The Payment Page That Passed Your Last Audit Isn’t the One Running Now


Beyond PCI DSS compliance: what an expert panel had to say about the accountability gap no framework alone can close, and why passing your assessment doesn’t mean your checkout page is safe.


A successful PCI audit doesn’t mean your checkout is safe. A company can pass its assessment and still find that customer card data is being skimmed off the checkout page by a third-party script that changed after the review.

This isn’t a problem that the version 4 update fixed. In January 2026, researchers at Silent Push documented a skimming campaign that had been running since early 2022, meaning it was active both before and after the March 31, 2025 deadline, when the new payment-page requirements became mandatory.

It was harvesting card data across six major networks, including Mastercard, American Express, and Discover. Its cleverest trick: the malicious script checks for a logged-in WordPress administrator and self-destructs if it sees one, so anyone auditing the page sees nothing wrong.

According to Recorded Future, the number of e-commerce sites hit by skimmers roughly tripled in 2024, to around 11,000. So there is a real chance you could pass your assessment and still be bleeding card data right now.

This gap was the subject of a recent Reflectiz panel, Beyond PCI DSS Compliance: Who Owns Payment Risk in 2026, a lineup built to argue with itself. Úna Dillon, Regional Director for Europe at the PCI Security Standards Council, represented the body that writes the requirements. Deepak Kumar, CISO of APEXX Global, brought the payments-industry view. Mark Barry, Senior Security Operations Manager at Domino’s Pizza UK and Ireland, and Pete Chenery, Global Head of Cyber Security at Naked Wines, brought the daily reality of defending high-traffic checkout pages. Host Leor Eliashiv, Reflectiz’s UK and Ireland country manager, kept the pressure on a single question: when compliance and security stop being the same thing, who is actually holding the risk?

Compliance is a snapshot. Your checkout is a film.

That is the reality merchants face, because attackers have shifted their focus. For years, the instinct was to fortify the server. But modern payment pages pull in dozens of external scripts: analytics, A/B tests, marketing pixels, tag managers. Each one is a doorway into the browser itself, where attackers intercept card data before encryption ever becomes relevant. PCI DSS 4.0.1 responded with two requirements: 6.4.3 (keep an inventory of every script on your payment pages) and 11.6.1 (monitor those scripts for unauthorized change on an ongoing basis).

But even the body that writes the standard was candid about its limits:

"PCI DSS was never intended to be viewed as the ceiling for security. It's a strong baseline."
Úna Dillon, Regional Director Europe, PCI Security Standards Council

You can complete an assessment and still carry blind spots: unmanaged scripts, unauthorized browser changes, weak monitoring. You can be compliant today and not compliant tomorrow, Dillon noted, because of the speed at which these scripts are attacked. Deepak Kumar made the stakes concrete:

"If a script is changed today, millions of transactions can happen before it's identified as malicious. By then, the damage is done."
Deepak Kumar, Head of Information Security at APEXX Global

A point-in-time assessment cannot see that. Continuous visibility can.

Dillon also named the misconception underneath all of this: the assumption that if the payment provider is secure, the payment page itself is secure. Attackers increasingly target the layer around the transaction rather than the processor itself.

"The modern payment page is effectively part of the security perimeter now, and it should be governed accordingly."
Úna Dillon, Regional Director Europe, PCI Security Standards Council


The number that reframes the threat

One of the most arresting moments came from Reflectiz’s own research across 4,700 websites, which found that 64% of third-party applications had access to sensitive data they did not need, up from 51% the year before. These were not sophisticated attacks, just over-permissioned scripts sitting on data they had no business touching, and nobody noticed. The headline fear is the exotic skimmer. The everyday exposure is the legitimate script with too much reach.

And that reach is not only a security problem. A script quietly collecting more than it needs is a data-protection problem too, and regulators have begun treating a stated claim of compliance as a promise they will hold you to, not a box you once ticked.

So, who owns the risk?

This is the accountability gap the panel set out to name: the space between where formal compliance ends and where real accountability must begin. In most companies, marketing owns the pixels, digital owns the experience, and security owns the risk. So when a script drives revenue and creates exposure, who gets the final say?

The panelists admitted the answer can be messy, and offered some of their sharpest practical thinking on closing the gap. The simplest move came from Mark Barry at Domino’s, who treats third-party script access exactly like a user access review:

"This script's got access to this data. Do you still need that access, and can you justify why you need to have it?"
Mark Barry, Senior Security Operations Manager at Domino’s Pizza UK & Ireland Ltd

Scripts that cannot answer get scoped down or removed, on a monthly or quarterly cycle rather than once a year. On who holds the authority to actually stop a risky script, Deepak Kumar pointed to the standard itself:

"The standard has a requirement, 12.1.4, of executive management-level authority to stop the risk when it exceeds your appetite."
Deepak Kumar, Head of Information Security at APEXX Global

The panel also dug into why treating the assessment as a finish line is a regulatory risk in its own right.

For Mark, the stakes were never really about the audit. Asked how the gap between compliance and day-to-day reality looks on the ground, he reframed it around customer confidence and reputational risk:

"If people lose confidence in what we're doing, then there are other pizza brands available."
Mark Barry, Senior Security Operations Manager at Domino’s Pizza UK & Ireland Ltd

The point applies to any business.

And then there’s AI

The panel also split on how much AI changes the picture. Pete Chenery of Naked Wines was blunt about the uncertainty:

"I don't think we know yet, and we may not even know in another five years."
Pete Chenery, Global Head of Cyber Security at Naked Wines

The optimistic read is that AI sharpens defenders’ tools. The worry is that it lowers the bar for entry, so attackers no longer need deep skill:

"People are tinkering and probing a lot more, and that's down to the fact that they can use an AI platform and generate something off the bat."
Mark Barry, Senior Security Operations Manager at Domino’s Pizza UK & Ireland Ltd

Nobody disputed the pace, with Chenery expecting more change over the next twelve months than in the last several years combined. Where the panel landed on how defenders should respond is one of the threads worth hearing in full.

Watch the full conversation

The panel goes further than any summary can on the AI threat, vendor accountability, and what security and compliance leaders should be doing now to close the gap.

Watch Beyond PCI DSS Compliance: Who Owns Payment Risk in 2026 on demand →

And if you want to see what is actually executing on your own payment pages right now, you can start a free Reflectiz trial.

FAQs

Does passing a PCI DSS assessment mean my checkout page is secure?

No. A PCI DSS assessment is a point-in-time snapshot, while a live checkout page changes constantly as third-party scripts are added, updated, or compromised. A company can pass its assessment and still have card data skimmed off the page by a script that was altered after the review. As more than one panelist on Reflectiz’s Beyond PCI DSS Compliance panel put it, you can be compliant today and not compliant tomorrow.

How can companies manage third-party script risk on payment pages?

A practical approach raised on the panel by Mark Barry of Domino’s is to treat third-party script access exactly like a user access review. For each script you ask three questions: what data can this script see, do you still need that access, and can you justify it. Scripts that cannot justify their reach are removed or scoped down, and the review is repeated regularly rather than once a year.

How do skimming scripts avoid detection during an audit?

Modern skimmers are built to hide from the people most likely to find them. In a campaign documented by Silent Push in January 2026 and active since early 2022, the malicious script checked the page for a logged-in WordPress administrator and triggered a self-destruct routine when it detected one. Anyone auditing the page sees a clean checkout, while ordinary shoppers continue to be skimmed.

How is AI changing payment page security threats?

AI cuts both ways. It sharpens the tools available to defenders, but it also lowers the barrier to entry for attackers, since standing up a convincing skimmer no longer requires deep technical skill. The likely result is more probing attempts more often, and panelists agreed the next twelve months may bring more change than the last several years combined.

What is a web skimming or Magecart attack?

A web skimming attack, often called Magecart, is when an attacker injects malicious JavaScript into a checkout page to steal payment card data as the shopper enters it. Because the code runs inside the browser, it captures card numbers before they are encrypted and sent to the payment processor. These attacks frequently enter through a compromised third-party script rather than through the merchant’s own server.

What is PCI DSS requirement 11.6.1?

Requirement 11.6.1 of PCI DSS 4.0.1 requires merchants to deploy a change- and tamper-detection mechanism that monitors the payment page on an ongoing basis. It alerts security teams when payment page content or HTTP headers are modified without authorization. Together with 6.4.3, it moves payment page security away from a one-time check and toward continuous monitoring.

What is PCI DSS requirement 6.4.3?

Requirement 6.4.3 of PCI DSS 4.0.1 requires merchants to manage every script that loads on a payment page. Each script must be authorized, its integrity must be assured, and the full set of scripts must be kept in an inventory with a written justification for why each one is present. The goal is to eliminate unknown or unmanaged scripts running in the payment environment.
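What these two requirements look like as a check, serving both the earlier description of 6.4.3 and 11.6.1 and the two FAQ entries above, with Mark Barry's "do you still need that access" question folded in as an unjustified-script finding. This is an added example, not Reflectiz's product or the panel's code; every URL, HTML fragment and script body is constructed sample data, and a real monitor would fetch the live page and each external script on a schedule instead of reading them from a dict.

```python
import hashlib
import re

# Added example (not Reflectiz's or the panel's code); all URLs, HTML and script bodies are constructed.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'\bsrc\s*=\s*"([^"]*)"', re.IGNORECASE)

def page_scripts(html: str, fetched: dict) -> dict:
    """Map each script on the page to the SHA-256 of what it actually executes.
    External scripts are keyed by URL and hashed from the fetched body (a real monitor
    would download it; a body that was not fetched hashes as empty); inline scripts
    are keyed by their own hash, so a modified inline script shows up as a new key."""
    scripts = {}
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            scripts[src.group(1)] = hashlib.sha256(fetched.get(src.group(1), b"")).hexdigest()
        else:
            digest = hashlib.sha256(body.strip().encode()).hexdigest()
            scripts["inline:" + digest[:16]] = digest
    return scripts

def build_inventory(html: str, fetched: dict, justifications: dict) -> dict:
    """6.4.3: every authorized script, its integrity hash and a written business justification."""
    return {k: {"sha256": d, "justification": justifications.get(k, "UNJUSTIFIED")}
            for k, d in page_scripts(html, fetched).items()}

def review_page(html: str, fetched: dict, inventory: dict) -> dict:
    """11.6.1-style comparison of a later snapshot against the inventory, plus the access-review question."""
    now = page_scripts(html, fetched)
    return {
        "unauthorized": sorted(k for k in now if k not in inventory),
        "tampered": sorted(k for k in now if k in inventory and now[k] != inventory[k]["sha256"]),
        "missing": sorted(k for k in inventory if k not in now),
        "unjustified": sorted(k for k, v in inventory.items() if v["justification"] == "UNJUSTIFIED"),
    }

# Constructed baseline: the page and script bodies as captured on assessment day.
PAY, PIXEL, AB = ("https://pay.example.test/checkout.js", "https://tags.example.test/pixel.js",
                  "https://cdn.example.test/ab.js")
BASELINE_HTML = (f'<html><body><script src="{PAY}"></script><script src="{PIXEL}"></script>'
                 '<script>window.cartTotal = 42;</script></body></html>')
BASELINE_FETCHED = {PAY: b"function tokenize(card) {/* hands the card to the PSP */}",
                    PIXEL: b"track('checkout_view');"}
INVENTORY = build_inventory(BASELINE_HTML, BASELINE_FETCHED,
                            {PAY: "Payment form; owned by payments team",
                             PIXEL: "Marketing attribution; owned by marketing"})
# Constructed later snapshot: pixel.js changed at its origin and a new A/B-test script appeared.
LATER_HTML = BASELINE_HTML.replace("</body>", f'<script src="{AB}"></script></body>')
LATER_FETCHED = {**BASELINE_FETCHED, PIXEL: b"track('checkout_view'); /* changed upstream */",
                 AB: b"/* A/B test */"}
```

Running `review_page(LATER_HTML, LATER_FETCHED, INVENTORY)` reports the A/B script as unauthorized, pixel.js as tampered, and the inline script (present on assessment day but never justified) as a candidate for the next access review.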

What is the difference between PCI DSS compliance and payment page security?

Compliance is proof that you met a defined set of requirements at a specific moment, while security is the ongoing state of your live payment page. The two overlap but are not the same, because you can be fully compliant on assessment day and still be exposed the next day if a script changes. PCI DSS 4.0.1 narrows the gap with its continuous monitoring requirements, but the standard was never intended to be the ceiling for payment page security.

What is unjustified access by third-party scripts?

Unjustified access is when a third-party script or application can reach sensitive data it does not need to do its job. Reflectiz research across 4,700 websites found that 64% of third-party applications had access to sensitive data without business justification, up from 51% the year before. Common examples include a chatbot that can read payment fields, or a marketing pixel using full DOM access to scrape an entire page rather than the limited elements it actually requires.

When did the new PCI DSS payment-page requirements become mandatory?

The payment-page script requirements, 6.4.3 and 11.6.1, became mandatory on March 31, 2025. Before that date they were treated as best practice under PCI DSS 4.0. Skimming campaigns documented by researchers were active both before and after this deadline, which underlines that meeting the requirement on assessment day does not guarantee ongoing protection.

Who owns payment page risk inside an organization?

Payment page risk usually has no single clear owner, which the Reflectiz panel called the accountability gap. In most companies marketing owns the pixels, digital owns the experience, and security owns the risk, so when a revenue-driving script also creates exposure, no one team has the final say. Closing the gap means assigning explicit accountability rather than treating a passed assessment as the finish line.

Why isn’t point-in-time PCI compliance enough to stop skimming?

A point-in-time assessment can only confirm what the payment page looked like on the day it was reviewed. Payment pages change continuously, and a script can be tampered with at any moment after the assessment, allowing millions of transactions to flow through before anyone notices. According to Recorded Future, the number of e-commerce sites hit by skimmers roughly tripled in 2024 to around 11,000, which shows how fast the risk moves. Continuous visibility into what actually executes on the page is what closes that gap.
