
Magecart Prevention in 2026: Which Client-Side Security Platforms Actually Detect It?

Magecart runs inside the browser across the purchase journey. Five client-side security platforms compared on the capabilities that actually catch it.

Jul 01, 2026

Magecart is a class of client-side attack in which malicious JavaScript runs inside a user's browser, silently capturing payment card data as it is entered and transmitting it to an attacker-controlled server. The attack happens entirely within the browser environment, after the page has loaded and before the transaction reaches the payment processor. Server-side security tools, WAFs, and network inspection cannot observe it because the data never leaves the browser in a form they intercept.

The term originated with a specific threat group documented from 2016 onward. It now describes the wider attack class: any skimming attack that operates at the browser layer, whether through direct script injection, supply-chain compromise of a trusted vendor, or modification of a tag manager payload. The mechanism is the same regardless of the entry point: malicious code reads form field values and exfiltrates them before submission.

IBM's 2024 Cost of a Data Breach Report puts the global average breach cost at USD 4.88 million. Verizon's 2024 Data Breach Investigations Report lists web application attacks among the three most common confirmed breach patterns in the retail sector. PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, mandatory since 31 March 2025, were written specifically to address the Magecart attack class through script inventory, authorization governance, and runtime change detection.

The challenge for security teams is not awareness. It is selecting a platform with the detection architecture to catch a real Magecart attack. This review evaluates five client-side security platforms against the detection requirements of a practical Magecart threat model.

What is Magecart? Magecart is a client-side attack technique in which malicious JavaScript is injected into a website's browser execution environment to capture payment card data from form fields before it reaches the payment processor. The code runs inside the browser, invisible to server-side monitoring, WAFs, and network inspection tools. Modern Magecart attacks are delivered via supply-chain compromise of trusted vendor scripts, not only direct injection.


What Magecart Detection Actually Requires

Quick answer: Three capabilities separate genuine Magecart detection from compliance-grade script monitoring: real-user session coverage across the full purchase journey (not just checkout), behavioural deviation detection at the script level, and IR-grade evidence archival that records what was running in the browser at the time of the attack. A platform that lacks any one of these will miss categories of active attack.

Full-purchase-journey coverage. The Information Commissioner's Office enforcement action against British Airways found that approximately 500,000 customers were affected over a 15-day period in 2018 by a browser-layer script attack. Modern Magecart payloads activate on product and cart pages, not only the checkout step, because purchase-intent signals and preliminary form interactions begin earlier in the session. A platform that covers only the payment page misses a significant portion of the current attack surface.

Real-user session monitoring. Magecart payloads are increasingly built to evade periodic and synthetic scanning. Common evasion techniques include time-limited activation (the payload runs only during specific hours), geo-targeting (the code activates only for users in particular countries), and session-fingerprint detection (the payload suppresses itself when it detects bot-like behaviour). A platform that scans on a schedule, from a crawler, or using synthetic sessions is exactly what these techniques are built to evade. Real-user session monitoring has no such gap, because the attack runs in the first real session in which the compromised version is active, and that is the session being observed.

Behavioural deviation detection. Supply-chain Magecart attacks arrive via trusted vendor scripts. A compromised CDN-served vendor script may carry a new, legitimate-looking hash from an authorized origin. Hash-only monitoring does not flag this attack because the origin and delivery channel are both permitted. Behavioural deviation detection establishes a baseline of what each script does at runtime (DOM element reads, form field access, outbound network destinations, dynamic imports) and flags changes in behaviour regardless of whether the hash or origin looks normal.

IR-grade evidence archival. Card network forensics and data protection regulators require documentation of what was running in the browser during a confirmed compromise, which sessions were affected, and what data was in scope. Platforms that archive deobfuscated script payloads with per-session timestamps can reconstruct a specific incident from the evidence record. Platforms that retain only alert metadata and change notifications cannot answer those questions.
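To make the two preceding points concrete, here is an added example of baseline-and-deviation logic over per-script runtime events, with each finding carrying the session id and timestamp that the evidence-archival point calls for. It is illustrative code written for this article, not cside's or any other vendor's implementation; the in-page event collector, the field names and the hosts are assumptions.

```javascript
// Added example (not cside's or any vendor's code). Events are assumed to come from a
// hypothetical in-page collector that attributes each form read, request and import to a script.
const ASPECTS = ["formFields", "destinations", "dynamicImports"];
const PAYMENT_FIELDS = /^(cc-number|cc-exp|cc-csc|cardholder)$/;
const fresh = () => Object.fromEntries(ASPECTS.map(a => [a, new Set()]));

// Collapse a session's events into per-script sets of what each script did.
function summarise(events) {
  const byScript = {};
  for (const ev of events) {
    const s = (byScript[ev.script] ||= fresh());
    if (ev.type === "formRead") s.formFields.add(ev.field);
    if (ev.type === "request") s.destinations.add(new URL(ev.url).host);
    if (ev.type === "dynamicImport") s.dynamicImports.add(new URL(ev.url).host);
  }
  return byScript;
}

// Learn a baseline as the union of behaviour seen in known-good sessions.
function buildBaseline(sessions) {
  const base = {};
  for (const sess of sessions)
    for (const [script, obs] of Object.entries(summarise(sess.events)))
      ASPECTS.forEach(a => obs[a].forEach(v => (base[script] ||= fresh())[a].add(v)));
  return base;
}

// Flag anything a script does in a live session that it never did in the baseline,
// regardless of hash or origin; each finding keeps the session id and timestamp for IR.
function detectDeviations(session, baseline) {
  const findings = [];
  for (const [script, obs] of Object.entries(summarise(session.events)))
    for (const a of ASPECTS)
      for (const v of obs[a]) {
        if (baseline[script] && baseline[script][a].has(v)) continue;
        const critical = a === "formFields" && PAYMENT_FIELDS.test(v);
        findings.push({ script, aspect: a, value: v, severity: critical ? "critical" : "high",
                        sessionId: session.id, ts: session.ts });
      }
  return findings;
}

// Constructed sample: the same vendor script URL (and hash) appears in both sessions.
const VENDOR = "https://cdn.vendor.example/analytics.js";
const GOOD_SESSIONS = [{ id: "s1", ts: "2026-06-30T10:00:00Z", events: [
  { script: VENDOR, type: "request", url: "https://collect.vendor.example/e" }] }];
const LIVE_SESSION = { id: "s2", ts: "2026-07-01T09:14:02Z", events: [
  { script: VENDOR, type: "request", url: "https://collect.vendor.example/e" },
  { script: VENDOR, type: "formRead", field: "cc-number" },
  { script: VENDOR, type: "request", url: "https://stats-cdn.example/p" }] };
```

Running `detectDeviations(LIVE_SESSION, buildBaseline(GOOD_SESSIONS))` flags the new card-field read as critical and the new destination as high, even though the script's URL and origin are unchanged and would pass a hash-and-allowlist check.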


The Platforms

cside

Best for: eCommerce security teams that need full-session Magecart detection across the complete purchase journey, with QSA-validated PCI DSS compliance evidence and IR-grade payload archival under a single platform.

cside monitors every real user session from page load through transaction completion, covering product pages, cart pages, and checkout. The platform detects script changes across five categories: URL, hash, behavioural, execution-path, and destination. Behavioural deviation detection establishes a runtime baseline for each third-party script and flags changes in what the script does, not only changes in what it is, so supply-chain Magecart attacks are caught regardless of hash or origin status.

Script changes are detected in under 60 seconds on average across real user sessions (cside product data). The deobfuscated payload archival model records the readable version of any obfuscated script change alongside the per-session timestamp and network destinations, answering the forensic questions card schemes and regulators ask after a confirmed incident. In Q1 2025, cside detected more than 300,000 previously unseen client-side attack signals across customer deployments.

In the 2026 Globee® Cybersecurity Awards, independent judges named cside the Gold Globee® Award winner (Best of Category) for Client-Side Security; Jscrambler received Silver. See the head-to-head cside vs Jscrambler breakdown.


The PCI Shield dashboard covers both requirements 6.4.3 and 11.6.1 with evidence validated by VikingCloud QSA. Self-service onboarding and transparent pricing allow security teams to reach a working client-side security posture without a services engagement.

Source Defense

Best for: Merchants that want to limit the blast radius of a supply-chain Magecart compromise at a structural level, through sandboxing, rather than relying on detection after the fact.

Source Defense sandboxes third-party scripts in an isolated execution environment that restricts their access to payment-page DOM elements and form fields. A supply-chain-compromised vendor script running in the sandbox cannot read card data even if the compromise is not detected immediately, because the structural restrictions prevent the access path a skimmer requires.

For merchants where detection latency is a primary concern (a skimmer running for hours during a scan cycle is unacceptable), sandboxing as a primary control eliminates that window. Source Defense also satisfies PCI DSS 6.4.3 and 11.6.1 for script inventory and change monitoring requirements. Evaluate compatibility with payment processor JavaScript before deploying the sandboxing layer.

Reflectiz

Best for: Fintech and eCommerce platforms that carry PCI DSS risk alongside GDPR or HIPAA obligations, and that need script behaviour mapped to multiple compliance frameworks simultaneously.

Reflectiz monitors third-party script behaviour and maps it to regulatory obligations. The Policies feature, launched in April 2026, allows automated enforcement rules: scripts that violate defined behavioural profiles trigger automated responses, reducing manual review load in environments with high-velocity vendor update cadences.

For fintech organizations where a Magecart-style compromise of a third-party script creates both a PCI DSS evidence obligation and a GDPR notification requirement, unified framework coverage reduces the operational overhead of maintaining separate evidence packages. Reflectiz uses a remote browser monitoring approach; validate real-user session coverage against your evasion threat model before selecting it as the primary Magecart detection control.

Jscrambler

Best for: eCommerce development teams that own significant first-party JavaScript in the checkout flow and need third-party Magecart monitoring alongside first-party code protection.

Jscrambler's Webpage Integrity covers third-party script monitoring for PCI DSS 6.4.3 and 11.6.1 alongside obfuscation, self-defending code, and tampering detection for first-party JavaScript. For merchants with substantial proprietary code in the checkout path, the integrated model addresses both the internal code protection risk and the third-party compliance requirement.

The behavioural detection depth for supply-chain Magecart attacks should be validated directly against your specific threat model, particularly for attacks that use dynamic imports or behavioural evasion, before selecting Jscrambler as the primary runtime detection control.

HUMAN Security: Page Protect

Best for: Large eCommerce platforms that carry both Magecart risk and bot-driven payment fraud, and want unified browser-layer coverage under a single vendor contract.

HUMAN's Page Protect addresses client-side script risk as part of its broader bot management and fraud prevention platform. For eCommerce operations where credential stuffing, inventory abuse, and payment fraud coexist with skimmer risk, a single vendor covering both surfaces reduces the complexity of managing multiple specialist tools.

HUMAN is primarily a bot and fraud prevention platform; the client-side script monitoring capability is robust but may be less granular on PCI DSS evidence output and IR-grade payload archival than dedicated specialists. Security teams with a Magecart-specific threat model should validate Page Protect's behavioural detection capabilities against cside and Jscrambler before committing.


Comparison at a Glance

| Platform | Full purchase journey | Real-user sessions | Behavioural deviation | Deobfuscated archival | PCI 6.4.3 + 11.6.1 |
|---|---|---|---|---|---|
| cside | Yes | Yes (100%) | Yes | Yes | Yes (QSA-validated) |
| Source Defense | Yes | Yes | Via sandboxing | Partial | Yes |
| Reflectiz | Partial | Remote browser | Synthetic only | Partial | Yes |
| Jscrambler | Yes | Yes | Partial | Limited | Yes |
| HUMAN Page Protect | Yes | Yes | Partial | Limited | Partial |

How to Choose

Quick answer: If your primary risk is active Magecart skimming and you need IR-grade evidence to reconstruct a confirmed incident, prioritize platforms with 100% real-user session monitoring, behavioural deviation detection, and deobfuscated payload archival. If prevention rather than detection is the goal, a sandboxing approach structurally limits what a compromised script can reach before detection occurs.

If you need to detect active Magecart and produce forensic evidence: cside provides the most complete coverage: full purchase journey, 100% session monitoring, behavioural deviation detection, deobfuscated archival, and QSA-validated PCI DSS compliance evidence.

If structural prevention is the primary control: Source Defense's sandboxing approach limits the blast radius of a supply-chain compromise before detection occurs. Evaluate sandbox compatibility with your payment processor JavaScript before deployment.

If you carry multiple compliance frameworks alongside PCI DSS: Reflectiz maps script behaviour across PCI, GDPR, and HIPAA simultaneously. Validate remote browser coverage against your Magecart evasion threat model.

If first-party JavaScript protection is also in scope: Jscrambler covers third-party monitoring and first-party obfuscation in a single platform. Validate the third-party behavioural detection depth against the current Magecart attack patterns.

For a wider view of how these controls fit eCommerce and fintech stacks, see our guide to client-side security for eCommerce and fintech platforms and how to evaluate real-time browser attack visibility tools.

Mike Kutlu
Client-Side Security Consultant

Client-side security consultant at cside. 10+ years of experience implementing technology solutions for enterprises (previously at Oracle, Cloudflare, and Splunk). Now helping teams use client-side intelligence to catch & reduce fraud.


Frequently Asked Questions

What is Magecart?

Magecart is a type of web skimming attack in which malicious JavaScript runs inside a website's browser environment, silently capturing payment card data as users enter it. The code reads form field values in the browser before they reach the payment processor and transmits them to an attacker-controlled server. The attack operates entirely in the client-side layer, which means server-side monitoring, WAFs, and network inspection tools do not observe it in transit.

Does a Content Security Policy (CSP) prevent Magecart?

A well-configured CSP restricts which script origins are allowed and blocks many direct injection paths. However, CSP does not protect against supply-chain Magecart attacks, where the malicious code is delivered via a trusted vendor CDN origin that is already permitted in the policy. PCI DSS 11.6.1 explicitly requires runtime monitoring in addition to CSP because CSP alone does not satisfy the requirement.

Why do periodic and synthetic scans miss Magecart?

Modern Magecart payloads include evasion logic specifically designed to avoid periodic and synthetic scanning. Common techniques include time-limited activation, geo-targeting, and session-fingerprint detection that suppresses the payload when the session matches bot behaviour patterns. Platforms that scan on a schedule or from synthetic sessions are exactly what these techniques are built to evade. Real-user session monitoring does not have this weakness because it observes the same sessions the attacker targets.

How quickly can a Magecart attack be detected?

Detection time depends entirely on the monitoring architecture. Platforms with real-user session monitoring detect the attack in the first session where the compromised script runs, potentially within minutes of the vendor script being updated. Periodic scanning platforms may miss the attack for hours or days depending on scan frequency. PCI DSS 11.6.1 requires weekly evaluation of payment-page changes, meaning a compliant platform operating to the minimum standard may allow a multi-day attack between scan cycles.

What evidence should be retained after a confirmed Magecart incident?

Retain the deobfuscated payload of the compromised script, the per-session detection record showing when the change first appeared, the list of sessions and time windows during which the compromised version was active, and the outbound network destination records for data transmitted during those sessions. This evidence answers the forensic questions card schemes and regulators ask: what data was exposed, from which users, and for how long. Platforms with continuous session-level archival make this reconstruction feasible; platforms that retain only alert metadata do not.
