
Eskimming protection for checkout pages and payment forms

Malicious JavaScript steals card data directly from the browser, before your server processes the transaction. cside monitors every script on every real user session and blocks skimmers before they fire.

What is eskimming?

Eskimming is a cyberattack where malicious JavaScript is injected into a website's checkout or payment page to steal card data as users type. The script runs inside the customer's browser. It copies credit card numbers, expiration dates, CVV codes, and billing details in real time, then sends them silently to an attacker-controlled server.

The transaction completes normally. The customer gets their order confirmation. The merchant sees a clean payment. No server-side alarm fires. By the time stolen cards appear on the dark web, the attack may have been running for weeks.

Eskimming is also called web skimming, digital skimming, formjacking, or a Magecart attack. The names describe the same browser-layer threat.

How an eskimming attack reaches your checkout page

Attackers do not always need access to your own codebase. The most reliable route is through the third-party scripts your site already trusts.

Supply chain attacks

A trusted analytics pixel, A/B testing library, tag manager, or CDN script is compromised at the vendor level. The script comes from an approved domain, passes CSP checks, and behaves normally until the browser reaches a payment form. The Polyfill.io attack showed how quickly a trusted JavaScript dependency can become a broad delivery path.

Direct injection

Attackers exploit a CMS vulnerability, an unpatched plugin, or phished admin credentials to write malicious code directly into page templates or tag manager configurations. No third-party vendor is involved. The skimmer is served first-party.

Fourth-party exposure

Your third-party scripts load their own dependencies. The Web Almanac 2025 found the median third-party inclusion chain depth is 3, meaning each dependency can introduce another script you may never have reviewed.

The blind spot most security stacks share

Eskimming lives entirely in the browser, on the client side, during a live user session. That is exactly where most enterprise security tools stop looking.

WAFs and server-side monitoring

A WAF monitors traffic flowing to your servers. Eskimming exfiltration flows from the customer's browser directly to an attacker's collection server. Your WAF never observes that connection. ISACA describes why provider-side tools have limited visibility into web client runtime risk.

Content Security Policy

CSP is valuable, but it approves domains, not what those domains serve. A compromised script from an approved domain clears CSP with no warning, and dynamic or inline script behavior can still create gaps.

Periodic external scanners

Scanners run from known cloud infrastructure on a schedule. Sophisticated attackers fingerprint the request origin and serve clean code to scanners while targeting real visitors between scan windows.

Browser-layer defense on real user sessions

cside combines behavioral monitoring inside live user sessions with deep script inspection on cside infrastructure.

Behavioral monitoring on every real session

A lightweight cside script observes how every script behaves in the browser: which DOM elements it accesses, which form fields it reads, and which external domains it contacts.

Deep script inspection

cside fetches script contents on its own infrastructure for AI-powered analysis and compares payloads against threat intelligence gathered across monitored websites.

Blocking before impact

When malicious behavior is detected, cside blocks the script from completing its action. The checkout continues normally while the skimmer is stopped before card data leaves the browser.

Inventory and change detection

cside continuously inventories scripts, tracks payload changes, and alerts when unauthorized scripts, domains, or HTTP security header changes appear.

Eskimming prevention and PCI DSS 6.4.3 / 11.6.1

PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 formalize what a sound eskimming prevention program should already do. PCI SSC confirms the future-dated requirements became effective on 31 March 2025. cside's PCI Shield handles the workflow from script inventory to automated weekly reports.


Built for checkout protection and compliance

72,000+ websites were compromised by client-side attacks in Q2 2025 alone.

"A simple PCI DSS solution backed by outstanding support."

Frederico Boyer, Director of Engineering, Amilia