Skip to main content
Blog
Blog Attacks

What Is Online Card Skimming? How Attackers Steal Payment Card Data from Websites

Malicious JavaScript on checkout pages captures card numbers before encryption. How online card skimming works, real examples, and PCI DSS 4.0.1 requirements.

Jul 08, 2026 6 min read
What Is Online Card Skimming? How Attackers Steal Payment Card Data from Websites

TL;DR

  • Online card skimming is malicious JavaScript on a merchant's checkout page that copies payment card details as the customer types them.
  • Attackers place the script by compromising a third-party plugin, analytics library, or tag manager the site already loads.
  • The stolen data leaves the browser directly to an attacker-controlled server. Your backend, WAF, and payment processor never see it.
  • Visa's Spring 2025 Biannual Threats Report identifies digital skimming as "one of the most prolific and consistent threats" in the payments ecosystem.
  • PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, mandatory since March 31, 2025, exist specifically to counter this attack type.

What Is Online Card Skimming?

Online card skimming
Online card skimming is a cyberattack where malicious JavaScript runs in a shopper's browser on a merchant's checkout page. As the user types their card number, expiry date, CVV, and billing address into the payment form, the script copies that data and transmits it to a server the attacker controls, before the payment is submitted.

The term "card skimming" originates from physical fraud: a hardware device attached to an ATM or point-of-sale terminal that reads the card's magnetic stripe and records the PIN as a customer enters it. Online card skimming works on the same principle but needs no physical device. A few lines of JavaScript replace the hardware. The attack leaves no physical trace, can run undetected for months, and can be deployed across thousands of websites simultaneously through a single compromised third-party script.

Visa's Spring 2025 Biannual Threats Report identified digital skimming as one of "the most prolific and consistent threats" in the payments ecosystem, noting that the company's eCommerce Threat Disruption program actively scans merchant sites for skimmer signatures across North America and Europe.

For a complementary look at the browser-execution side of this attack, see our detailed e-skimming guide.

How Attackers Deploy Card Skimming Scripts

Attackers need code execution on the target checkout page. They get it through supply-chain entry points rather than attacking the merchant's server directly:

  • A compromised third-party plugin, CMS extension, or widget the merchant's site already loads
  • A malicious update pushed to a CDN-hosted analytics or tag manager library
  • A breach of the merchant's CMS admin panel or code repository

Once they control a JavaScript file that runs on the payment page, they add the skimming payload. The script hooks into payment form fields. As the customer types, the script copies each value, encodes the data, and sends it over HTTPS to an attacker-controlled domain, typically a typosquatted lookalike designed to blend into network traffic logs. The exfiltration request never passes through the merchant's server.

Three properties make this nearly invisible from outside the browser: the outbound request is encrypted; the destination domain mimics a legitimate vendor; and the payload is small enough to resemble routine analytics traffic.

Why Code-at-Rest Scanners Miss It

Most website security tools fetch a page, analyze the HTML and JavaScript source, and flag known malicious signatures. Online card skimming evades this approach for a structural reason: the skimmer executes in a real user's browser, where the attacker can apply conditional logic that a scanner never triggers.

A script can return clean code to headless crawlers and activate only when it detects human behavior, a real IP address, or a specific geographic region. The merchant's WAF, origin server, and payment processor never receive any evidence of the theft. Only a monitoring layer that runs inside real visitor sessions can observe the script as it actually behaves.

Named Online Card Skimming Attacks

British Airways (2018). Attackers planted 22 lines of JavaScript on ba.com that exfiltrated payment data to a lookalike domain, baways[.]com. The script ran undetected for approximately two months and affected around 500,000 customers and staff. The UK Information Commissioner's Office issued an initial fine of £183 million under GDPR, later settled at £20 million. The case was one of the first high-profile GDPR enforcement actions tied directly to a client-side payment security failure.

Magecart (ongoing). The name originated from attacks targeting Magento-based shopping carts, but it now covers dozens of distinct threat actor groups using online card skimming across many platforms. Magecart actors have compromised third-party script providers whose libraries run on thousands of merchant sites simultaneously, turning a single supply-chain breach into a mass card-theft event. See the biggest Magecart attacks on record.

PCI DSS 4.0.1 Requirements for Card Skimming Prevention

PCI DSS 4.0.1 introduced two requirements that directly address online card skimming. Both became mandatory on March 31, 2025:

Requirement 6.4.3 mandates that every script loaded on a payment page be documented in an inventory, authorized with a business justification, and have its integrity protected. The intent is to prevent unauthorized scripts from running where card data is entered.

Requirement 11.6.1 mandates a tamper-detection mechanism that alerts on unauthorized changes to payment-page scripts and security-affecting HTTP headers, evaluated at least weekly or on a risk-analyzed schedule.

Manual script audits and point-in-time scans cannot satisfy these requirements at the volume and frequency they specify. Automated, continuous monitoring of what scripts actually do in real browsers is the baseline both requirements are written to enforce.

RequirementWhat it mandatesMandatory since
6.4.3Script inventory, authorization, and integrity on payment pagesMarch 31, 2025
11.6.1Tamper-detection with alerting for payment-page changesMarch 31, 2025

How to Detect Online Card Skimming

Detection requires visibility into what scripts do inside real visitor browsers, not just what their source code looks like at scan time. cside deploys a single first-party JavaScript snippet (no proxy, no DNS changes) that monitors browser-level script behavior on every real page load.

The signals cside surfaces for online card skimming detection:

  • New or modified scripts appearing on payment pages without authorization
  • Unexpected listeners on input fields handling card data
  • Outbound requests to domains outside an authorized allowlist
  • Script behavior that differs between automated sessions and real-user sessions

This produces the continuous, real-time record PCI DSS 4.0.1 requires: an authorized script inventory for 6.4.3 and tamper-detection evidence for 11.6.1.

Related reading:

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

Online card skimming is a cyberattack where malicious JavaScript runs on a merchant's checkout page and copies payment card details as the customer types them. The stolen data, including the card number, expiry date, CVV, and billing address, is transmitted in real time to a server the attacker controls. The theft happens before the payment is submitted and before any server-side encryption applies. Unlike physical card skimming, online card skimming requires no hardware, leaves no physical trace, and can run on thousands of websites simultaneously through a single compromised third-party script.

Physical card skimming uses a hardware device attached to an ATM or point-of-sale terminal. The device reads the magnetic stripe and a hidden camera or keypad overlay captures the PIN. Online card skimming is entirely software-based: malicious JavaScript in the browser captures card data typed into a payment form. Physical skimming targets one terminal at a time. Online card skimming can be deployed via a single compromised third-party script and run simultaneously across thousands of websites with no additional attacker effort.

Attackers commonly compromise a third-party plugin, CMS extension, or tag manager library that the merchant's site already loads. They can also breach the merchant's CMS admin panel or code repository directly. Once they control a JavaScript file that executes on the checkout page, they modify it to include the skimming payload. Because the compromised script often belongs to an analytics or marketing vendor, the merchant's own code goes untouched and server-side logs show nothing unusual.

Any website that loads third-party JavaScript on pages where customers enter payment details is at risk. This includes e-commerce stores built on Magento, WooCommerce, Shopify custom checkouts, and proprietary platforms, as well as subscription services and travel-booking sites. The attack surface is the browser, not the server, so the merchant's hosting infrastructure, WAF configuration, and payment processor do not determine risk. A single compromised script from a shared vendor can affect every merchant that uses it.

Typically weeks to months. Card skimming scripts are designed to be silent: they exfiltrate data to lookalike domains that resemble legitimate analytics vendors, send small encrypted payloads, and often activate only under real-user conditions (such as detecting mouse movement or a non-datacenter IP) to avoid scanner detection. Merchants usually learn of a breach from customer fraud complaints or card-network alerts, which can surface 30 to 90 days after the initial compromise.

Yes. Requirements 6.4.3 and 11.6.1, both mandatory since March 31, 2025, were written specifically to address online card skimming and Magecart-style supply chain attacks. Requirement 6.4.3 mandates a documented inventory of every script on payment pages, with authorization and integrity protection for each. Requirement 11.6.1 mandates a tamper-detection mechanism that alerts on unauthorized changes to scripts and security-affecting HTTP headers on payment pages. Together they require continuous, automated monitoring rather than periodic point-in-time audits.

Card skimming scripts typically capture everything a customer types into a payment form: the full card number (PAN), expiry date, CVV/CVC, cardholder name, billing address, and sometimes email address and phone number. Some variants also intercept session tokens or login credentials on account pages near checkout flows. The stolen data is used directly for card-not-present fraud or sold on dark-web markets, often within hours of collection.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo