2025 eSkimming Landscape Report

Critical information you need to truly understand eSkimming Attacks and how to protect your organization 

January 14th at 2:00 PM EST

A threat briefing based on the 2025 Source Defense Threat Landscape Report for merchants, risk and compliance, and security teams who need controls that hold up in defense and in the audit.

Many organizations believe they have improved their eSkimming security posture. CSP is tighter. Script inventories are cleaner. Some teams use SRI. Many monitor the payment page.

The catch: attackers have long used techniques to bypass these approaches and have adapted to bypass PCI DSS 4.0.1 requirements. 

We will break down what Source Defense saw in the 2025 threat landscape and how modern eSkimming campaigns bypass common defenses like CSP/SRI, payment-page-only focus, iFrame hardening, and even “we outsourced payments.”

You will leave with a clearer way to pressure-test your current approach, identify blind spots across the full customer journey, and strengthen the evidence behind your PCI story.

What you will learn:

  • How today’s eSkimming campaigns bypass CSP and SRI and why “allowlisted” does not always mean “safe”
  • Specific details of our research, including a late 2025 coordinated campaign, attacks impacting tens of thousands of sites around the globe, and major innovations in adversarial tradecraft
  • Why payment-page-only monitoring misses real risk across the upstream path to checkout
  • The limits of iFrame hardening, new techniques to bypass it, and what still matters in the parent page context
  • What payment outsourcing reduces, and what risk and responsibility still remain
  • Practical ways to validate that your controls prevent exfiltration, not just detect changes after the fact

Who should attend

  • Merchants and eCommerce leaders responsible for customer trust and revenue
  • CISOs and GRC leaders translating eSkimming risk into defensible governance
  • SOC teams handling detection, triage, and incident response
  • Web security and application engineers implementing controls without breaking the site