Formjacking protection has quietly become one of the most overlooked gaps for any small business that takes card payments online. The attack — also called web skimming, e-skimming, or Magecart — plants a few lines of malicious JavaScript on your checkout or form page. As a customer types their card number, name, and address, a hidden copy is sent to the attacker. The page still works. The order still goes through. Nobody notices — sometimes for months.
How formjacking actually works
Think of it as a skimmer on a gas pump, but for your website. The attacker doesn't need to break your payment processor — they just need to change what runs in the customer's browser on the page where the card details are entered. There are two common routes in:
- Direct compromise.Attackers exploit an unpatched e-commerce platform, a vulnerable plugin, or a weak admin login, then edit your site's code to add the skimmer.
- Third-party (supply-chain) compromise.They compromise a script your site already loads — analytics, live chat, ads, a tag manager, or a payment widget — so the malicious code arrives from a vendor you trust. Your own site was never “hacked,” yet your checkout is skimming cards.
That second route is why formjacking is so persistent for SMBs: a typical checkout loads a dozen or more third-party scripts, and any one of them is a potential doorway. You can patch your own platform perfectly and still be skimmed through someone else's code.
Why small businesses are prime targets
It's a myth that skimmers only chase big retailers. Attackers run automated scans across the internet for known-vulnerable platforms and plugins, then drop a skimmer on whatever checkout answers. A small store on an out-of-date version of its e-commerce platform is an easy, unattended target — and because the skimmer is silent, it can harvest cards for months before a bank's fraud team traces the pattern back to your site. You don't have to be large to be worth skimming; you just need an online checkout and a gap.
PCI DSS 4.0 now requires this
Two payment-page requirements became mandatory on 31 March 2025. Requirement 6.4.3 — inventory and authorise every script that loads on the payment page, and confirm its integrity. Requirement 11.6.1— deploy a change- and tamper-detection mechanism that alerts on unauthorised changes to the payment page and its HTTP headers as received in the customer's browser. If you take card payments through a web page, you're in scope.
How to stop formjacking — the controls that matter
Formjacking protection isn't one product; it's a short stack of controls, most of which also satisfy the new PCI requirements. In rough priority order:
- Inventory and manage your payment-page scripts. List every script that loads on the checkout, confirm you actually need each one, and remove the rest. Fewer third-party scripts means fewer doorways. This is PCI 6.4.3 in practice.
- Add a Content-Security-Policy (CSP). A CSP tells the browser exactly which sources are allowed to run scripts and where data may be sent, so an injected skimmer that tries to exfiltrate to an unknown domain is blocked.
- Use Subresource Integrity (SRI). SRI pins a cryptographic hash to a third-party script so the browser refuses to run it if the file has been altered — directly defeating the tampered-vendor-script route.
- Deploy payment-page tamper detection.A monitoring tool that watches the page as the customer's browser sees it and alerts on unexpected script or header changes. This is PCI 11.6.1 — and it's what turns “we had no idea” into an early warning.
- Patch relentlessly. Keep your e-commerce platform, plugins, and themes current — most direct compromises exploit a known, already-patched flaw.
- Lock down the admin. Enforce MFA on every admin and CMS login, and limit who can edit site code. A stolen admin password is the fastest way in.
- Add monitoring and response. File-integrity monitoring on the server and modern EDR shorten the time a skimmer can run, and a 24/7 team means an alert at 2 a.m. is actioned, not just logged.
Our free Security Grade scan checks the security headers (including Content-Security-Policy) that block skimmers from exfiltrating data — enter your domain and see where you stand.
Run the free scanThe bottom line
If you take card payments through a web page, formjacking is now both a real threat and a compliance obligation. The attack is quiet, the victims are disproportionately small businesses on unattended platforms, and PCI DSS 4.0 no longer treats protection as optional. The good news: the same handful of controls — script management, a CSP and SRI, patching, MFA, and payment-page tamper detection — satisfy the requirement and actually stop the skimmer.
Related reading: why network segmentation limits the blast radius, managing third-party and vendor risk, and the complete SMB cybersecurity checklist.
Frequently Asked Questions
What is formjacking?
Formjacking is an attack that injects malicious JavaScript into a website's payment or form pages to silently steal what customers type — card numbers, CVVs, names, and addresses — as they check out. It's also called web skimming, e-skimming, or Magecart (after the criminal groups that popularised it). The page keeps working normally, so neither you nor the customer notices; a copy of the data is quietly sent to the attacker.
How does formjacking get onto a site?
Two common ways. First, directly: attackers exploit an unpatched e-commerce platform, plugin, or admin login and edit your site's code. Second — and increasingly — through a third party: they compromise a script your site loads (analytics, chat, ads, a payment widget, a tag manager), so the malicious code arrives from a vendor you trust. That supply-chain route is why script monitoring matters as much as patching.
Does PCI DSS require formjacking protection?
Yes. PCI DSS 4.0 added two requirements aimed squarely at payment-page skimming, and they became mandatory on 31 March 2025: Requirement 6.4.3 says you must inventory and authorise every script that loads on the payment page and confirm its integrity, and Requirement 11.6.1 says you must deploy a change- and tamper-detection mechanism that alerts on unauthorised changes to the payment page and its HTTP headers as received in the customer's browser. Any business that takes card payments through a web page is in scope.
Are small businesses really targeted by formjacking?
Yes — arguably more than large ones. Attackers run automated scans for known-vulnerable e-commerce platforms and plugins, then skim whatever checkout they find. A small store on an out-of-date platform is an easy, unattended target, and the skimmer can run for months before anyone notices. You don't need to be big to be worth skimming; you need an online checkout and a gap.
How would I even know if my checkout was skimmed?
Often you wouldn't, without monitoring — that's the point. The tell-tale signs are indirect: your bank or card processor flags your site as a common point of purchase for fraud, customers report fraud after buying from you, or a tamper-detection tool alerts on an unexpected script change. Deploying the PCI DSS 4.0 change-detection control (11.6.1) is what turns 'we had no idea' into an early warning.
Worried your checkout is exposed?
Get a free 30-minute assessment. We'll review your payment-page scripts, headers, and PCI DSS 4.0 posture, and hand you a plain-English list of what to fix first.
Get Free Assessment