Web Exposure is Evolving: New Insights from The Melbourne Roundtable


Last week, we hosted a room full of digital security, privacy, and compliance leaders from some of Australia’s top retail and e-commerce brands to get their unique takes on the real-world challenges businesses are facing as they navigate today’s web exposure threats.

From PCI DSS 4.0 to Australia’s privacy crackdown, the common theme was clear: what’s running in your customers’ browsers is no longer something you can afford to ignore.

Here are the key takeaways from the discussion.

1. The Web Exposure Threat Landscape is Maturing Fast

Even after all this time, client-side attacks like Magecart are still evolving. The crude, card-skimming attacks of the 2010s have morphed into a stealthy, persistent threat that’s targeting high-traffic retail sites and exploiting blind spots in third-party integrations.

We explored emerging techniques like WebSocket-based exfiltration and DoubleClickjacking, advanced methods attackers are using to silently extract sensitive data without tripping server-side alarms.

Your website isn’t just yours anymore: it’s also at the mercy of marketing scripts, plugins, CDNs, shadow IT, and open-source tools that often lack any centralised governance.

2. CSPs and Tag Managers Are Not Enough

Many organisations assume that Content Security Policy (CSP) headers or their tag management system offer adequate protection, but that isn’t the case. Unfortunately, attackers are now compromising trusted domains, effectively bypassing the CSP altogether.

Scripts from chat tools, personalisation engines, or analytics vendors may be implicitly trusted, which is a problem because any of them can be exploited.

As one attendee put it: “We’ve done the CSP, but we still don’t know what half these scripts are doing.”

3. PCI DSS 4.0 (Section 6.4.3) is Causing Operational Pain

The new PCI requirements, particularly 6.4.3 and 11.6.1, are forcing teams to manually inventory, justify, and monitor every payment page script. It’s tedious, siloed work that often involves IT, marketing, and legal teams, too, but our customers shared how Reflectiz helped them reduce this burden. Its smart behavioural analysis and bulk approval features dramatically reduced their script-related chores, so that by their estimates, they realised time savings of more than 90% compared to their previous method.

The problem isn’t just compliance, it’s the operational load on teams that are already stretched thin.
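As an added illustration (not from the roundtable and not Reflectiz's product code), the sketch below shows the kind of check sections 2 and 3 describe: every external script on a payment page is compared with an inventory that records a justification and the hash of the approved content, next to a CSP-style host allowlist. The hosts, script bodies and inventory format are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects the src URL of every external <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def sha256(body):
    return hashlib.sha256(body).hexdigest()

def audit(page_html, fetched, csp_hosts, inventory):
    """Return (url, csp_allows_host, finding) for each script failing the inventory."""
    collector = ScriptCollector()
    collector.feed(page_html)
    results = []
    for url in collector.sources:
        entry = inventory.get(url)
        if entry is None:
            finding = "not in inventory"
        elif not entry["justification"]:
            finding = "no justification recorded"
        elif sha256(fetched[url]) != entry["sha256"]:
            finding = "content changed since approval"
        else:
            continue  # inventoried, justified and unchanged
        results.append((url, urlparse(url).hostname in csp_hosts, finding))
    return results

# Constructed sample data: hypothetical hosts, script bodies and inventory format.
PAGE = ('<script src="https://chat.example/widget.js"></script>'
        '<script src="https://stats.example/a.js"></script>'
        '<script src="https://chat.example/extra.js"></script>'
        '<script src="https://pay.example/checkout.js"></script>')
CSP_HOSTS = {"chat.example", "stats.example", "pay.example"}
INVENTORY = {
    "https://chat.example/widget.js": {"justification": "support chat", "sha256": sha256(b"chat()")},
    "https://stats.example/a.js": {"justification": "", "sha256": sha256(b"track()")},
    "https://pay.example/checkout.js": {"justification": "card form", "sha256": sha256(b"pay()")},
}
FETCHED = {"https://chat.example/widget.js": b"chat();extra()", "https://stats.example/a.js": b"track()",
           "https://chat.example/extra.js": b"x()", "https://pay.example/checkout.js": b"pay()"}
print(*audit(PAGE, FETCHED, CSP_HOSTS, INVENTORY), sep="\n")
```

All three findings come from hosts the allowlist permits, which is the gap between a host-based CSP and a per-script inventory.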

4. Privacy Pressure is Growing in Australia

Delegates touched on the increasing regulatory scrutiny in Australia. With OAIC and ACCC investigations heating up, businesses are under pressure to demonstrate consent, cookie control, and clear boundaries around trackers.

Our platform’s new privacy and tag governance dashboards generated strong interest, especially among those struggling to validate third-party behaviours for privacy reporting. 

In the words of one attendee, “I’m getting more worried about privacy fines than breaches right now.”

5. Continuous Web Threat Monitoring is Now a Must

We wrapped up with a powerful reminder: you can’t protect what you can’t see. Without real-time monitoring of client-side behaviour, you’re flying blind. Reflectiz offers a non-invasive, agentless way to illuminate the true extent of your exposure and reduce risk.

Whether you’re trying to hit a PCI milestone, reduce reliance on brittle manual processes, or defend customer trust, web exposure management is no longer optional.

Final Thoughts

This was a thoughtful, open conversation that showed just how widespread these problems are and how urgent they are becoming. We’re grateful to the leaders who joined us and shared their stories, and we’re excited to continue building a more secure, transparent, and safe web experience together.
