by Source Defense

For years, organizations have treated eSkimming as a narrowly defined threat. The assumption was simple: attackers want credit card data, so they target checkout pages. This flawed and myopic view of the eSkimming attack surface, and of the tactics, techniques and procedures attackers actually use, is mirrored in the guidance under PCI DSS 4.0.1, whose client-side requirements (6.4.3 and 11.6.1) are scoped to payment pages, and as a result the wider problem is left largely unaddressed. Security investments followed that logic and guidance, concentrating controls on payment forms while leaving the rest of the site relatively unguarded.

That assumption is dangerously outdated.

Modern eSkimming attacks rarely begin – or end – on the payment page. Attackers have adapted to stronger defenses and increased scrutiny around checkout flows by shifting their focus earlier in the customer journey. Instead of going after payment pages directly, they use their foothold on the compromised site to redirect consumers to counterfeit payment forms or to domains under their control. They also harvest other forms of personal data upstream, where defenses are weaker and detection is unlikely.

Login pages, account registration forms, search fields, and newsletter sign-ups have become prime targets. These areas collect names, email addresses, phone numbers, addresses, credentials, and behavioral data that can be monetized just as effectively as payment details. In many cases, attackers never touch the checkout flow at all.

This evolution reflects a broader trend in cybercrime: attackers pursue the path of least resistance. Payment pages are often protected with additional monitoring, encryption, and compliance controls. Non-payment pages rarely receive the same attention, even though a script running on them can redirect the user or inject a fake form or form field, and even though those pages themselves handle other sensitive data at scale.

The shift upstream also allows attackers to remain stealthy. By embedding malicious logic into third-party scripts that load across the site, attackers can siphon data gradually without triggering alarms. These scripts often appear legitimate, originate from trusted vendors, and behave normally most of the time. Malicious actions may only occur under specific conditions (a particular URL path, a real user rather than a scanner, developer tools closed), so a synthetic crawl or a one-off code review may never observe the malicious path at all.

Another factor driving this shift is the increasing value of personal data. Identity information fuels account takeovers, social engineering, credential stuffing, and resale markets. For attackers, a user's email and password can be as valuable as, or more valuable than, a single card transaction.

Organizations that focus solely on protecting payment pages are defending the wrong battlefield. The modern attack surface spans the entire website, and every script running anywhere on the site is a potential point of attack.

Effective defense requires full-site visibility and control. Security teams must know not just which scripts are present on which pages, but what those scripts do with user data at every stage of the journey: which fields they read, where they send data, and whether the code actually served to browsers still matches what was authorized. Without that visibility, attackers will continue to exploit blind spots, quietly extracting data long before checkout defenses ever come into play.

eSkimming protection has never really been just about payment pages, and it can no longer be treated that way. It is about site-wide protection.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
