Credit card fraud expert here:<p>This happens way more often than you think, particularly with sites that aren't known to you and me. It's entirely trivial to do, very effective, and maintenance next to nothing — but you already know that. As companies continue to choose Stripe/Braintree/etc and maintaining PCI compliance with their payment processor, keyloggers are being deployed less and less.<p>What is needed is a browser extension that checks all requests which contain a param/form data that is 16-digits long and starts with 4/5/6 or 15-digits long and starts with 3. Is such a thing fool-proof? No, it's not. But it'd be a starting point. Maybe add a listener to any inputs that contain such a val to see if anything's hooking into it. Need to whitelist it for ancient processors? Okay, prompt the user.