Summary
E-skimming is a cyberattack that injects malicious code into eCommerce websites to steal customers’ payment card data during checkout.
This tactic is especially dangerous for businesses subject to PCI DSS compliance, as it targets client-side scripts and third-party services—areas often invisible to traditional security tools. Knowing how e-skimming works helps CISOs, compliance officers, and dev teams proactively defend against costly data breaches, regulatory penalties, and reputational damage.
What is E-skimming?
E-skimming, also known as web skimming or client-side payment skimming, is a cyberattack in which malicious code is injected into eCommerce websites to steal sensitive customer data such as credit card numbers, names, and addresses during online transactions. E-skimming is the broader category; payment skimming is a targeted subset focused exclusively on stealing payment information at checkout.
The type of information stolen in e-skimming attacks includes credit card data, Social Security numbers, bank account data, and other personally identifiable information (PII). The victims have no way of knowing that their information is being stolen until that information is used by the attacker, for example in an unauthorized online purchase.
E-skimming is also sometimes referred to as digital skimming, data skimming, or a Magecart attack.
What is Payment Skimming?
Payment skimming refers to malicious code that specifically targets payment fields at checkout — such as credit card number, expiration date, CVV, and billing address. These skimmers operate client-side, executing in the user’s browser and bypassing traditional server-side security controls.
Many attackers implement JavaScript-based skimmers that run silently in the background. The stolen data is then exfiltrated to an attacker-controlled domain in real time, before the user even completes the purchase.
Common techniques include:
- Injecting code into payment forms
- Intercepting input field values
- Spoofing legitimate third-party payment tools (e.g., fake Stripe modals)
Because payment skimming is a highly lucrative and stealthy tactic, it is one of the most dangerous forms of e-skimming today.
Example:
- What happened: Magecart attackers injected malicious JavaScript into the British Airways website and mobile app to skim payment card details during checkout.
- Impact: 380,000+ customer payment records were stolen.
- Consequences: The UK’s ICO fined British Airways £20 million for GDPR violations—reduced from an original £183 million.
E-skimming vs Payment Skimming
| Feature | E-skimming | Payment Skimming |
| --- | --- | --- |
| Scope | Broad – any data entered on the site (login, search, checkout) | Narrow – targets only payment info |
| Target | Full site, multiple forms | Payment forms at checkout |
| Payload | Often includes credential and PII skimmers | Focused on credit card and billing fields |
| End goal | Credential theft, financial fraud, surveillance | Direct credit card fraud or resale |
How does e-skimming work?
Criminals introduce e-skimming code onto webpages by:
- Exploiting a known vulnerability on the website’s e-commerce platform.
- Exploiting a flaw present on a company’s payment card processing page.
- Adding malicious code to existing third- or fourth-party code (often JavaScript) that is used by the target website.
The skimming function is executed by the user’s browser, allowing it to steal sensitive information by recording the keystrokes the user types into the form fields. The stolen sensitive information is collected by the criminal and then sold on the dark web or used by the criminal to make fraudulent purchases.
Because e-commerce websites are made up of hundreds of thousands and sometimes millions of lines of code, it is fairly easy for criminals to hide malicious scripts. Many e-commerce sites also employ plug-ins, extensions, widgets, and other pieces of software to enhance the user experience. This software is often written in JavaScript, which is not designed with security in mind, making it easy to infiltrate the plug-in, extension, or widget and inject malicious skimming code.
Who is the target of e-skimming?
Businesses: Any organization that maintains a website that collects payment information and other types of sensitive user data is at risk of an e-skimming attack. Industries targeted include retail, entertainment, travel, utility companies, and third-party vendors (such as those working in online advertising or web analytics). The cyber criminals may also target user and administrative credentials in addition to financial or credit card information.
Consumers: Consumer PII, credit card, and financial data is the primary target of e-skimming. Every year millions of individuals become victims of e-skimming attacks.

What is the impact of an e-skimming attack?
Loss of Sensitive Customer Information—E-skimming attacks can involve the theft of multiple types of customer information, including credit card data and PII.
Profit loss—Previous e-skimming attacks have demonstrated that business profits will be impacted negatively due to reputation damage and loss of customer trust.
Regulatory and Compliance Issues—Government and industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), can expose businesses to lawsuits and fines should their customers be affected by an e-skimming attack.
What can businesses do to protect against e-skimming?
Businesses can reduce the number and impact of e-skimming attacks by following these best practices:
- Audit web assets: Inventory your web assets and know the type of data they hold.
- Regularly scan the client side: Regularly conduct deep-dive scans into client-side applications and software to reveal intrusions, behavioral anomalies, and unknown threats.
- Use automated monitoring and inspection: Monitoring and inspection activities are critical, but also time consuming if you don’t have an automated solution to regularly review client-side JavaScript code. A purpose-built solution that automates the process can be a fast and easy way to identify unauthorized script activity.
- Maintain safe JavaScript libraries: Confirm the security of any external libraries by making sure they’re not on any blacklists. Regularly patch and update your libraries and avoid any dependence on third-party library sources. Businesses might also wish to consider acquiring technologies that deploy security permissions on JavaScript web applications to closely control the data that third- and fourth-party scripts can access and disseminate.
- Deploy and maintain Content Security Policies: Generate tailored Content Security Policies and deploy them on your web applications. Then utilize purpose built technologies to easily monitor, manage, control versions, and continuously enhance your policies.
- Be selective with plug-ins, widgets, extensions, and third-party scripts: These website enhancement tools and other third-party scripts can contain vulnerabilities or intentionally malicious content. Be sure to use only tools and third-party JavaScript from known and reputable sources.
- Use secure software development practices: Apply software development best practices that aid in the detection and elimination of errors early in the application development process.
- Move security to the left: Ensure security is part of the entire software development process—from beginning to end—and doesn’t just happen after a web application is built or installed on a system.
FAQ
What is the difference between e-skimming and Magecart attacks?
Magecart is a type of e-skimming attack carried out by a group of threat actors known for compromising third-party scripts. While all Magecart attacks are e-skimming, not all e-skimming incidents involve Magecart actors.
Can firewalls or WAFs stop e-skimming?
Not effectively. Traditional network defenses like WAFs can’t see what’s happening in a user’s browser. E-skimming exploits this blind spot, injecting malicious scripts into the client side. You need client-side security to detect and block these threats in real time.
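As an added example of the client-side control this answer points to (not part of the original article and not a Feroot component), the following builds a Content Security Policy for a checkout page that restricts both which scripts may run and where the browser may send data, then triages the violation reports the browser posts back. The origins and the report endpoint are constructed placeholders.

```javascript
// Approved origins for the checkout page (constructed placeholders).
const TRUSTED = {
  scripts: ["'self'", "https://pay.example"],      // who may run code
  connect: ["'self'", "https://api.pay.example"],  // where data may go
};

// Build the Content-Security-Policy header value. connect-src and form-action
// are what limit where the browser may send data; script-src limits what runs.
function buildCheckoutCsp(reportUri) {
  return [
    "default-src 'self'",
    `script-src ${TRUSTED.scripts.join(" ")}`,
    `connect-src ${TRUSTED.connect.join(" ")}`,
    "form-action 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    `report-uri ${reportUri}`,
  ].join("; ");
}

// Classify one report (the "csp-report" object the browser POSTs to report-uri).
// On a checkout page, a blocked outbound request to an origin outside the
// policy is the event to look at first.
function triageCspReport(report) {
  const r = report["csp-report"];
  const directive = (r["effective-directive"] || r["violated-directive"]).split(" ")[0];
  let origin = r["blocked-uri"];
  try { origin = new URL(origin).origin; } catch (e) { /* keep "inline", "eval", etc. */ }
  const onCheckout = /\/checkout/.test(r["document-uri"] || "");
  const outbound = ["connect-src", "form-action", "img-src"].includes(directive);
  if (onCheckout && outbound) {
    return { severity: "high", directive, origin, reason: "blocked outbound request from checkout page" };
  }
  if (directive === "script-src") {
    return { severity: "medium", directive, origin, reason: "blocked script load" };
  }
  return { severity: "low", directive, origin, reason: "other policy violation" };
}

// Constructed sample report: the checkout page tried to reach an unlisted host.
const sampleReport = {
  "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "connect-src 'self' https://api.pay.example",
    "effective-directive": "connect-src",
    "blocked-uri": "https://collect.unknown.example/c",
  },
};
console.log(buildCheckoutCsp("/csp-report"));
console.log(triageCspReport(sampleReport));
```

Because the policy is enforced by the browser, it catches behaviour a WAF never sees, and the report stream gives the security team a client-side signal to alert on.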
What are the compliance risks of an e-skimming attack?
E-skimming breaches can trigger non-compliance with PCI DSS, HIPAA, and GDPR—especially when sensitive payment or health data is exposed. For PCI DSS 4.0, Requirements 6.4.3 and 11.6.1 directly address the need to monitor client-side scripts.
How can I protect my site?
Use a client-side security platform that monitors, analyzes, and controls JavaScript execution on payment and checkout pages. Feroot’s PaymentGuard AI is purpose-built to detect unauthorized scripts and help businesses meet PCI DSS 4.0 compliance.