Have Your Merchants Do These 3 Things Right Now to Secure Their Checkout Page
10-1-2025

By Aaron Willis
Merchants often don’t know where to start when it comes to protecting their ecommerce website checkout pages.
Here are three of the easiest and most effective steps your merchants can take right now that will immediately improve their defenses against eskimming attacks.
1. Implement a Third-Party Hosted iframe Payment Solution
A hosted iframe (such as those provided by reputable TPSPs) ensures that card data is collected in an isolated, PCI-validated environment. Even if the merchant’s own site is compromised, attackers have to contend with several more security layers to access sensitive payment fields.
This can reduce PCI scope and limit the merchant’s liability, while also protecting the customer’s card data at the point of entry.
Why it works:
Attackers rely on injecting scripts into merchant-controlled fields and files. By pushing payment collection into a secure, third-party frame, you create a wall between your environment and the payment process.
Additionally, in the event of a data breach, it narrows the scope of a forensic investigation to the checkout page itself.
With an iframe, if a threat actor is going to capture credit card data, they must do so at precisely the moment the customer is typing it in. After the card is submitted, the opportunity for theft is gone.
2. Implement File Integrity Monitoring (FIM) on the Web Server
FIM detects unexpected changes to critical web and configuration files, the exact kind of changes attackers make when they inject skimmers, redirect code, or backdoors.
With FIM in place, merchants can be alerted immediately when something changes, instead of discovering it weeks later through a forensic investigation.
Why it works:
Eskimming code often requires modifying legitimate files on the merchant’s web server.
Catching that change in real time means merchants can respond before attackers harvest large amounts of data, or even before they can get their attack off the ground.
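The baseline-and-compare logic at the heart of FIM, shown as an added example that is not from the article or from any SecurityMetrics product. The web root, file names and the simulated "tampering" (an appended comment line and a dropped file) are constructed for the demo; a real deployment would store the baseline off-box and run the comparison on a schedule or from an inotify-style watcher.

```python
import hashlib
import tempfile
from pathlib import Path

# File types attackers typically modify when planting skimmers or redirects.
WATCHED = {".js", ".php", ".html", ".htaccess"}


def sha256_file(path):
    """Stream a file through SHA-256 so large assets don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative POSIX path: sha256} for every watched file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and (p.suffix in WATCHED or p.name in WATCHED)
    }


def compare(baseline, current):
    """Classify differences between a trusted baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: clean web root, then one edited script and one new file."""
    with tempfile.TemporaryDirectory() as webroot:
        js = Path(webroot, "js")
        js.mkdir()
        (js / "checkout.js").write_text("form.addEventListener('submit', submitOrder);\n")
        (Path(webroot) / "index.html").write_text("<html><body>shop</body></html>\n")
        baseline = build_baseline(webroot)  # taken while the site is known-good
        # Simulate unexpected changes (placeholder content, not a real payload).
        with open(js / "checkout.js", "a") as f:
            f.write("// CONSTRUCTED PLACEHOLDER: line appended after baseline\n")
        (js / "jquery-ui.min.js").write_text("// CONSTRUCTED PLACEHOLDER: new file\n")
        return compare(baseline, build_baseline(webroot))
```

Any non-empty entry in the returned dict is the alert a merchant should receive immediately, with the deployment pipeline being the only expected source of such changes.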
3. Use a Checkout Monitoring Service
Monitoring your checkout process provides ongoing, client-side scanning of the checkout page, alerting merchants if malicious scripts are present or if malicious redirects or overlays bypass secure payment flows.
Unlike traditional vulnerability scans, these tools see the checkout page the way a customer does.
Why it works:
Even when merchants outsource their gateway, their own website is still the front door attackers attempt to exploit.
Detecting changes to the checkout page using tools like SecurityMetrics’ Shopping Cart Monitor helps ensure sensitive transactions are transmitted securely to your authorized payment gateway every time and not hijacked off to a thief’s website.
Protect Your Merchants the Right Way
Every good camper knows to never leave food in their tent. The wild critters can’t resist it, and will chew or rip holes through weak tent walls to access the goods.
Your merchants’ websites are no different. Credit cards are hacker bait. Even if they’ve outsourced card data collection, their website is still the tent wall these obnoxious critters will gnaw through to get a customer’s 16 irresistible, magic digits.
No single security control is perfect, and there are many others that need to be in place.
However, these three measures, working in combination, dramatically reduce the risk of malicious script attacks. A hosted iframe limits the exposure of card data, file integrity monitoring detects server-side tampering, and Shopping Cart Monitor puts eyes on the browser checkout process where FIM cannot help.
When configured and monitored properly, these tools give merchants a layered, solid defense that is highly effective at both attack prevention and loss mitigation, should an attack occur.
About the Author
Aaron Willis is the VP of Forensic Investigations at SecurityMetrics. He has almost 30 years of diverse experience in all aspects of IT security, digital forensics, risk assessment, business intelligence, data mining, SaaS consulting, and programming. Willis has taught Programming, Databases and Digital Forensics as an adjunct instructor at Utah Valley University. Willis holds a Bachelor’s in IT from the same school and a Master’s in Digital Forensics from American Military University.
About ETA
The Electronic Transactions Association (ETA) is the global trade association representing more than 500 payments and technology companies. ETA members make commerce possible by processing more than $6 trillion in purchases in the US and deploying payments innovations to merchants and consumers. Learn more: www.electran.org.