The Invisible Thief Sitting on Your Favorite Retailer’s Checkout Page — and How to Protect Yourself
The most sophisticated payment card theft happening right now does not involve a stolen wallet or a cloned card reader — it happens in the 400 milliseconds between when you type your card number and when the merchant’s server receives it. It is called a Magecart attack, and it has hit Warner Music Group, British Airways, and hundreds of smaller retailers that never made the news. A malicious script, injected into a third-party component of a retailer’s website, silently copies your card data and sends it to attackers in real time. You see a normal checkout experience. The theft is already done.
As a consumer, there are meaningful steps you can take. Using virtual card numbers offered by your bank creates a one-time-use credential that is worthless if stolen. Apple Pay, Google Pay, and contactless payment methods through your phone tokenize your actual card number so that the merchant never sees it. Checking your card statements weekly — not monthly — allows you to catch unauthorized charges before they age past the point where disputing them is straightforward.
For the businesses on the other side of this equation, PCI DSS v4.0’s new requirement for continuous monitoring of payment page scripts was written precisely to counter Magecart. It is not optional. It is not just for large merchants. It is the baseline that every organization accepting online payments must now meet — and most do not yet.
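What that monitoring looks like in practice, as an added example rather than code from the page or from any PCI DSS guidance document: a check that compares every script on the checkout page against an approved inventory of URLs and SRI-style SHA-256 digests (PCI DSS v4.0 frames this as requirements 6.4.3 and 11.6.1), flagging scripts that are new, scripts whose content changed upstream, and inline scripts nobody approved. Hostnames, script bodies and the in-memory stand-in for fetching from the CDN are all constructed so it runs offline.

```python
import base64, hashlib
from html.parser import HTMLParser
def sri_sha256(body: bytes) -> str:  # SRI-style digest, e.g. "sha256-AbC...="
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

class ScriptCollector(HTMLParser):  # gathers external src URLs and inline bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.external.append(src)
        self._in_script = tag == "script" and src is None
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def audit_page(html, fetch, inventory, approved_inline):
    """Flag scripts absent from the approved inventory or whose content changed."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for url in collector.external:
        digest = sri_sha256(fetch(url))  # fetch(url) -> bytes the CDN serves now
        if url not in inventory:
            findings.append(("unknown-script", url, digest))
        elif inventory[url] != digest:
            findings.append(("changed-script", url, digest))
    for body in collector.inline:
        digest = sri_sha256(body.encode())
        if digest not in approved_inline:
            findings.append(("unknown-inline", body[:40], digest))
    return findings

# Constructed sample: the approved baseline, what the CDN serves now, today's page.
APPROVED_CHECKOUT = b"window.pay = function (form) { return submit(form); };"
INLINE_BOOT = "window.dataLayer = [];"
INVENTORY = {"https://cdn.example.test/checkout.js": sri_sha256(APPROVED_CHECKOUT)}
APPROVED_INLINE = {sri_sha256(INLINE_BOOT.encode())}
SERVED_NOW = {  # checkout.js was altered upstream; chat.js was never approved
    "https://cdn.example.test/checkout.js": APPROVED_CHECKOUT + b" /* edited */",
    "https://tags.example.test/chat.js": b"/* widget nobody reviewed */",
}
CHECKOUT_HTML = f"""<script src="https://cdn.example.test/checkout.js"></script>
<script>{INLINE_BOOT}</script>
<script src="https://tags.example.test/chat.js"></script>"""
```

Run on a schedule against the page as a real browser receives it, each finding is an alert for the payment team; the approved inventory is the documented list of scripts with their business justification that the requirement asks for.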