[vkjv]

Unfortunately, PCI does not put very many restrictions on the parent website. If credit card elements are in an iFrame, the parent site is excluded from most requirements because the iFrame is "secure."

Of course, if you own the parent site you can replace the iFrame with anything you want.

[marak830]

I'm still confused as to how they could insert code here.

Are we talking about a server intrustion where they modified the actual cart code, or something between Newegg and the payment servers? (Sorry this isn't my domain, I'm just curious)

[lacker]

It looks to me like a server intrusion where they modified static files kept on a webserver (like apache or nginx). But it also seems like we don't have enough evidence to know for sure. (Edit: or they might have been static files kept on a CMS.)

[tyingq]

PCI also doesn't necessarily mandate some common sense things either, like monitoring for unexpected changes on the cart page.

[vkjv]

FWIW, I just checked and they don't use an iFrame approach. This means their entire checkout page must be in scope for SAQ-D.