The Top 3 Things a Forensic Analyst Wants You to Know About Protecting Your Merchant Portfolio
9-11-2025

by Aaron Willis, VP Forensic Investigations, SecurityMetrics
There are blind spots in the industry about eskimming, PCI requirements, and AI. Half the battle of securing your merchant portfolio is knowing where to start.
Here are the three main insights I would give to help your merchants in their compliance journey:
1. The Eskimming Epidemic: Merchant Vulnerability
Over time, ecommerce has evolved to make online transactions easier for customers and merchants. Third Party Service Providers (TPSPs) ease the burden of ecommerce by shifting the responsibility for collecting card data away from merchants and therefore reducing the scope of their compliance.
However, since 2020, threats to card data have also evolved to keep up. Forensic analysts have seen payment card data being skimmed from seemingly ‘secure’ iframes, and have found client-side risks to be far more common. In fact, forensic analysts at SecurityMetrics have performed nearly 3,000 investigations and identified that 100% of malicious script injections happened on the merchant’s side, not their TPSP’s.
Merchants often have a false sense of security, believing that their TPSP is solely responsible for security. They don’t realize that the trend of attacks focuses on their hosting page, button redirects, and code. Being ignorant of their vulnerability has sadly put many merchants out of business.
This is why tools like SecurityMetrics Shopping Cart Monitor are crucial for the detection of eskimming attacks. Not only does Shopping Cart Monitor help with PCI requirements 6.4.3 and 11.6.1, but it also doesn’t require code to get it up and running.
2. The PCI Pitfall: What Merchants and Acquirers Get Wrong About 6.4.3 and 11.6.1
While many merchants see PCI as a box they need to check, it’s actually designed to protect their business and their clientele. Cutting corners might save them time at first, but it can, and often does, cost them their business in the long run. Breaches are far more expensive than compliance, but many merchants don’t realize it until it’s too late to mitigate the risks.
From a forensics standpoint, there’s a misconception about PCI DSS 4.0.1 that is deeply concerning. Many merchants completing SAQ A are operating under the notion that eskimming isn’t their problem, and that they don’t need to worry about requirements 6.4.3 and 11.6.1. These requirements weren’t removed from SAQ A; they were simply reworded. Merchants now have two ways to address them: demonstrate that they are compliant themselves, or show that they have outsourced the responsibility to their TPSP.
3. AI’s Impact on Cybersecurity
Let’s demystify the impact of AI on the industry. It’s here and it’s not going away anytime soon. Everyone is using it, from attackers to merchants and even forensic analysts. Your biggest concern should be how it’s being used.
On the forensic side, we are using AI to detect threats faster. It takes a lot of the busy work out of going through gigabytes of data searching for threats, allowing us to identify problems and resolve them quicker. That being said, AI isn’t foolproof. We have trained analysts checking everything we find, and it’s something your merchants should be aware of too. They can ask, “how do I have confidence that your findings are real and validated?” Merchants should feel comfortable that any issues with their security are real, not just a false positive from an AI tool.
Some merchants are using AI to code their websites, even relying on AI to code their shopping carts at times. It’s not necessarily a bad thing to use AI, but it’s dangerous to trust the code it provides for payments. Merchants should still ensure that the code it produces for them is secure, because they are the ones held accountable when there are holes in their security.
Unsurprisingly, AI is also a tool that attackers are using to collect card data, and they’re good at it. Attackers are adapting faster than ever before, finding ways to customize their attack to specific websites. In our forensic investigations, we’ve seen polymorphic skimmers which change their signatures constantly. These new threats are stealthier than ever and often evade detection.
The best way to stay ahead is to have multiple layers of security. Even if merchants are outsourcing their payment gateway, they have to secure their own websites. Their website is a door to the card data, and where there’s access to card data, there’s always going to be attacks.
Closing Thoughts
Unfortunately, there’s no easy way out of compliance. It’s an inherent part of transactions and ignoring it only leaves merchants vulnerable. You can proactively help your merchants and secure your portfolio by helping them understand modern threats, their specific responsibilities, and the tools at their disposal.
Acquirers and merchants that treat PCI compliance as an ally, not a checkbox, are the ones that survive, and thrive, in today's rapidly evolving threat landscape.
Aaron Willis is the VP of Forensic Investigations at SecurityMetrics. He has almost 30 years of diverse experience in all aspects of IT security, digital forensics, risk assessment, business intelligence, data mining, SaaS consulting, and programming. In addition to being the VP of Technology at ScrapeGoat, Inc, Willis teaches Digital Forensics as an adjunct instructor at Utah Valley University. Willis holds a Bachelor’s in IT from the same school and a Master's in Digital Forensics from American Military University.
About ETA
The Electronic Transactions Association (ETA) is the global trade association representing more than 500 payments and technology companies. ETA members make commerce possible by processing more than $6 trillion in purchases in the US and deploying payments innovations to merchants and consumers. Learn more: www.electran.org.