eSkimming Security – Driving Bottom Line Results through Fraud Reduction and Revenue Maximization

by Source Defense
Even with the PCI DSS 4.0 deadline now behind us, many organizations are still exposed to costly eSkimming threats and compliance gaps. Source Defense recently hosted a webinar to explore how compliance actually drives better business outcomes – as seen through the lens of the positive bottom ...
Revenue Risk Hidden in Fly by Night New eSkimming Tools

by Source Defense
Don’t Trust Your Online Revenue Channel to Sub-par Solutions for eSkimming Security (Beware the big box “me too” solutions)
As PCI DSS 4.0.1 enforcement has driven demand for eSkimming security and compliance controls (also known as client-side protection), several big-box CDN and “Swiss army knife” security vendors ...

New Breed of Magecart: GTMs Working Together, JavaScript Hidden in CSS

by Source Defense
The Source Defense Research team has uncovered another active eSkimming campaign which demonstrates the use of novel techniques, and an increasing adversarial focus on attacking websites with techniques that bypass eSkimming security controls which focus solely on protecting payment pages. This indicates an evolution on the part ...
QSA Roundtable: Addressing eSkimming

What QSAs Are Saying About PCI DSS 4.0.1 and eSkimming Controls

by Source Defense
On a recent Source Defense roundtable, seasoned QSAs gathered to discuss the latest PCI DSS 4.0.1 updates—specifically requirements 6.4.3 and 11.6.1—and how organizations should respond. What followed was a frank, practical, and sometimes surprising conversation about merchant eligibility, the limits of iframe protection, and what compliance now ...

Client-Side Security Breach Alert: Blue Shield of California Exposes 4.7 Million Members’ Health Data Through Web Analytics Configuration

by Source Defense
A recent incident at Blue Shield of California highlights the critical importance of client-side security controls when implementing third-party scripts on healthcare websites. The nonprofit health plan has disclosed a significant data breach affecting 4.7 million members, stemming from a misconfiguration of Google Analytics on their web ...

New Magecart Variant Targets UK Retailer in Stealthy Double-Entry Attack

Source Defense Research Blog | April 23, 2025
A Familiar Threat Resurfaces in the UK
Our Source Defense Research team has uncovered an active Magecart-style eSkimming attack targeting a major UK-based online homeware retailer among a list of others. This campaign employs the same technique we observed earlier this year ...

CSP FY: A Magecart Attack That Dodges Policy—and Makes a Joke While Doing It

by Source Defense
When attackers are clever enough to name their cookie “csp_f_y,” you know they’re not just exfiltrating data—they’re mocking your defenses. In a recent attack spotted by the Source Defense Cyber Research team, a compromised first-party script on a payment page stored sensitive data in a cookie named ...
Sophisticated Payment Card Skimming Campaign Conceals Itself by Leveraging Stripe API

by Source Defense
A newly discovered payment card skimming campaign has emerged exhibiting a concerning level of sophistication and leveraging unique tactics that make detection highly challenging. The attack, identified by Source Defense researchers, employs an innovative technique that exploits Stripe’s deprecated API to verify card details before exfiltration – ...

Next Steps from the PCI Council’s SAQ-A Update: Critical Responsibilities and Opportunities for PSPs

by Source Defense
The PCI Council’s recent update to SAQ-A merchant requirements will spark questions and confusion across the eCommerce ecosystem. Under the changes, SAQ-A merchants will no longer have to specifically follow requirements 6.4.3 and 11.6.1 – but in order to be SAQ-A eligible, they must still have eSkimming ...

Assessing the New SAQ-A Changes: Insights for QSAs

by Source Defense
The PCI Security Standards Council’s recent update to SAQ-A merchant eligibility and compliance requirements introduces significant changes with just weeks to go before the March 31st deadline for 6.4.3 and 11.6.1…shocker. The TL;DR? Under the changes, SAQ-A merchants will no longer have to specifically follow requirements 6.4.3 ...