by Source Defense

Every holiday season, attackers shop for the same thing your customers do: checkout pages.
According to Verizon’s 2024 Payment Security Report, over 7,000 merchant websites were analyzed and nearly 52,000 scripts were found running on payment pages, 40% of them directly touching payment or personal data. That’s a 50% increase in just one year.

This surge underscores what the PCI Council has long warned: the browser is now the most targeted point of compromise in digital commerce. As online traffic spikes, attackers target client-side code to steal customer data before it reaches your secure environment.

The Browser: The New Front Line

Most eCommerce breaches no longer start on your servers; they begin inside your customers’ browsers. Modern websites depend on analytics tags, personalization widgets, chatbots, and ad networks, all powered by third- and fourth-party JavaScript. These scripts create one of the largest and least-monitored attack surfaces in digital commerce.

Verizon’s analysis calls this a “fundamental weakness in modern website design” and warns that malicious scripts often persist for weeks before detection. Attackers no longer need to break into your network. They simply compromise a trusted script your page already loads.

What’s at Stake: Revenue and Reputation

A compromised checkout page doesn’t just steal data; it steals confidence. Slow performance, redirect loops, or a single browser warning can tank conversion rates. Nearly one in five shoppers abandon a purchase if a site feels insecure. Beyond lost sales, organizations risk regulatory fines and reputational damage under PCI DSS 4.0.1, GDPR, and state privacy laws.

PCI DSS 4.0.1: Raising the Bar on Browser Security

PCI DSS 4.0.1 shifts part of compliance into the browser itself. Two new requirements (6.4.3 and 11.6.1) mandate continuous visibility and control over scripts executing in consumers’ browsers:

  • 6.4.3 – Inventory and authorize all scripts running on payment pages, verify their integrity, and justify their business purpose.
  • 11.6.1 – Continuously monitor for unauthorized changes or tampering with payment page code.

These mandates close a long-standing gap in eCommerce security. As Coalfire explains in its Holistic Approach to Protecting Credit Card Payment Flows, PCI DSS 4.0.1 “brings preventive and detective controls directly to the client side” and requires merchants to stop unauthorized code as it executes in the consumer’s browser.

Why Traditional Tools Can’t See It

Web Application Firewalls, SIEMs, and intrusion detection systems all monitor traffic after it reaches your infrastructure. Magecart-style eSkimming occurs entirely in the browser, before data ever hits your secure environment. Without real-time visibility into what scripts are doing on the page, these attacks remain invisible until after the damage is done.

Building a Layered Defense: CSP, SRI, and Behavior-Based Controls

Content Security Policy (CSP) and Subresource Integrity (SRI) remain useful hygiene measures. CSP restricts where scripts may load from, and SRI verifies that a fetched file matches a known hash, but both rely on static rules and hashes that can’t adapt to the dynamic, partner-driven nature of modern eCommerce. As the PCI Council and leading QSAs warn, these controls alone are insufficient and often introduce operational overhead or false confidence.

That’s why independent assessors now validate behavior-based defenses as a required complementary layer. In VikingCloud’s 2024 Technical Review of Source Defense Protect, the firm tested multiple attack scenarios and confirmed that Source Defense “effectively mitigated attacks specific to PCI DSS requirements 6.4.3 and 11.6.1” when properly configured. The lab observed real-time blocking of keylogging and supply-chain script injection attacks, all with just two lines of deployment code.

Coalfire’s assessment reached the same conclusion: the Source Defense platform “offers protective and detective technical controls that directly address the intent of PCI DSS 4.0” by actively managing script behavior and maintaining authorization evidence for QSA review.

Getting Ready for Peak Season

Before the holiday rush:

  • Inventory every script on your checkout and login pages, and document its purpose.
  • Audit third- and fourth-party vendors for how they handle updates and incidents.
  • Deploy runtime protection that isolates or blocks unauthorized scripts in real time.
  • Monitor continuously, not periodically—scripts can change daily.
  • Integrate alerts into your SIEM, WAF, or SOC workflows to close visibility gaps.

Beyond Compliance: Protecting Trust at the Point of Entry

eSkimming security isn’t just about passing audits; it’s about protecting the experience that drives your brand. Coalfire summarized it best: “The most successful organizations see risk with clear eyes and manage it proactively. Not just for compliance, but for business resilience.”

As online volumes peak, the browser is part of your attack surface. Visibility, authorization, and real-time control at that layer are no longer optional; they’re compliance requirements and essential to protecting both customer data and customer confidence.

Learn how Source Defense helps organizations secure their checkout flows and meet PCI DSS 4.0.1 standards. Request a demo today.

Take the Next Step

Ready to see how Source Defense can protect your payment pages and simplify PCI DSS compliance?

In minutes, we’ll show you how our behavior-based security platform delivers real-time visibility into every script running on your site, blocks malicious activity before it happens, and keeps you aligned with PCI DSS requirements 6.4.3 and 11.6.1.

Protect customer data. Streamline compliance. Source Defense makes it simple to do both.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
