Strategies for Protecting University Research Funds

Article E-Skimming

February 3, 2026

University Research Funds

Universities use policies, approvals, and layered financial controls to safeguard their research funding. Despite these measures, research funds remain at risk since transactions are handled through web browsers, which are often targeted by cyber attackers.

Various types of payments, such as conference registrations, lab service fees, continuing education connected to grant-funded centers, and donations to research initiatives, are frequently processed online.

If a payment page is compromised, the consequences extend far beyond simple fraud; institutions must manage incident response, reputational damage, and difficult discussions about how the breach occurred, all in an environment with limited resources.

A significant challenge arises from risks in the client-side supply chain. Third-party scripts, tag managers, and quick web updates can introduce vulnerabilities that traditional security controls might not detect.

In this article, we examine the current nature of these risks, outline the requirements that PCI DSS asks teams to demonstrate, and present a practical approach to protecting research-related revenue streams without creating excessive operational overhead.

Why Research Dollars Are a Tempting Target

Higher ed payments are decentralized by nature. Research programs and their supporting sites often span:

  • Multiple departments and subdomains
  • A mix of centrally managed and locally managed web properties
  • Third-party platforms for events, donations, and program services
  • A long list of analytics, accessibility, chat, marketing, and payment-related scripts

That final item is particularly notable, as it often attracts attention from malicious actors.

Client-side attacks like Magecart and e-skimming work by injecting or modifying scripts that run in a user’s browser. If attackers can influence what runs on the page, they can skim payment data in real time or trick users into entering it into a convincing fake form.

What Modern E-Skimming Actually Looks Like

If you think skimming is just a strange new script tag, it’s time to rethink that. Attackers now use trusted tools like Google Tag Manager (GTM), and the threats go beyond simple field-skimming malware, including:

  • Double-entry attacks
    Attackers overlay a fake payment form on top of a legitimate checkout flow. The user thinks they are paying, but they are handing data to the attacker first. These attacks can bypass approaches that only protect a payment iframe.
  • Silent Skimming
    In this scenario, there are no visible signs of interference; user data is discreetly collected as it is entered and may be stored and transmitted later using methods designed to avoid basic detection mechanisms.
  • First-party trust exploitation
    Attackers are increasingly targeting first-party scripts because many security solutions and protocols tend to assume that resources originating from the organization’s own domain are inherently trustworthy.

If your research program depends on websites that receive payments or donations, remember: the browser is an essential part of your payment system, even if it isn’t shown in your network diagram.

The PCI Angle: What Teams Are Expected to Control and Prove

PCI DSS 4.0.1 brought sharper expectations for e-commerce payment page security, specifically around scripts and page integrity. Two requirements matter most for client-side risk:

  • Requirement 6.4.3: Maintain visibility and control over scripts on payment pages, including an inventory, documented justification, and assurance that scripts are authorized.
  • Requirement 11.6.1: Detect and respond to changes or tampering on payment pages so unauthorized modifications do not persist unnoticed.

Auditors require consistent processes and clear evidence, not just assurances. For many higher ed teams, lacking automation means demonstrating control over scripts becomes a tedious task of maintaining spreadsheets and screenshots.

A Practical Playbook for Protecting Research-related Payment Flows

The pragmatic approach outlined below aligns with how modern skimmers operate and what compliance teams typically need to show.

  • Pinpoint where research funding interacts with browsers
    Start with a simple inventory:

    • Sites that accept payments tied to research programs (events, services, fees)
    • Donation and giving pages tied to research initiatives
    • Third-party platforms embedded into university pages (payment widgets, forms, iframes)

    Attackers do not always wait for the “payment page.” They target the steps before it (cart, registration, account creation) and use the broader journey to stage attacks.

  • Reduce script sprawl (especially in tag managers)
    If GTM is your “single pane of glass,” attackers see it as a single point of failure. Tighten governance:

    • Restrict who can publish container changes
    • Require approvals and documented business justification for new tags
    • Review and remove unused tags on a schedule

    This is not just hygiene. Tag managers have become a popular entry point for intrusion because they are powerful, widely trusted, and often lightly governed.

  • Build and maintain a script inventory with justification
    What “good” looks like in practice:

    • A living inventory of scripts present on in-scope pages
    • Documented business purpose and owner for each script
    • A defined review cadence (and evidence it happens)

    If you cannot answer “What is this script for, and who approved it?” you do not have control. You have hope.

  • Monitor for change, not just presence
    Modern attacks are often happy to tweak an existing script, rather than create a new one. Change detection needs to identify and alert on:

    • New scripts
    • Modified scripts
    • Unexpected network destinations contacted by scripts
    • Suspicious behavior on the page

    This is the spirit of payment page change-and-tamper detection: you need to know when something changes, and you need to know quickly.

  • Make incident response real for browser-based compromise
    Treat client-side compromise as its own scenario:

    • Define what triggers investigation (alerts, anomalies, third-party notifications)
    • Pre-assign responsibilities across web, security, compliance, and treasury
    • Run tabletop exercises at least annually

    When the problem shows up as “donors are calling about fraud,” it is too late to debate who owns the web layer.

  • Centralize evidence so you are not scrambling before assessment time
    PCI compliance is difficult enough without turning evidence gathering into a scavenger hunt. Centralize:

    • Script inventories and approvals
    • Monitoring alerts and investigation notes
    • Remediation records
    • Change logs for web properties and tag managers

    The goal is boring on purpose: when auditors ask, you can answer with artifacts, not archaeology.

  • Use defense-in-depth controls, but do not pretend they are a complete solution
    Controls like SRI and CSP are useful. They can reduce risk and make certain attack paths harder. At the same time, attackers increasingly abuse trusted sources and services that may already be allowlisted. Use CSP and SRI as one layer, but pair them with monitoring that can catch abuse of “trusted” channels.

Where ScriptSafe Fits

ScriptSafe helps teams close the client-side visibility and oversight gap without adding a pile of manual work.

For institutions trying to protect research funding, the value is straightforward:

  • Visibility into scripts running on payment-related and donation pages
  • Continuous monitoring and alerting for unauthorized changes
  • Stronger control over what is allowed to execute in the browser
  • Cleaner evidence to support PCI requirements tied to script governance and payment page integrity

In other words: fewer blind spots in the browser, faster detection of sketchy changes, and fewer surprises when someone asks, “How do you know your payment pages are not running unauthorized code?”

Key Takeaways

  • Research funding is exposed anywhere your institution collects payments or donations through web experiences, and attackers increasingly target the browser.
  • Skimming techniques now include overlays, silent background harvesting, and abuse of trusted tools like tag managers.
  • PCI expectations for e-commerce payment page security center on controlling scripts and detecting tampering.
  • ScriptSafe can reduce the manual burden by providing monitoring, visibility, and control aligned to those expectations.

If you need clearer visibility into what is running on your payment-related pages and a cleaner path to demonstrating control for PCI, contact us to request a free ScriptSafe demo or get started.

Request a Demo

Share

About the Author
CampusGuard Logo

CampusGuard Marketing

Related Content

Article

Protecting Research Integrity Through Awareness Training

Protect your institution’s research from cyber threats. Learn how awareness training helps recognize insider risks, safeguard sensitive data, & maintain the integrity of cutting-edge academic discoveries.

Online Training
Prevent Research-Driven Attacks about the Protecting Research Integrity Through Awareness Training
Checklists and Templates

Protecting Higher Education: A Complete Guide to E-Skimming Defense

Download Protecting Higher Education: A Complete Guide to E-Skimming Defense Guide & Checklist. Download Now!

E-Skimming
Download the Guide about the Protecting Higher Education: A Complete Guide to E-Skimming Defense
Article

PCI Guidance for SAQ A Merchants on E-Skimming Attacks

If you’re an SAQ A merchant, we have a summary of what is found in the PCI Council's guidance regarding requirements 6.4.3 & 11.6.1. Learn more!

PCI DSS
PCI Guidance for SAQ A Merchants about the PCI Guidance for SAQ A Merchants on E-Skimming Attacks