by Source Defense

Merchant acquirers sit at the center of the digital payments ecosystem. You manage risk across tens of thousands of merchants, interface with the card brands, and carry reputational exposure when fraud trends spike.

Today, one of the most persistent and under-controlled risks in your merchant portfolio is eSkimming. The good news is that, unlike any other issue you’ve ever faced, the eSkimming problem has a solution that eliminates the need for merchants to individually adopt, deploy, manage and report on compliance: a solution from Source Defense that puts the power completely in your hands as an acquirer, so you can take control without any merchant holdup.

The Risk Your Merchants Introduce and Why It Matters to You

eSkimming, also known as Magecart or digital skimming, targets the client side of the website – the JavaScript running in the consumer’s browser. Attackers inject malicious code into first- or third-party scripts and steal payment card data at the point of input, before it ever reaches the merchant’s server.

Verizon’s 2024 Payment Security Report, produced in partnership with Source Defense, highlighted the explosive growth of third- and fourth-party scripts across ecommerce sites and the associated blind spot in client-side security. The average payment page contains dozens of scripts, many of which access sensitive data.

For acquirers, this creates a systemic exposure:

  • Fraud losses and chargeback pressure
  • Card brand scrutiny
  • Portfolio-level compliance gaps
  • Increased reporting and remediation costs
  • Brand damage by association

PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 now explicitly mandate that merchants of all levels implement eSkimming controls, from script inventory, to authorization, to tamper detection and rapid response or, better yet, full-on prevention. Yet the majority of merchants (90+%), especially Levels 3 and 4, remain unprepared.

Waiting for tens of thousands of merchants in your portfolio to individually solve this problem is not a strategy. It is a liability and a recipe for disaster.

A Portfolio-Level Solution – Not a Merchant-by-Merchant Project

The fastest way to reduce eSkimming risk across your ecosystem is not to chase individual merchants. It is to address the problem at the acquiring level.

Source Defense enables merchant acquirers to:

  • Deploy client-side protections across entire merchant portfolios
  • Standardize script authorization and monitoring controls
  • Gain macro-level visibility into client-side risk exposure
  • Generate compliance reporting aligned to PCI DSS 4.0.1
  • Demonstrate proactive fraud prevention leadership to the card brands

Instead of waiting years for organic adoption, acquirers can drive risk reduction virtually overnight.

Why Source Defense – And Why Now

Source Defense pioneered client-side security in 2016 and has played an active role in shaping PCI DSS 4.0.1 requirements as a Principal Participating Organization with the PCI Council and as a member of the PCI Board of Advisors.

The platform:

  • Is the only one to offer rapid deployment options for merchant acquirers and a portfolio-level view into merchant risk
  • Uses patented, behavior-based JavaScript sandboxing to isolate and control scripts in real time
  • Automatically inventories, authorizes, and monitors payment page scripts
  • Supports PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1
  • Has been reviewed by leading QSACs including Coalfire and VikingCloud

Beyond technology, Source Defense is working directly with Mastercard through the Mastercard Start Path Security Solutions program to combat eSkimming globally.

Mastercard has identified eSkimming as a priority fraud vector and is actively collaborating with Source Defense to increase ecosystem-wide visibility and prevention. The fastest path to impact runs through merchant acquirers.

Strategic Advantage for Acquirers

Working with Source Defense allows you to:

  1. Reduce Fraud at the Source
    Protect your entire portfolio from eSkimming risk – before data exfiltration occurs.
  2. Strengthen Card Brand Relationships
    Demonstrate proactive portfolio-level risk management aligned with Mastercard’s fraud mitigation vision.
  3. Improve Compliance Oversight
    Gain centralized visibility into merchant client-side controls, reducing audit friction and reporting complexity.
  4. Differentiate in a Competitive Market
    Offer embedded eSkimming protection as a value-added capability for merchants as well as a potential revenue source for your organization.
  5. Mitigate Financial Exposure
    Portfolio-level protection reduces cumulative exposure.

The Reality: This Risk Will Not Self-Correct

Our 2025 eSkimming Landscape research documented more than 90 distinct campaigns targeting thousands of ecommerce sites globally. Attackers now weaponize Google Tag Manager, abuse trusted cloud services, inject double-entry payment overlays, and bypass static controls.

This is not a fringe threat. It is industrialized.

Acquirers who wait for merchant adoption will continue to absorb downstream risk.

Acquirers who lead can materially reduce fraud across their ecosystems.

Let’s Have a Strategic Conversation

If you are responsible for fraud, compliance, portfolio risk, or card brand reporting, this is the moment to move from reactive remediation to proactive prevention.

Engage Source Defense for a strategic-level discussion and demonstration of how client-side security can be deployed across your entire merchant ecosystem.

Contact our team directly at info@sourcedefense.com to schedule a conversation. Together with Mastercard and the broader PCI community, we are working to eradicate eSkimming. The fastest and most scalable way to do that is through partnerships with merchant acquirers.

Now is the time to act.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
