by Source Defense
We closed November with a new milestone: 1.14 billion protected pageviews across the global brands that rely on Source Defense. It’s a strong month in general, but it also reflects what happens when holiday traffic and modern eCommerce complexity collide. More users in checkout, more third-party code executing in the browser, more opportunities for attackers to slip in unnoticed.
This time of year is when eSkimming activity typically rises. Retailers push new features and promotions into production, marketing teams add and update scripts, and attackers know there’s a larger pool of consumers entering payment and personal data. It’s the moment when eSkimming protections either work or they don’t.
The scale of what we protected in November reinforces why our approach is needed. Third and fourth-party scripts remain one of the most under-managed parts of the modern web stack. Verizon and Source Defense’s data shows more than 40 percent of observed scripts on payment pages come from these external partners, with thousands of them accessing PII, payment data, or credential fields that should never be exposed at the browser level. This is the surface attackers target, especially during heavy seasonal traffic.
Our behavior-based model prevented malicious and unauthorized script behavior in real time without interfering with checkout flow. This is a critical distinction from traditional approaches like CSP or SRI. Those options are static, brittle, and difficult to maintain. They can help with parts of PCI DSS, but they rarely hold up under dynamic, high-traffic site changes. Coalfire and VikingCloud reached the same conclusion in their independent reviews: Source Defense stops keylogging, script injection, DOM manipulation, and unauthorized data access attempts before they lead to theft or tampering.
This November also served as one of the first major peak-traffic periods under full enforcement of PCI DSS 4.0.1. Requirements 6.4.3 and 11.6.1 mandate full inventory, authorization, integrity checks, and ongoing monitoring of every script running on payment pages. These controls are now table stakes. Our platform was designed from the ground up to support these requirements with automated inventory, continuous behavior monitoring, policy enforcement, and push-button reporting that simplifies audit work for both merchants and QSAs.
The 1.14 billion protected pageviews are a proof point of something we’ve been building toward since 2016. Source Defense created the eSkimming security category, helped shape the PCI DSS requirements, and works with more than 1,000 of the world’s leading brands and countless more to close a gap that server-side tools cannot solve. November just showed the scale of that work in action.
If you want a readout on what ran in your users’ browsers during the holiday rush or how many third and fourth-party scripts touched sensitive data fields, we can run a quick assessment and walk through the findings.