Closing the Security Gap: Protecting Retail Customers from Web Skimming
June 11th, 2025 | By Denise Dubie | 8 min read
As digital commerce continues its meteoric rise, retailers face an urgent and growing threat: web skimming and client-side data leakage. These attacks, often invisible and deeply damaging, target sensitive customer data, jeopardizing trust, regulatory compliance, and revenue. In this blog, we explore the two critical threat vectors retailers must address:
Malicious skimming scripts targeting customer payment data
Data leakage introduced by third-party vendors and shadow scripts
We’ll also explain why traditional defenses like CSP and SRI are no longer sufficient—and how Jscrambler’s unified client-side protection suite offers a future-proof solution that aligns with PCI DSS v4 and beyond.
The rising threat: web skimming in retail
Web skimming, also known as Magecart-style attacks, involves the malicious injection of JavaScript into online stores. These scripts operate on the client side—inside the user’s browser—making traditional server-side defenses ineffective. These attacks silently capture sensitive data such as:
Credit card numbers and CVCs (Card Verification Codes)
Personally identifiable information (PII): social security number, address, e-mail address, full name, phone number, etc.
Credentials and form field contents
The consequences are severe:
Fraud & Chargebacks: Stolen card data fuels unauthorized purchases and downstream breaches.
Reputational Harm: Data breaches erode customer trust and brand equity—often permanently.
Compliance & Regulatory Exposure: Breaches trigger fines, investigations, and mandatory disclosures under PCI DSS, GDPR, and other frameworks.
Even worse, the retailer’s own technology stack often enables these threats through insecure or unmonitored third-party scripts. This is where browser security comes in: the set of technologies, practices, and features designed to protect users, data, and systems from threats that originate in, or are delivered through, web browsers. Because the browser is the primary interface for internet interaction, it is a frequent target for cyberattacks.
The good news is that many retailers are recognizing the issue and taking action. Jscrambler researchers recently analyzed the top 50 retail companies, examining each website to determine whether it was actively using a Content Security Policy (CSP) or a client-side protection agent to mitigate script threats, and then assessed each site’s risk based on how the solution was implemented across its pages. The analysis found that 48 percent of the top 50 relied on CSPs to mitigate digital skimming risks.
While the idea of blocking non-trustworthy resources is sound, the manual aspects of this approach are not, because of the sheer number of third-party scripts a team must sift through around the clock. And even when untrusted items are successfully blocked, today’s sophisticated attacks can easily find other ways in.
The bottom line is that while recognizing an issue is vital, too many retail organizations are relying on solutions that cannot and will not provide a sufficient line of defense. This could spell trouble for many organizations. Of these 50 retail businesses, only 22 percent have recognized the need for more protection and have taken action by implementing a comprehensive client-side protection agent-based solution. Now it’s time for the others to follow their lead.
The overlooked risk: data leakage from third-party scripts
Beyond malicious attacks, retailers face passive but equally dangerous threats—data leakage through third-party vendors. Modern websites rely on dozens of external scripts for marketing, analytics, social media, and payment processing. This creates a sprawling client-side attack surface where even well-meaning tags can expose sensitive customer data.
Key risks include:
Unauthorized tags collecting data without oversight
Compromised vendor code used to exfiltrate information (supply chain vulnerabilities)
Non-transparent data collection practices that violate GDPR, CCPA, and other laws and regulations
Sensitive data at risk includes:
Behavioral and interaction data
Emails, phone numbers, and shipping details
Payment information and form inputs
Without real-time visibility and control, retailers may be unaware of what customer data is accessed or by whom.
PCI DSS v4: a new compliance mandate for client-side security
PCI DSS v4 raises the bar for protecting customer payment data by emphasizing client-side security and continuous monitoring. Specifically, requirements 6.4.3 and 11.6.1 demand:
Maintaining a script inventory
Justifying authorized scripts
Detecting unauthorized changes
Monitoring HTTP headers and alerting on anomalies
CSP and SRI cannot fully address these requirements due to their static and manual nature. Dynamic content, frequent script updates, and third-party dependencies make these tools impractical for large-scale environments. Retailers struggle to remain compliant while staying agile—unless they adopt purpose-built client-side security solutions.
Why traditional defenses like CSP and SRI fall short
While Content Security Policy (CSP) and Subresource Integrity (SRI) are often deployed to reduce client-side risk, they have significant limitations. CSP aims to control which domains can run scripts, while SRI ensures that loaded resources haven't been tampered with. However:
CSPs can be bypassed via misconfigurations or wildcard policies
SRI fails when third-party scripts change frequently, requiring constant hash updates
Neither offers real-time visibility, enforcement, or alerting
Manual implementation of inventory and audit processes introduces errors and overhead
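As an added illustration (not from the original post), the following Node.js evaluator resolves a page’s script-src sources against candidate script URLs and shows how a scheme wildcard such as https: lets an unapproved host through. The policies, page origin and URLs are constructed, and port matching and nonce/hash sources are deliberately left out.

```javascript
// Added example, not Jscrambler's code: a simplified evaluator for the CSP
// script-src directive, used to show how a wildcard source widens what a policy
// permits. Policies, origins and URLs are constructed; port matching is omitted.

// Return the source expressions that govern scripts (browsers fall back to default-src).
function scriptSources(cspHeader) {
  const directives = cspHeader.split(";").map((d) => d.trim().split(/\s+/));
  const pick = (name) => directives.find((d) => d[0] === name);
  const directive = pick("script-src") || pick("default-src");
  return directive ? directive.slice(1) : [];
}

// Does one source expression allow scriptUrl? Handles 'self', "*", scheme-sources
// such as https: and host-sources with an optional scheme and a leading *. wildcard.
function sourceAllows(expr, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // nonces, hashes and unsafe-* are not modelled here
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (wildcard) return url.hostname.endsWith("." + host.toLowerCase());
  return url.hostname === host.toLowerCase();
}

function policyAllows(cspHeader, scriptUrl, pageOrigin) {
  return scriptSources(cspHeader).some((e) => sourceAllows(e, scriptUrl, pageOrigin));
}

// Constructed policies: one pins the PSP host, the other "fixes" a blocked vendor
// with a scheme wildcard, the kind of misconfiguration described above.
const pageOrigin = "https://shop.example.test";
const strictPolicy = "default-src 'self'; script-src 'self' https://cdn.example-psp.test";
const loosePolicy = "default-src 'self'; script-src 'self' https: *.example-analytics.test";
const probes = [
  "https://cdn.example-psp.test/checkout.js",     // intended PSP script
  "https://tags.example-analytics.test/t.js",     // vendor subdomain
  "https://static.unknown-vendor.test/widget.js", // host nobody approved
];
function evaluate(policy) {
  return Object.fromEntries(probes.map((u) => [u, policyAllows(policy, u, pageOrigin)]));
}
console.log(evaluate(strictPolicy)); // only the PSP script and first-party scripts are allowed
console.log(evaluate(loosePolicy));  // every https: host is allowed, including the unknown vendor
```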
The Unified Solution: Jscrambler’s Client-Side Protection Suite
Retailers need a more scalable and automated approach to their operations. Jscrambler offers a comprehensive client-side protection platform designed to detect, prevent, and respond to web skimming and data leakage threats in real time.
Jscrambler’s platform includes:
Webpage Integrity:
Gain full visibility and control over all scripts on your site. Enforce behavioral rules, monitor third-party activity, and prevent data exfiltration before it occurs. Fully supports PCI DSS v4 compliance (6.4.3 & 11.6.1).
Data Fencing:
Apply granular controls to limit which scripts can access sensitive form fields and customer data. Prevent credential theft and unauthorized data capture.
Script Vetting and Onboarding:
Easily audit, justify, and document script usage. Reduce manual effort and human error with automated observability and rules enforcement.
Real-Time Alerts and Policies:
Get instant alerts on unauthorized script changes or data access attempts, and take immediate action with customizable policies.
Code Integrity & Protection:
Protect first-party scripts with advanced obfuscation, anti-tampering, and runtime self-defense mechanisms to prevent skimmer injection.
Iframe Integrity for PSPs:
Protect embedded payment iframes from overlay, hijacking, and formjacking attacks—ensuring secure checkout for every transaction.
Why it matters now
The modern retail experience depends on a complex digital ecosystem of third-party scripts and integrations. But this complexity shouldn’t come at the cost of security.
With PCI DSS v4 enforcement on the horizon and web skimming attacks becoming increasingly sophisticated, retailers must move beyond outdated defenses. Only comprehensive client-side protection can provide the visibility, control, and automation needed to secure customer data and ensure compliance. Learn how Jscrambler can help your organization meet PCI DSS v4 and stay one step ahead of evolving threats. Discover Jscrambler’s Client-Side Protection now.
Jscrambler
The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.