Researchers at ecommerce security firm Sansec have uncovered a card-skimming campaign that hides inside two services online stores trust by default: Stripe and Google Tag Manager. The skimmer lives inside a Stripe customer record, activates on checkout pages, and files every stolen card away as a fake customer in the attacker’s own Stripe account, as reported by BleepingComputer. Because all the traffic flows through api.stripe.com, the security filters most websites rely on wave it straight through. The operation has been running since at least Christmas Eve 2025.

If your venue takes bookings, deposits or gift card sales online, your checkout page is exactly what this campaign targets. This wave hits Magento and Adobe Commerce checkouts, but the technique — malicious code hiding inside trusted third-party scripts — works on any platform that loads tag managers or analytics on a payment page. And that’s most of them. For a hospitality business, a skimmed card means chargebacks, an angry guest, and potentially a notifiable data breach under the Privacy Act.

Three questions to ask this week

Put these to whoever runs your website. What scripts load on our checkout page, and who approved each one? Are we monitoring those scripts for changes — something PCI DSS version 4 now expects of merchants? And who still has access to our Google Tag Manager account? Tag managers are a favourite hiding spot precisely because someone in marketing set them up years ago and nobody’s looked since.

If your website, bookings and payments stack has grown organically and nobody really owns its security, that’s fixable — it’s exactly what our hospitality IT team does.