Preparing Your Store for PCI DSS 4.0
With the PCI DSS 4.0 compliance deadline of March 31, 2025 on the horizon, we’re working hard to ensure our servers are compliant with the new standards, and to provide you with tools to help you make sure your ecommerce store remains PCI compliant.
With that said, we’re excited to announce that coming soon, you will be able to add a nonce in the Content Security Policy (CSP) header to make certain that any inline scripts you are using to customize payment pages are safe and secure for your customers. Payment pages consist of any pages where credit card information can be entered by a shopper, such as the checkout, web pages, and the My Account section of storefront accounts.
The toggle for CSP header nonce protection for payment page scripts will enable you to generate and enforce a nonce in the CSP for custom inline scripts on your payment pages. Once it is released in December, you will find this setting in the control panel, under Security & Privacy.
As this security feature is rolling out during the holiday season for many stores, we recommend taking the time now to update any applicable payment scripts in advance. This ensures that the scripts are already labeled as authorized and secure internally before enabling the “nonce protection for checkout scripts” setting in your store.
You will need to identify which scripts in the Script Manager are used on payment pages and whether they are Script or URL type scripts.
For all Script type scripts you’ve added via Script Manager or the Script API, a matching nonce is added automatically, so no additional work is needed for those scripts to keep running once the CSP header carries a nonce.
If you are currently using any URL type scripts, you will need to add a Subresource Integrity (SRI) hash.
For any custom scripts you have added directly to the theme files, you will need to work with a developer to manually add the nonce handlebar, {{nonce}}. This handlebar always resolves to the same value as the nonce generated in the CSP header, and can be added to script tags by hand. For example: <script nonce="{{nonce}}">console.log("this is a sample nonce");</script>.
Our mission is to help you create an engaging shopping experience for your customers, with the knowledge that their payments are safe and secure every time a purchase is made. Providing you with the tools and knowledge to prepare for the nonce CSP header ahead of its rollout will give you peace of mind in allowing you to update your payment scripts on your own schedule before the height of the busy season for many businesses and people. This is also another step in ensuring your store stays PCI compliant after the 4.0 compliance deadline in March 2025.
For more information on how to add SRI hashes to your scripts, see Using Script Manager in the Help Center.