Many institutions believe they’ve addressed e-skimming. Some have invested in CSP, SRI, and payment-page monitoring. Few realize how far attackers have advanced beyond those defenses.
This presentation examines how modern e-skimming campaigns are designed to evade the controls institutions rely on most, exploiting trusted services, hijacking tag managers, and striking well before checkout.
In decentralized environments like higher education, the blind spots created by these tactics are wide, and the exposure is rarely caught by traditional PCI or security programs.
Key topics covered:
- Why e-skimming continues to accelerate, with dozens of active campaigns targeting tens of thousands of sites across multiple platforms & geographies
- How attackers bypass CSP, SRI, & PCI DSS 4.0.1-aligned controls, including abuse of “trusted” services & allowlisted scripts
- Why focusing only on the payment page misses real risk across the full path to checkout, including donation flows, ticketing, & account creation
- The limits of iFrame hardening & payment outsourcing, & what responsibility remains with the institution
- Practical ways to validate that controls actually prevent data exfiltration, not just detect changes after the fact
Speaker:
Steve Ward
CMO
Source Defense
Stop Attacks Before They Reach Your Customers
ScriptSafe protects against client-side threats, including keylogging, formjacking, e-skimming, and Magecart, by extending your security coverage from the server all the way to the browser. It also helps you meet PCI DSS, GDPR, and CCPA requirements by blocking third-party scripts from accessing or storing sensitive data on your site.