by Source Defense
Payment Service Providers occupy a uniquely influential position in the digital ecosystem. Merchants trust PSPs to secure transactions, handle sensitive data, and provide guidance on compliance and best practices. Yet as client-side attacks grow more sophisticated, many PSPs are still focused primarily on backend and payment-flow security.
That focus is no longer enough.
Supply chain attacks targeting third-party website scripts pose a direct risk to merchants, even when payment systems themselves remain uncompromised. PSPs must evolve their approach to education and partnership with merchants to reflect this reality.
Why Merchant Risk Extends Beyond the Payment Flow
Modern eSkimming attacks often bypass payment gateways entirely. Instead, attackers compromise scripts that load across merchant websites, capturing sensitive information by injecting fake forms, fake fields or redirecting consumers to domains under their control.
From the merchant’s perspective, the damage is the same – or worse. Data breaches, regulatory scrutiny, loss of customer trust, and reputational harm all occur regardless of whether payment infrastructure was technically breached.
PSPs cannot treat this as “out of scope,” and they can’t falsely guide merchants into a sense of security by stating that because they have hardened iFrames, sites are secure from eSkimming attacks.
Where PSPs Fall Short Today
Many PSPs continue to emphasize:
- Secure APIs and tokenization
- Backend transaction monitoring
- Hardened iFrames as a magic cure for eSkimming attacks
- Compliance checklists focused on server-side controls
While these measures remain important, they leave a major gap on the client side. Merchants often assume their PSP has addressed these risks – or at least warned them appropriately – when that is rarely the case.
What PSPs Should Be Doing in 2026
To truly protect merchants, PSPs must expand their responsibilities in several key areas:
- Education: Helping merchants understand that third-party scripts represent a real attack surface, even outside checkout pages
- Guidance: Recommending site-wide client-side monitoring and behavioral controls as part of a complete security posture
- Alignment: Working to update compliance mandates and guidance to reflect modern attack techniques
- Partnership: Integrating or endorsing solutions that provide full visibility and enforcement through behavior-based approaches
This is not about replacing existing controls. It’s about acknowledging that the browser has become a primary battleground.
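As an added illustration of what the "client-side monitoring and behavioral controls" recommended above actually look like in a browser, the following JavaScript (written for this article, not Source Defense's product code) models the eSkimming pattern described earlier: a form or field that collects card data but posts it somewhere the merchant never intended, or that was injected by a script the merchant does not trust. The origin allow-lists, the field-name pattern and the sample form descriptions are all constructed assumptions; the `assessForm` function is pure and runs anywhere, while `installObserver` wires it to a `MutationObserver` and only activates in a real browser.

```javascript
// Added example (not Source Defense's code): flag checkout forms and fields
// that the merchant page did not ship with, or that send card data off-site.
// ALLOWED_ORIGINS: origins that may legitimately receive card data.
// TRUSTED_SCRIPT_ORIGINS: script origins allowed to build checkout UI.
// Both lists are constructed for this example.
const ALLOWED_ORIGINS = ['https://shop.example', 'https://checkout.psp.example'];
const TRUSTED_SCRIPT_ORIGINS = ['https://shop.example', 'https://checkout.psp.example'];

// Field names that usually hold payment-card data (constructed heuristic).
const CARD_FIELD = /(card|ccnum|pan|cvv|cvc|cvn|expir)/i;

// Assess one form description and return a list of finding strings.
// form = { pageOrigin, action, fields: [{ name, autocomplete, injectedBy }] }
//   injectedBy: origin of the script that inserted the field, or null when
//   the field was part of the server-delivered HTML.
function assessForm(form, allowed = ALLOWED_ORIGINS, trusted = TRUSTED_SCRIPT_ORIGINS) {
  const findings = [];
  const cardFields = form.fields.filter(
    f => CARD_FIELD.test(f.name || '') || /^cc-/.test(f.autocomplete || '')
  );
  if (cardFields.length === 0) return findings; // no sensitive fields: nothing to check

  // Resolve the form action against the page so relative paths are handled.
  let actionOrigin = null;
  try {
    actionOrigin = new URL(form.action || '', form.pageOrigin).origin;
  } catch {
    findings.push('unparseable-action');
  }
  if (actionOrigin && !allowed.includes(actionOrigin)) {
    findings.push(`card-data-to-unexpected-origin:${actionOrigin}`);
  }
  // A card field inserted at runtime by an untrusted script is the classic
  // "fake field" injection described in the article.
  for (const f of cardFields) {
    if (f.injectedBy && !trusted.includes(f.injectedBy)) {
      findings.push(`card-field-injected-by-untrusted-script:${f.name}:${f.injectedBy}`);
    }
  }
  return findings;
}

// Browser side: watch the DOM and assess any form that gains nodes after load.
// Returns false (and does nothing) outside a browser, e.g. under Node.
function installObserver(report = findings => console.warn('eskimming-check', findings)) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return false;
  const observer = new MutationObserver(records => {
    const addedInputs = new Set();
    const forms = new Set();
    for (const r of records) {
      for (const node of r.addedNodes) {
        if (!(node instanceof Element)) continue;
        if (node.matches('input')) addedInputs.add(node);
        node.querySelectorAll('input').forEach(i => addedInputs.add(i));
        const enclosing = node.closest('form');
        if (enclosing) forms.add(enclosing);
        node.querySelectorAll('form').forEach(f => forms.add(f));
      }
    }
    for (const formEl of forms) {
      const desc = {
        pageOrigin: location.origin,
        action: formEl.getAttribute('action') || '',
        fields: Array.from(formEl.querySelectorAll('input')).map(i => ({
          name: i.name,
          autocomplete: i.autocomplete,
          // Attributing a mutation to a specific script needs instrumentation
          // this sketch does not have; post-load fields are marked as coming
          // from an unattributed dynamic script, which is never on the trusted list.
          injectedBy: addedInputs.has(i) ? 'dynamic:unattributed' : null,
        })),
      };
      const findings = assessForm(desc);
      if (findings.length) report(findings);
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return true;
}

installObserver();
```

The pure function is what gives this check its "behavioral" character: it does not care which script is loaded or what its hash is, only what the resulting form does with card data. In production the report callback would send findings to a monitoring endpoint rather than the console, and attribution of a mutation to its originating script would come from the monitoring agent rather than the placeholder label used here.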
Why This Matters to PSPs Themselves
As regulators and customers become more aware of client-side risk, PSPs will increasingly be scrutinized for the guidance they provide. Merchants look to PSPs as trusted advisors. Failing to address supply chain risk exposes not just merchants, but PSP brands as well.
The PSPs that lead in this space will differentiate themselves by offering comprehensive protection – not just payment processing.