The Scripts on Your Checkout Page Are Now a PCI DSS Problem

The Hacker NewsJun 18, 2026Payment Security / Compliance

An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here →

When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of them can be turned into a skimmer.

This is how Magecart works. Sansec has counted more than 100,000 sites hit by web skimming and supply-chain attacks. The 2018 British Airways breach alone exposed 380,000 transactions and a fine that started at £183 million.

The dangerous part: the malicious code usually arrives through a script you already approved. Attackers compromise a third-party vendor, and the payload rides in on a script you have run for months. Nothing looks new. What changed is the script's behavior, not its presence on the page.

The Hacker NewsJun 18, 2026Payment Security / Compliance

An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here →

The Scripts on Your Checkout Page Are Now a PCI DSS Problem

The Scripts on Your Checkout Page Are Now a PCI DSS Problem

Other newsrooms on this story

Related reading

Stripe Blog: Engineering

Stripe Blog: Product

Why We Rebuilt Our Magento Checkout with React: Performance Results

Stripe Blog: Archive

Checkout Friction Detector: A Lightweight JavaScript Library for Finding…

How We Cut Magento Checkout Drop-off by 34% with a React Frontend

Other newsrooms on this story

Related reading

Stripe Blog: Engineering

Stripe Blog: Product

Why We Rebuilt Our Magento Checkout with React: Performance Results

Stripe Blog: Archive

Checkout Friction Detector: A Lightweight JavaScript Library for Finding…

How We Cut Magento Checkout Drop-off by 34% with a React Frontend