OREM, Utah, March 4, 2025 /PRNewswire/ — SecurityMetrics, a leading innovator in compliance and cybersecurity, has shared new findings about attacks on ecommerce websites and their new product that defends organizations against them.
After conducting thousands of ecommerce client-side forensic investigations, SecurityMetrics discovered a surprising trend among merchant payment pages. The investigation not only focused on searching for malicious scripts on the client browser side, but also included a detailed analysis of all the scripts being loaded within the third-party payment pages (e.g., contents of the iframe source commonly hosted by a PCI DSS compliant service provider).
In 100% of the cases where card data eskimming occurred, the security failure was present on the merchants’ referring page and not because of a malicious script on the third-party hosted payment page.
This finding clearly indicates that the main eskimming risks are on the merchant webserver, not on the payment provider side.
Other data gathered from these investigations includes:
- Of the 2,000 ecommerce forensic investigations conducted:
  - 40% used iframes for display of a third-party payment page
  - 35% used direct post or traditional server-side processing
  - 25% used button redirects to a third-party hosted payment page
- Out of the cases where malicious activity was detected (e.g., card skimming):
  - 46% occurred on the merchant pages where the third-party iframe was integrated
  - 44% occurred on the merchant pages using direct post or other methods
  - 10% occurred on the merchant pages using button redirect to a fully-hosted payment page
Based on the results of real-world investigations, merchants need to be aware of the scripts that they include (PCI DSS requirement 6.4.3) and check for the presence of malicious scripts and behaviors (PCI DSS requirement 11.6.1) on any payment page or page that refers to a payment page.
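As an added illustration of the script-inventory and tamper-check practice behind requirements 6.4.3 and 11.6.1 (example code written for this page, not SecurityMetrics' product or code), the following Python compares the `<script>` tags on a checkout page against an authorized inventory of script URLs and Subresource Integrity tokens and reports anything unapproved or altered. The hosts, the integrity tokens and the page content are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_sha384(text):
    # Subresource Integrity token for a script body: "sha384-" + base64(sha384 digest)
    return "sha384-" + base64.b64encode(hashlib.sha384(text.encode()).digest()).decode()

class ScriptCollector(HTMLParser):
    # Records every <script> tag on the page: src, integrity attribute, inline body.
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def audit_scripts(html, inventory):
    # inventory["external"]: src URL -> expected SRI token; inventory["inline"]: approved tokens
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for s in c.scripts:
        if s["src"]:
            expected = inventory["external"].get(s["src"])
            if expected is None:
                findings.append(("unauthorized-external", s["src"]))
            elif s["integrity"] != expected:
                findings.append(("integrity-mismatch", s["src"]))
        elif sri_sha384(s["body"]) not in inventory["inline"]:
            findings.append(("unauthorized-inline", s["body"][:40]))
    return findings

# Constructed checkout page and inventory (hypothetical hosts, placeholder tokens): PSP loader
# approved, tag manager lost its integrity attribute, inline config approved, last script unknown.
SAMPLE_HTML = """<script src="https://psp.example/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://tags.example/tm.js"></script>
<script>window.cfg = {pay: 1};</script>
<script src="https://cdn.unknown.example/x.js"></script>"""
INVENTORY = {"external": {"https://psp.example/checkout.js": "sha384-AAAA",
                          "https://tags.example/tm.js": "sha384-BBBB"},
             "inline": {sri_sha384("window.cfg = {pay: 1};")}}
```

Run `audit_scripts(SAMPLE_HTML, INVENTORY)` against a fresh fetch of the page on a schedule and alert on any non-empty result; a change in an approved inline snippet shows up as `unauthorized-inline` because its token no longer matches.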
To address these growing attacks and the need for PCI compliance on merchant websites, SecurityMetrics created a PCI-focused eskimming solution called Shopping Cart Monitor. The first version of Shopping Cart Monitor was released in 2020, with a limited release of version 2.0 in September 2024. The full rollout of version 2.0, designed to fulfill specific PCI requirements, starts on March 25th for all acquirers and merchants. This product monitors ecommerce payment pages by thoroughly scanning them during the checkout process, immediately identifying any suspicious scripts, and reporting them back to the merchant.
Unlike most of the competition, Shopping Cart Monitor meets PCI requirements 6.4.3 and 11.6.1, without requiring an agent, software installation, development, compatibility testing, or website configuration. As the only fully-integrated PCI solution on the market, Shopping Cart Monitor was designed to save money and time. To learn more or sign up, visit SecurityMetrics’ website.
About SecurityMetrics
SecurityMetrics secures peace of mind for organizations that handle sensitive data. They have tested over 100 million systems for data security and compliance. Industry standards don’t keep up with the threat landscape, which is why SecurityMetrics holds their tools, training, and support to a higher, more thorough standard of performance and service. Never have a false sense of security.™
For press inquiries, email pr@securitymetrics.com
SOURCE SecurityMetrics, Inc.