Guidance for Ecommerce Skimming Threats | TRANSACT 2027

Guidance for Ecommerce Skimming Threats

By SecurityMetrics

As ecommerce skimming attacks have grown more sophisticated, the PCI Security Standards Council added requirements 6.4.3 and 11.6.1 to PCI DSS v4.0 to address client-side risks on payment pages. This SecurityMetrics guidance document explains the background of browser-based skimming, including how attackers abuse the Document Object Model (DOM), third-party scripts, iframes, and single-page applications to capture card data without disrupting the legitimate transaction. Drawing on more than 2,000 ecommerce forensic investigations, SecurityMetrics reports that in every observed case of card skimming the compromise occurred on the merchant's referring page (the merchant page that embeds or redirects to the payment form), not on the third-party payment page itself. The paper details what 6.4.3 and 11.6.1 require for payment and referring pages: an inventory of every script loaded, written authorization and business justification for each, a method to assure each script's integrity, and a change- and tamper-detection mechanism. It discusses approaches such as Content Security Policy (CSP), Subresource Integrity (SRI), and DOM monitoring, and provides practical guidance on collecting evidence and validating these controls for Self-Assessment Questionnaires (SAQs) and Reports on Compliance.
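The controls named above (script inventory, authorization with justification, integrity assurance, and tamper detection on the referring page) can be sketched in a few dozen lines of browser JavaScript. The block below is an added example written for this page; it is not code from the SecurityMetrics paper or from any PCI SSC publication. The allowlist, the script URLs, the SRI digests and the "skimmed page" sample are all constructed for illustration, and the monitoring function is a minimal MutationObserver rather than a production tamper-detection product.

```javascript
// Added example (not from the SecurityMetrics paper). Script inventory /
// authorization check plus minimal DOM tamper monitoring for a merchant's
// referring page. All URLs, digests and sample data below are constructed.

// Illustrative SRI digest for the merchant's own static script (not a real hash).
const CART_JS_SRI = "sha384-EXAMPLEDIGESTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

// Authorized script inventory (6.4.3): each entry records the business
// justification and, for static first-party files, the SRI digest it must
// carry. The PSP loader rotates without notice, so it has no pinned digest and
// is covered by the change-detection monitor (11.6.1) instead.
const ALLOWED_SCRIPTS = {
  "https://checkout.example-psp.test/v1/checkout.js": {
    justification: "Loads the PSP-hosted payment iframe",
    integrity: null,
  },
  "https://static.merchant.test/js/cart.js": {
    justification: "Renders cart totals beside the payment iframe",
    integrity: CART_JS_SRI,
  },
};

// Illustrative CSP for the referring page: only the two inventoried origins
// may supply scripts, and no inline script is permitted at all.
const EXAMPLE_CSP =
  "script-src 'self' https://checkout.example-psp.test https://static.merchant.test; " +
  "frame-src https://checkout.example-psp.test; object-src 'none'";

// Classify {src, integrity, inline} descriptors against the inventory.
// Inline scripts have no src and cannot be pinned with SRI, so they are always
// reported as unauthorized: a clean referring page should carry none.
function classifyScripts(scripts, allowlist = ALLOWED_SCRIPTS) {
  const report = { authorized: [], unauthorized: [], integrityMismatch: [] };
  for (const s of scripts) {
    if (!s.src) { report.unauthorized.push(s); continue; }
    const entry = allowlist[s.src];
    if (!entry) { report.unauthorized.push(s); continue; }
    if (entry.integrity && s.integrity !== entry.integrity) {
      report.integrityMismatch.push(s);
      continue;
    }
    report.authorized.push(s);
  }
  return report;
}

// Snapshot the live script inventory of a document (browser only).
function collectPageScripts(doc) {
  return Array.from(doc.querySelectorAll("script")).map((el) => ({
    src: el.src || null,
    integrity: el.getAttribute("integrity") || null,
    inline: !el.src,
  }));
}

// Tamper detection: alert on scripts or iframes added after load, and on
// changes to any element's src or a form's action (the "swap the payment
// iframe / redirect the form" pattern). Browser only; returns the observer.
function watchForTampering(doc, allowlist, onAlert) {
  const observer = new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === "attributes") {
        onAlert({ kind: "attribute-change", tag: r.target.tagName,
                  attr: r.attributeName, value: r.target.getAttribute(r.attributeName) });
        continue;
      }
      for (const n of r.addedNodes) {
        if (n.nodeType !== 1) continue; // elements only
        if (n.tagName === "SCRIPT") {
          const desc = { src: n.src || null, integrity: n.getAttribute("integrity"), inline: !n.src };
          if (classifyScripts([desc], allowlist).authorized.length === 0) {
            onAlert({ kind: "unauthorized-script", src: n.src || "(inline)" });
          }
        } else if (n.tagName === "IFRAME") {
          onAlert({ kind: "iframe-added", src: n.src });
        }
      }
    }
  });
  observer.observe(doc.documentElement,
    { childList: true, subtree: true, attributes: true, attributeFilter: ["src", "action"] });
  return observer;
}

// Constructed sample: a referring page after an attacker appended a
// look-alike "analytics" loader and an inline exfiltration stub, and replaced
// cart.js with a modified copy (its digest no longer matches the inventory).
const SAMPLE_PAGE_SCRIPTS = [
  { src: "https://checkout.example-psp.test/v1/checkout.js", integrity: null, inline: false },
  { src: "https://static.merchant.test/js/cart.js", integrity: "sha384-TAMPEREDCOPY", inline: false },
  { src: "https://cdn.analytics-lookalike.test/t.js", integrity: null, inline: false },
  { src: null, integrity: null, inline: true },
];

function sampleReport() { return classifyScripts(SAMPLE_PAGE_SCRIPTS); }

if (typeof document !== "undefined") {
  watchForTampering(document, ALLOWED_SCRIPTS, (a) => console.warn("tamper alert", a));
} else {
  console.log(JSON.stringify(sampleReport(), null, 2));
}
```

Run in Node it prints the classification of the constructed sample: one authorized script, one integrity mismatch, two unauthorized entries. Loaded in a browser it snapshots nothing by itself but starts the observer; pairing `collectPageScripts(document)` with `classifyScripts` on a schedule gives the periodic check 11.6.1 asks for, and the alerts it raises are the kind of evidence an assessor will want to see retained.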
