Script injection is bad and all but doesn’t convey the fact that sensitive data is being sent to 3rd parties. Skimming, or card skimmer, immediately triggers thoughts of exfiltration.

I support the use of the term in this case.