behavior in real time
- Prevents keystroke logging and data exfiltration during live sessions
- Reduces false positives by focusing on behavioral intent, not just file integrity
Case studies presented during the webinar demonstrated that these systems align directly with PCI DSS 4.0.1 expectations while reducing operational overhead.
How Teams Are Implementing Controls Quickly
Even during the high-traffic holiday period, teams can make measurable progress within 30 days by following a structured plan:
- Discovery: Identify all scripts across the checkout process and confirm data access points.
- Assessment: Classify which scripts handle or touch sensitive information.
- Monitoring: Deploy client-side monitoring in observation mode to capture baseline activity.
- Control: Enable isolation or redaction for risky scripts.
- Reporting: Generate weekly evidence of header monitoring and script authorization for PCI documentation.
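The 6.4.3 inventory and the weekly 11.6.1 tamper check described above, together with the plan's Discovery, Monitoring and Reporting steps, can be reduced to one repeatable comparison: snapshot the payment page and its response headers, then diff every script and header against an authorized baseline. The Python below is an added illustration, not Source Defense tooling or anything shown in the briefing; the vendor domains, script contents, CSP values and page snapshot are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()
# Constructed approved script contents; the baseline hashes are derived from them.
APPROVED_PIXEL, APPROVED_INLINE = "track('pageview');", "window.checkoutReady = true;"
# Authorized inventory (6.4.3): external scripts keyed by src, inline scripts by
# "inline:<sha256>"; each entry holds the approved content hash and business purpose.
BASELINE_SCRIPTS = {
    "https://cdn.example-vendor.test/pixel.js": (sha256(APPROVED_PIXEL), "marketing attribution"),
    f"inline:{sha256(APPROVED_INLINE)}": (sha256(APPROVED_INLINE), "checkout bootstrap")}
BASELINE_HEADERS = {"content-security-policy": "script-src 'self' https://cdn.example-vendor.test"}
class ScriptCollector(HTMLParser):  # collects each <script> tag as {"src": ..., "body": ...}
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def check_payment_page(html, headers, served, baseline_scripts, baseline_headers):
    # served maps each external src to the content actually delivered on this run.
    parser = ScriptCollector()
    parser.feed(html)
    findings = {"unauthorized": [], "modified": [], "headers": []}
    for s in parser.scripts:
        body = served.get(s["src"], "") if s["src"] else s["body"]
        ident = s["src"] or f"inline:{sha256(body)}"
        if ident not in baseline_scripts:
            findings["unauthorized"].append(ident)  # new script with no 6.4.3 authorization
        elif baseline_scripts[ident][0] != sha256(body):
            findings["modified"].append(ident)      # known script whose content changed
    lower = {k.lower(): v for k, v in headers.items()}
    findings["headers"] = [n for n, v in baseline_headers.items() if lower.get(n) != v]
    return findings
# Constructed weekly snapshot: the vendor pixel now carries injected code, an unapproved
# chat loader appeared, and the CSP header was relaxed to allow any script source.
PAGE = ('<script src="https://cdn.example-vendor.test/pixel.js"></script>'
        '<script src="https://chat.example-widget.test/loader.js"></script>'
        '<script>window.checkoutReady = true;</script>')
SERVED = {"https://cdn.example-vendor.test/pixel.js": APPROVED_PIXEL + "/* injected */",
          "https://chat.example-widget.test/loader.js": "loadChat();"}
HEADERS = {"Content-Security-Policy": "script-src *"}
```

Running `check_payment_page(PAGE, HEADERS, SERVED, BASELINE_SCRIPTS, BASELINE_HEADERS)` flags the modified pixel, the unauthorized chat loader and the changed CSP header; the returned dictionary, stored with a timestamp each week, is the kind of evidence an assessor asks for under 11.6.1.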
Speakers closed by emphasizing that success depends on collaboration across AppSec, Compliance, and Digital teams. The goal is visibility, accountability, and real-time control without slowing business operations.
The 2025 holiday season has reinforced one truth: attackers follow opportunity. As digital commerce peaks, so do attempts to steal data from the browser. With PCI DSS 4.0.1 now fully enforceable, organizations that can demonstrate continuous monitoring and control of client-side activity will be the ones best prepared for real security.
Watch the full Holiday 2025 Threat Briefing replay on the Source Defense website to see the data and examples discussed.