
Digital Skimming: The Definitive Guide for 2025

December 20th, 2024 | By Joyrene Thomas | 14 min read

Money has migrated from the physical to the digital. It’s moved from bank branches and brick-and-mortar stores to online banking and E-Commerce. Criminals have migrated, too, meaning digital heists have replaced real-world hold-ups.


In the modern economy, data equals money. Worryingly, that makes almost every business, regardless of size, turnover, or industry sector, a target for digital skimming – and digital skimmers.


Every business holds data about customers, staff, or partners. Think: customer lists, payroll data and supplier bank details. Sensitive card data (card numbers, expiry dates, and 3-digit security codes) is definitely where data equals money. No wonder card fraud is a $48 billion a year problem, set to double to $100 billion by 2027.


With cybercrime and cybercriminals showing no sign of letting up, and two new PCI DSS requirements around payment pages coming into force from 1 April 2025, we look at how businesses can detect and defend against the scourge of digital skimming and stay safe online.


  • What is Digital Skimming?

  • How Much of a Problem is Digital Skimming?

  • What is the Business Impact of Digital Skimming?

  • How Does Digital Skimming Work?

  • Which Businesses Are the Main Targets for Digital Skimming?

  • How Do Magecart Attacks Relate to Digital Skimming?

  • How Did Digital Skimming Get So Big?

  • How Do Businesses Protect Against Digital Skimming Attacks?

  • What Are the Digital Skimming Requirements in PCI DSS v4?

  • How Does Jscrambler Identify the Presence of Digital Skimming?


What is Digital Skimming?


Digital skimming attacks involve stealing sensitive data inputted by users into web forms. Frequently this is payment data from online checkout pages, although it also includes personally identifiable information, or PII for short, from other web forms.


Digital skimming goes by many names, including e-skimming, data skimming, and formjacking. Then there are the more specific terms of JavaScript attacks or Magecart attacks, which hint at how digital skimmers work.


Whatever the name, the modus operandi of a digital skimming attack is similar. Criminals exploit vulnerabilities in a website’s code or infrastructure to harvest data. Digital skimming attacks are hard to detect because the payment process itself is unaffected: the customer gets their goods or service and the merchant gets paid. Both parties are unaware that a compromise may have occurred.


How Much of a Problem is Digital Skimming?


Digital skimming is a big, bad problem: big in terms of the scale of the problem, and bad in terms of the likelihood and impact for organizations and end customers or users.


Some of the biggest, worst data breaches in 2024 include telecoms giant AT&T, which confirmed in July 2024 that criminals had unlawfully accessed “nearly all” of its customers’ call and text message data for a 6-month period in 2022. This impacts not only around 110 million customers but also those they interact with.


A June 2024 cyberattack on UK pathology lab Synnovis, a blood and tissue testing lab for hospitals and health services, saw the theft of data related to 300 million patient interactions. It disrupted patient services in London for weeks, leading to thousands of operations being postponed and to the National Health Service declaring a critical incident.


Elsewhere, around 165 companies were believed to be impacted when cloud storage company Snowflake was hacked. And 560 million Ticketmaster customers had their personal data stolen by cybercriminals, who threatened to publish this on the dark web. Digital skimming attacks show no signs of letup.


What is the Business Impact of Digital Skimming?


The full costs of a data breach to a business could be massive. These include the direct costs of lost revenue, incident response, fines, and breach notification.


For example, US health insurance firm Kaiser disclosed a data breach after online tracking technologies led to the private health information of 13.4 million patients being shared with tech companies and advertisers. The US Postal Service also fell foul of using tracking pixels on its website, potentially exposing the details of 62 million users.


There are the indirect costs associated with a digital skimming attack, namely the loss of brand value, reputation, and trust. Prescriptions provider MediSecure learned this the hard way when it declared insolvency just weeks after confirming it was the victim of a ransomware data breach, affecting nearly 13 million people in Australia. 


How Does Digital Skimming Work?


In general, there are four stages in a digital skimming attack:


1. Initial breach

Criminals gain access to the source code of the server of an online store either as a first-party attack or by compromising a third party. Often this is by exploiting software vulnerabilities, deploying malware, or using stolen (or phished) credentials.


2. Code injection

Criminals inject malicious code to compromise payment pages. They evolve their methods and tailor them depending on whether payment forms appear directly on pages or are embedded using an iframe.

JavaScript attacks, as the name suggests, target the programming language used by more than 98% of websites to create interactive pages. 

3. Data exfiltration

The harvesting of data occurs when consumers enter their payment details to complete their purchases on compromised payment pages, or enter personal data on online forms. The malicious code covertly skims and collects the information, often encrypting it, before sending it to the attacker’s remote server.


4. Monetization

Criminals monetize stolen data by using it to make unauthorized, fraudulent purchases of goods to re-sell for cash, or by selling the data to other criminals.




Which Businesses Are the Main Targets for Digital Skimming?


In short, every business is a target. Sadly, criminals aren’t choosy about the size or nature of your business. Whether you’re large, small, or anywhere in between, and whether you’re a retailer, non-profit organization, charity, educational institution or government agency, makes no difference to criminals.


Nor are they choosy about the nature of your customers. They could be consumers, other businesses, large corporations, multinationals, or even government departments. 

  

Card data is card data. PII (personally identifiable information) is PII. Criminals want it to sell on underground forums, or to monetize it themselves by creating fake identities or fake cards to commit crimes.


The most common type of data stolen or compromised in 2024 was customer PII at 48%, according to IBM Security’s Cost of Data Breach Report 2024. However, the most lucrative PII to steal was employee PII, including tax ID numbers, e-mail and home addresses, because it can be used in so many more ways.


Generally, if data has value to you or your customers, you can almost guarantee it has value to criminals, so protect it.


How Do Magecart Attacks Relate to Digital Skimming?


Magecart attacks are named after ‘Magento’, the primary open-source e-commerce platform, and shopping ‘cart’. Magecart also refers to the criminal group active since 2015 carrying out such attacks.


In a Magecart attack, criminals inject the digital skimmer through malicious JavaScript code. This actively monitors the payment page and steals sensitive card data whenever a user enters it into a form. This is then sent to servers controlled by the attackers.


Magecart attacks typically target the payment pages of e-commerce websites, either as a first-party attack or a third-party attack.


  • Third-party attack – criminals inject malicious code via a third-party provider that the victim organization is using. Also known as a supply chain attack, it is particularly pernicious as modern websites rely on 13 different pieces of third-party code on average, but up to 35, to run functionality on web pages. Each of these could present attackers with a way in.


Nearly every respondent to a recent Jscrambler survey (97%) said they knew third-party tags collected sensitive or private data. Half (49%) admitted that these tags had collected data they weren’t supposed to in the last 12 months, and 26% said that sensitive data had been leaked to another organization.


How Did Digital Skimming Get So Big?


The Internet was designed for sharing and collaboration, not necessarily for banking, shopping, and telemedicine.


How web applications are built has also changed over time. The business intelligence has moved from web servers, owned and managed by companies, into the consumer web browser, powered by JavaScript, distributed APIs, and microservices.


As a result, any JavaScript running on a web page can access all data entered into form fields on that page. With no separation between different parts of the application, this makes data susceptible to attack.


How Do Businesses Protect Against Digital Skimming Attacks?


The first step in keeping your customers’ data and business safe is understanding the threats out there: specifically, digital skimming and web app attacks, malware and unauthorized access.


Next, put in place controls to prevent unauthorized access to sensitive data. Don’t underestimate the importance and effectiveness of business-as-usual security: installing and maintaining firewalls, and enforcing strong passwords and unique logins for each person with computer access, but also technologies like encryption, tokenization and anti-virus.


Also, conduct regular security assessments, monitoring and third-party due diligence, plus deploy secure code and adhere to payment security standards (PCI DSS).


What Are the Digital Skimming Requirements in PCI DSS v4?


Given the ubiquity and innate security vulnerabilities of JavaScript on payment pages, the PCI Security Standards Council (PCI SSC) published an updated version of the PCI Data Security Standard (PCI DSS) in March 2022.


Version 4.0 of the PCI DSS contains two new requirements to protect against and detect digital skimming attacks on payment pages. These become mandatory requirements from 1 April 2025.


  • Requirement 6.4.3 – the first new PCI requirement is designed to minimize the attack surface and manage all JavaScript present in the payment page. 


  • Requirement 11.6.1 – the second new PCI requirement aims to detect tampering or unauthorized changes to the payment page and generate an alert when changes are detected.


Jscrambler's free PCI DSS 4.0 compliance tool helps businesses that accept card payments achieve frictionless compliance with requirements 6.4.3 and 11.6.1 of PCI DSS v4.0, plus helps PCI Qualified Security Assessors (QSAs) to validate compliance.


How Does Jscrambler Identify the Presence of Digital Skimming?


Jscrambler addresses both new PCI requirements (prevention and detection) concerning attacks on payment pages. 


What’s more, as the payment page is likely to include other JavaScript libraries, Jscrambler provides a smoother and easier way to manage the integrity of third-party code, compared to Content Security Policy (CSP) and Subresource Integrity (SRI).


Features include:


1. First-party code hardening and obfuscation

Obfuscation and protection of the first-party code that payment service providers supply to merchants further enhances the defense against tampering with payment pages.

2. Webpage inventory 

Complete visibility of every script and network request on your website, which simplifies the identification of malicious client-side behavior and the vetting of resources.


3. Third-party management

Simple onboarding and vetting of third-party scripts, with full observability of each script and a powerful rules engine that can be used to control its behavior.


4. User data management

Dashboard with details of how user data is being handled on the client-side, with insights into possible data leakage.


5. Webpage threat mitigation

Powerful and granular rules engine that blocks any script in real-time, if it exhibits malicious or prohibited behavior (e.g. digital skimming, DOM tampering and data leakage).


Prevent Digital Skimming with Jscrambler


Feel free to connect with our client-side security experts to try our solutions to prevent digital skimming attacks.


Jscrambler

The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.
