Another option would be hosting the payment scripts locally on their own backend and redirecting all the calls through a proxy to them. If they have already hacked your backend, you have far larger problems than a rogue JS. I know it might not be possible in most cases, but for things that you know must be controlled, it is better to have them under your control. If for whatever reason their JS code needs to change, it is the engineering team (development & infrastructure) who should be notified first.
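One way to implement the locally hosted copy and the change notification described above, as an added example that is not the commenter's code: the pinned copy is what your own `/vendor/pay.js` proxy endpoint would serve, and the script bodies below are constructed placeholders.

```python
"""Mirror a third-party payment script on your own backend and quarantine
any upstream change until engineering has reviewed it (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the vendor script copy engineering reviewed and approved.
APPROVED_SCRIPT = b"window.Pay = { version: '2.0', charge: function (card) { /* vendor code */ } };"
# Constructed sample: a later upstream fetch that differs (here just a version bump).
FETCHED_SCRIPT = b"window.Pay = { version: '2.1', charge: function (card) { /* vendor code */ } };"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class VendorScriptMirror:
    """Serves the approved copy from our origin; upstream changes wait for review."""
    approved: bytes
    pinned_digest: str = field(init=False)
    pending: Optional[bytes] = None              # quarantined new version, not yet served
    notifications: List[str] = field(default_factory=list)  # what engineering gets paged with

    def __post_init__(self) -> None:
        self.pinned_digest = sha256_hex(self.approved)

    def serve(self) -> bytes:
        # The proxy endpoint returns the pinned bytes, never a live fetch from the vendor CDN.
        return self.approved

    def refresh(self, fetched: bytes) -> bool:
        """Compare a fresh upstream copy with the pinned one.
        Returns True if identical; otherwise quarantines it and records a notification."""
        digest = sha256_hex(fetched)
        if digest == self.pinned_digest:
            return True
        self.pending = fetched
        self.notifications.append(
            f"vendor script changed: pinned {self.pinned_digest[:12]} -> fetched {digest[:12]}; "
            "engineering review required before deploy")
        return False

    def approve_pending(self) -> str:
        """Called by engineering after review: promote the quarantined copy and re-pin."""
        if self.pending is None:
            raise ValueError("no pending vendor script to approve")
        self.approved, self.pending = self.pending, None
        self.pinned_digest = sha256_hex(self.approved)
        return self.pinned_digest
```

Run `refresh()` from a scheduled job against the vendor URL; until `approve_pending()` is called, visitors keep receiving the reviewed copy.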