Events
Connect with us at the following upcoming events:
Conferences
April 16-17
CS5
San Diego, CA
April 28-30
May 3-6
TPA 2026
Savannah, Georgia
Webinars
March 4
Decentralized and Vulnerable: Why Higher Ed Is the Perfect Target for Modern E-Skimming
1:00 pm - 2:00 pm CST
Many higher education institutions still haven’t addressed e-skimming or fully met the PCI DSS compliance requirements, while others believe their strengthened controls, such as CSP, SRI, and payment‑page monitoring, put them in a stronger position than they actually are. Attackers, however, haven’t stood still.
Modern e-skimming campaigns are engineered to bypass these defenses, leaving institutions unknowingly exposed across systems that often fall outside traditional PCI or security focus.
For higher education, this risk is magnified by the sheer diversity of online transaction paths: tuition and fee payments, online bookstores, athletic ticketing, performing arts and campus events, alumni giving and donation platforms, and department-level microsites.
Each represents a separate entry point for attackers, often built by different teams, vendors, or third parties, and often sharing scripts across the broader digital ecosystem.
We’ll examine how modern campaigns exploit trusted services, abuse tag managers, and move upstream of checkout, creating blind spots that disproportionately affect decentralized environments like higher education.
We’ll cover:
- Why e-skimming continues to accelerate, with dozens of active campaigns targeting tens of thousands of sites across multiple platforms & geographies
- How attackers bypass CSP, SRI, & PCI DSS 4.0.1-aligned controls, including abuse of “trusted” services & allowlisted scripts
- Why focusing only on the payment page misses real risk across the full path to checkout, including donation flows, ticketing, & account creation
- The limits of iframe hardening & payment outsourcing, & what responsibility remains with the institution
- Practical ways to validate that controls actually prevent data exfiltration, not just detect changes after the fact
Learn where real risk exists today, why traditional approaches fall short, & how to move forward with confidence across every online payment & donation experience.