Compliance Does Not Equal Security 

Passing PCI DSS 4.0.1 does not mean your payment pages are secure. 

June 25th at 2:00PM

Many organizations have implemented script inventories, integrity checks, and tamper-detection monitoring to meet PCI DSS requirements 6.4.3 and 11.6.1. At the same time, eSkimming attacks continue to target the browser, where payment data and PII are entered and where those controls have the least visibility.

The gap is straightforward. PCI DSS defines required controls. It does not ensure those controls are effective against how modern attacks actually work.

This session looks at that gap in practical terms. We will walk through how eSkimming attacks operate at the client side, where traditional approaches fall short, and what it takes to reduce exposure in environments that rely on third- and fourth-party JavaScript. 

You will also see why controls such as CSP and SRI often create operational overhead without addressing the underlying risk in dynamic applications: SRI pins the exact bytes of one script, so every vendor release breaks the page until the hash is updated, and it does not apply to scripts that an approved script injects at runtime; a CSP allowlist constrains which origins those scripts may be loaded from, not what they do with the fields on the page. Behavior-based approaches change how scripts are monitored and controlled in real time by looking at what a script does rather than where it came from.

Key Takeaways:

  • Where PCI DSS 4.0.1 aligns with real risk, and where it does not
  • How eSkimming attacks access payment data and PII in the browser
  • Why third- and fourth-party scripts expand the attack surface
  • The limits of CSP and SRI in environments that change frequently
  • What a practical approach looks like for monitoring and controlling script behavior

 If your current plan is focused on passing the audit, this session will help you understand what still needs attention.