Webinar Description
Key Takeaways
- Examination of digital skimming campaigns exploiting trusted cloud services including Google Tag Manager, Google Analytics 4, Firebase and Braintree
- Technical analysis of Content Security Policy bypass methods and adaptive fake checkout overlays
- PCI DSS 4.0.1 compliance guidance focusing on requirements 6.4.3 and 11.6.1
- Designed for e-commerce security teams, application security professionals, CISOs and compliance officers
- Focus on behaviour-based script monitoring as a defence against browser-based payment data theft
Introduction
Digital Skimming 2026 Q2 In Review is a virtual event examining the latest attack techniques, evasion methods and defensive strategies in the ongoing battle against browser-based payment data theft. Hosted by Source Defense, the webinar targets e-commerce security teams and application security professionals grappling with increasingly sophisticated skimming campaigns that exploit legitimate cloud infrastructure to bypass traditional security controls.
The timing reflects a critical inflection point for online retailers. With PCI DSS 4.0.1 now in effect and its stricter requirements for client-side script management, organisations face mounting pressure to demonstrate effective controls over the JavaScript executing in their customers’ browsers. Meanwhile, attackers have refined their techniques to weaponise the very services that businesses depend upon for analytics, tag management and payment processing.
About This Event
This webinar provides a quarterly review of digital skimming activity observed during the second quarter of 2026. The session examines real-world attack campaigns, dissects the technical methods employed by threat actors, and offers practical guidance for security teams responsible for protecting online payment flows.
The format is designed to deliver actionable intelligence rather than theoretical discussion. Security practitioners can expect detailed analysis of how specific attacks unfolded, which defensive gaps were exploited, and what countermeasures proved effective. The virtual delivery makes the content accessible to distributed security teams regardless of location.
How Attackers Exploit Trusted Cloud Services
A central theme of the event is the abuse of trusted third-party services as attack vectors. Digital skimming has evolved considerably from its origins in straightforward malicious script injection. Modern campaigns increasingly leverage platforms that organisations already trust and whitelist, including Google Tag Manager, Google Analytics 4, Firebase and Braintree.
This approach presents a fundamental challenge for security teams. Content Security Policies, long considered a cornerstone of client-side protection, typically permit requests to these legitimate services. When attackers inject skimming code through a compromised tag manager configuration or disguise data exfiltration as analytics traffic, traditional allowlist-based controls fail to detect the malicious activity.
The webinar explores specific techniques observed in recent campaigns, including the use of hidden SVG elements to conceal malicious payloads and adaptive fake checkout overlays that dynamically mimic legitimate payment forms. These overlays capture card details before the genuine payment processor ever receives the transaction, making detection particularly difficult from the server side.
The Limitations of Static Security Controls
Traditional web application security architectures were designed primarily to protect server-side infrastructure. Web application firewalls inspect incoming requests, intrusion detection systems monitor network traffic, and vulnerability scanners assess application code. These controls remain essential but share a common blind spot: they have limited visibility into what happens after a page loads in the customer’s browser.
Digital skimming exploits this gap directly. The malicious code executes entirely within the browser environment, often loading dynamically after the initial page render. Data exfiltration can occur through seemingly innocuous channels, encoded within image requests or disguised as legitimate analytics payloads. By the time any server-side system might detect anomalous behaviour, the payment data has already been captured and transmitted to attacker-controlled infrastructure.
Content Security Policies offer some protection but prove insufficient against sophisticated campaigns. Attackers have developed numerous bypass techniques, and the inherent need to permit legitimate third-party services creates exploitable gaps. The event examines specific CSP bypass methods and explains why static policy definitions struggle to address dynamic, behaviour-based threats.
PCI DSS 4.0.1 Compliance Requirements
The regulatory landscape has shifted to address browser-based threats more directly. PCI DSS 4.0.1 introduced requirements specifically targeting client-side security, with requirements 6.4.3 and 11.6.1 receiving particular attention in this webinar.
Requirement 6.4.3 mandates that organisations maintain an inventory of all scripts executing on payment pages, justify the business need for each script, and implement controls to ensure script integrity. Requirement 11.6.1 extends this by requiring mechanisms to detect unauthorised changes to payment page content, including the HTTP headers and scripts that could indicate a skimming attack in progress.
For many organisations, meeting these requirements necessitates capabilities beyond their existing security tooling. The webinar addresses how behaviour-based script monitoring can satisfy these compliance obligations while simultaneously improving actual security posture. This represents a shift from checkbox compliance toward controls that provide genuine protection against the threats the requirements were designed to address.
Behaviour-Based Script Monitoring
The defensive approach emphasised throughout the event centres on behaviour-based monitoring rather than static allowlists or signature-based detection. This methodology analyses what scripts actually do at runtime rather than simply verifying their source or comparing them against known malicious patterns.
Behaviour-based monitoring can detect when a previously benign script begins accessing payment form fields, when data is being prepared for transmission to unexpected destinations, or when DOM manipulation suggests the presence of an overlay attack. These indicators remain effective even when the malicious code originates from a trusted source or employs novel obfuscation techniques.
The approach also addresses the operational reality that modern e-commerce sites depend on numerous third-party scripts for essential functionality. Marketing tags, analytics platforms, customer service widgets and payment processors all require JavaScript execution. Behaviour-based monitoring allows these legitimate services to function while identifying and blocking anomalous activity that indicates compromise.
Who Should Attend
The webinar is designed for practitioners with direct responsibility for e-commerce security and payment data protection. E-commerce security teams will gain insight into current attack techniques and practical defensive measures. Application security professionals can deepen their understanding of browser-based threats that fall outside traditional application security testing.
CISOs and security architects will find value in the strategic discussion of how digital skimming fits within the broader threat landscape and how defensive architectures must evolve to address client-side risks. IT managers responsible for online storefronts can better understand the technical requirements for protecting their platforms.
Compliance officers working toward or maintaining PCI DSS 4.0.1 certification will benefit from the detailed examination of requirements 6.4.3 and 11.6.1, including practical guidance on implementing controls that satisfy auditor expectations while providing meaningful security improvements.
The Evolving Digital Skimming Threat
Digital skimming continues to evolve in response to defensive improvements. The quarterly review format of this event reflects the rapid pace of change in attack techniques. Campaigns that proved effective three months ago may have been largely mitigated, while new methods emerge to exploit different gaps in defensive coverage.
The sophistication of modern skimming operations reflects their profitability. Payment card data commands consistent value in criminal marketplaces, and the browser-based attack surface offers advantages that server-side compromises cannot match. A single successful skimming campaign can harvest thousands of payment cards before detection, with the merchant bearing both the financial liability and reputational damage.
For organisations operating online storefronts, understanding current attack techniques is no longer optional. The combination of regulatory requirements, financial exposure and customer trust obligations makes browser-based security an essential component of any comprehensive e-commerce security programme.

