Preparing Your Store for PCI DSS 4.0


With the PCI DSS 4.0 compliance deadline of March 31, 2025 on the horizon, we’re working to make our servers compliant with the new standard and to give you tools that help keep your ecommerce store PCI compliant.

With that said, we’re excited to announce that you will soon be able to add a nonce to the Content Security Policy (CSP) header on your payment pages. A nonce is a random value generated fresh for every response and placed both in the CSP header and on each inline script tag you have authorized; the browser then executes only inline scripts that carry the matching value, so an inline script injected into the page by anyone else does not run. This is how the customization scripts on your payment pages are kept authorized and tamper-resistant, as PCI DSS 4.0 requires for scripts that run on payment pages (requirement 6.4.3). Payment pages consist of any pages where a shopper can enter credit card information, such as the checkout, web pages, and the My Account section of storefront accounts.

Prepare now, and relax later

The toggle for CSP header nonce protection for payment page scripts will enable you to generate and enforce a nonce in the CSP for custom inline scripts on your payment pages. Once it is released in December, you will find this setting in the control panel, under Security & Privacy.

Nonce CSP toggle

As this security feature is rolling out during the holiday season for many stores, we recommend updating any applicable payment page scripts now, before you enable it. Once the setting is on, the browser will refuse to run any inline script on a payment page that does not carry the matching nonce, so a script that was not updated will silently stop working at checkout (you will see the refusal as a CSP violation in the browser console). Preparing in advance ensures that your scripts are already marked as authorized before you enable the “nonce protection for checkout scripts” setting in your store.

You will first need to identify which scripts in the Script Manager are loaded on payment pages, and whether each is a Script type or a URL type script, because the two are handled differently.

Script Manager Script Types

For all Script type scripts you’ve added via Script Manager or Script API, a matching nonce is automatically added so there is no additional work needed to ensure that the script works when there is a nonce in the CSP header.

If you are currently using any URL type scripts, you will need to add a Subresource Integrity (SRI) hash. An SRI hash is a base64-encoded SHA-256, SHA-384 or SHA-512 digest of the exact file the URL serves, placed in the script tag’s integrity attribute; the browser compares the file it fetches against the hash and refuses to execute the script if they differ. That protects shoppers if the hosted file is tampered with, but it also means the hash must be recomputed whenever the provider legitimately changes the file: a provider that updates a script in place will cause it to be blocked until you update the hash.

URL script integrity hash field

For any custom scripts you have added directly to the theme files, you will need to work with a developer to manually add the nonce handlebar, {{nonce}}, to each inline script tag. This handlebar always resolves to the value of the nonce generated for the current response’s CSP header, so the tag is authorized for that response only. For example: <script nonce="{{nonce}}">console.log("this is a sample nonce");</script>. A theme script tag without this attribute will be blocked once the setting is enabled.

The final word

Our mission is to help you create an engaging shopping experience for your customers, with the knowledge that their payments are safe and secure every time a purchase is made. Giving you the tools and knowledge to prepare for the nonce CSP header ahead of its rollout lets you update your payment scripts on your own schedule, before the busiest season for many businesses and their customers. It is also another step in ensuring your store stays PCI compliant after the 4.0 compliance deadline in March 2025.

For more information on how to add SRI hashes to your scripts, see Using Script Manager in the Help Center.