Updates for PCI DSS 4.0 6.4.3
We previously announced several tools to help you prepare your store to meet PCI DSS 4.0 6.4.3 requirements. As we approach the March 31, 2025 deadline, we’re excited to provide you with an update on several features and settings.
Starting March 4, 2025, a nonce-based authorization toggle will be added to the control panel Security & Privacy settings. Earlier this month, we also added subresource integrity (SRI) hash fields to custom checkout and order confirmation scripts.
In the control panel Security & Privacy settings, toggling the Enable Nonce-Based Script Security setting generates a random nonce value for every page request. The nonce is added to the Content Security Policy (CSP) header of pages that involve the collection of credit card information, such as checkout and account pages.
The generated nonce value is also added to script tags using the nonce attribute and the nonce handlebar expression. When a browser loads the page, any script whose nonce attribute does not match the value in the CSP header is blocked from running.
If you are using a custom CSP with an existing script directive, the more restrictive policy (the nonce, in this case) will take precedence. For example, if you have a custom CSP with a script-src ‘self’ directive, this would have previously allowed any scripts from the same host origin. However, the browser will now prioritize the matching nonce and ignore the directive.
Scripts added via Script Manager, web analytics scripts, payment integration scripts, and checkout scripts automatically include the nonce attribute with a matching value in their script tags.
Enabling nonce-based authorization restricts the execution of scripts to only those with an approved nonce. However, even with an approved nonce, if your store relies on dynamically generated JavaScript, such as code that calls eval(), these scripts will not execute under this stricter policy. If possible, we recommend updating your scripts to avoid dynamic code execution or to use safer alternatives like event handlers and pre-defined functions.
For instances where this is not possible, we have added the Allow dynamic script execution setting. This allows dynamically generated JavaScript to work by adding ‘unsafe-eval’ as an allowed script source in your CSP.
To implement these new script security settings, the full catalog of BigCommerce-developed themes has been updated to support the addition of nonce attributes.
Nonce is supported in version 6.16.1 and higher of our free Cornerstone theme. Our other themes support nonce-based authorization, but require the Allow dynamic script execution setting to also be enabled. These include Capacity version 6.0.1, Fortune 4.0.1, Merchant 6.0.1, and Peak 5.0.1.
For any other themes, including custom versions of these themes, you will need to manually add the {{nonce}} handlebar expression to your script tags or work with your theme developer to ensure that nonce is supported.
Our Optimized One-Page Checkout settings allow merchants to enter scripts that enable custom checkout and order confirmation pages.
We’ve recently included fields where you can add a subresource integrity (SRI) hash to verify the integrity of the scripts that run on these pages. To generate an SRI hash for inclusion in these fields, work with your script host or provider.
While using an SRI hash on the order confirmation page falls outside of PCI scope, as no payment information is collected, we added the field as an option for merchants who want improved security on that page.
Custom checkout is also compatible with nonce-based authorization, as we add the nonce to the custom checkout loader script, allowing browsers to confirm that the script is authorized.
We’re pleased to help you give your customers an engaging shopping experience, while keeping their payment details safe and secure. Our goal is to give you peace of mind by providing you with the tools and knowledge to safeguard your payment pages ahead of the PCI DSS 4.0 March 31, 2025 deadline.