PCI DSS v4.0.1 includes requirements for merchants to manage the risks associated with the scripts and iframe elements loaded into their ecommerce payment pages. These requirements are for Web online payments integrations.
This page gives a brief overview of the specific PCI DSS v4.0.1 requirements related to script security, and provides recommendations for how to comply with these requirements.
When creating these recommendations, Adyen considered implementations advised by the PCI Security Standards Council (PCI SSC) in their formal guidance document: Payment Page Security and Preventing E-Skimming - Guidance for PCI DSS Requirements 6.4.3 and 11.6.1.
Requirements
Before you begin, check if the information on this page applies to you.
| Requirement | Description | 
|---|---|
| Integration type | The information on this page is relevant if any of the following apply to you: 
 | 
| Limitations | The information on this page does not apply if you are eligible for Self-Assessment Questionnaire A (SAQ A). | 
PCI DSS requirement 6.4.3
Requirement 6.4.3 mandates that all payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
- A method is implemented to confirm that each script is authorized.
- A method is implemented to assure the integrity of each script.
- An inventory of all scripts is maintained with written justification as to why each is necessary.
Exemption for 3D Secure authentication scripts
In a typical 3D Secure implementation, the 3D Secure server fetches and stores URLs for scripts from an EMV 3DS Access Control Server (ACS), EMV 3DS Directory Server (DS), or services connected to the ACS or DS, on behalf of an issuer or payment network. During checkout, your website shows a web page with an iframe using a URL provided by the EMV 3DS server with an applicable script to support 3D Secure functionality.
The 3D Secure script validation process is exempted from the scope of PCI DSS requirement 6.4.3, because the trust relationship with the 3D Secure service provider is established through due diligence, onboarding, and business agreements of the entities involved.
PCI DSS requirement 11.6.1
Requirement 11.6.1 mandates that a change- and tamper-detection mechanism is deployed as follows:
- It alerts personnel about unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security impacting HTTP headers and the script contents of payment pages, as received by the consumer browser's Document Object Model (DOM) throughout the payment process.
- It evaluates the received HTTP headers and payment pages.
- Any unauthorized changes must be investigated and resolved promptly.
Implement a Content Security Policy for requirement 6.4.3
To comply with PCI DSS requirement 6.4.3, we recommend that you implement a Content Security Policy (CSP) on your payment page to authorize and assure the integrity of scripts.
A CSP allows you to authorize scripts before loading them on your page. You can modify the CSP in your page header to do the following:
- Allow all internally-loaded scripts by default.
- Expressly allow scripts from non-internal domains to be loaded.
Additionally, we provide guidance on the options for reporting and alerting from your implemented CSP.
To ensure the integrity of scripts, we recommend implementing Subresource Integrity (SRI) to confirm that the files you load from Adyen have not been manipulated or tampered with by malicious actors.
To build a CSP, consider the following recommendations:
- Use a report-only CSP HTTP header.
- Allow scripts an iframes from external sources.
- Create an inventory of scripts.
- Check the integrity of scripts.
Use a report-only CSP HTTP header
This type of header causes no issues with how your integration works because it does not block any resources from loading.
By using the Content-Security-Policy-Report-Only header instead of the Content-Security-Policy header, the browser only logs the violation. It does not block any content from being loaded.
Add the following HTTP header to your page.
After you implement it, you can see the violations that show up when visiting your website. The report-only policy shows you the following.
| Field | Description | |
|---|---|---|
| default-src | This CSP directive tells the browser which domains or subdomains scripts may be loaded from. In all of our examples, we use 'self' as a trusted source, telling the browser to only load resources that are hosted on the same domain or subdomain. If sources are not defined in any other directives, they apply this default policy. | |
| font-src | What fonts may be loaded. | |
| img-src | What images may be loaded. | |
| script-src | What scripts may be loaded. | |
| style-src | What styles/css may be loaded. | 
Allow scripts and iframes from external sources
Your CSP header can allow either of the following:
- Anything, like images, scripts, media, and more, to be loaded from an external domain or subdomain.
- Only things that you specify to be loaded from an external domain or subdomain.
We recommend that you implement the following blocking policy.
- 
Change the header to Content-Security-Policy. This is a blocking policy. You can add some defined exemptions.
- 
Allow specific domains and subdomains. When you define specific sources for scripts ( script-src) and iframes (frame-src) they only allow loading resources from the specified domains, and everything else is blocked.For Adyen integrations, we recommend that you apply the following CSP configuration: If you have other third party integrations loading additional scripts, you must explicitly add them to the script-srcdirective.
Scripts and images that are loaded from other domains violate this policy and are included in the report that you configure for the CSP.
We suggest that you use the wildcard (
- Adyen loads only 3D Secure (3DS) authentication iframes. According to the PCI SSC, the 3DS script validation process is exempted from the scope of PCI DSS Requirement 6.4.3, because the trust relationship with the 3DS service provider is established through due diligence, onboarding, and business agreements of the entities involved. Because it is not possible to list all issuer domains loading iframes for 3DS authentication, a more stringent CSP might block 3DS iframes from loading.
- Not using any frame-srcdefinition might be functional but not stable. It would lead the CSP to use the default value, which is usually defined as blocking none. Therefore, some definition needs to be made. With our recommended CSP header setup, we make it possible to use CSP, but still allow loading all 3DS iframes which are exempted from the requirements.
- 
This recommended implementation could allow any iframes to be loaded. However, iframes from Adyen are sandboxed and iframes that come from 3DS issuer banks are also sandboxed. By sandboxing, issues such as cross-site scripting are prevented, not adding any additional risk. Web Browser Sandboxing allows running web applications in isolation to prevent browser-based malware from spreading to the rest of the webpage or network. Most modern browsers already have a sandbox by default to enhance the protection of the user's computer. 
Create an inventory of scripts
Following PCI DSS Requirement 6.4.3, all scripts added to your page must be in an inventory. This means that you must keep a list, including the ones required for Adyen integrations, with the business reason to use them.
Furthermore, you must have a simple periodical authorization sign-off. Ensuring that all scripts have been explicitly authorized reduces the risk of unnecessary scripts being added to the payment page without appropriate approval. However, for some cases, it can be impractical for such authorization to occur before a script is changed or a new script is loaded to the page. In these cases, the authorization should be confirmed as soon as a change is reported.
Adyen loads scripts from the following domain sources. Include them in your inventory for your Adyen integration:
| Source | Description | 
|---|---|
| *.adyen.com | Adyen-authorized domain for scripts loaded for payment-processing-associated services. | 
| pay.google.com | Allows integration with the Google Pay payment method. | 
| *.payments-amazon.com | Allows integration with the Amazon Pay payment method. | 
| *.paypal.com | Allows integration with the PayPal payment method. | 
| *.ratepay.com | Allows integration with the Ratepay payment method. | 
| *.cash.app | Allows integration with the Cash App service. | 
| *.mastercard.com | Allows integration with Click to Pay using Mastercard. | 
| *.visa.com | Allows integration with Click to Pay using Visa. | 
Check the integrity of scripts
We recommend implementing Subresource Integrity (SRI) to ensure that the files you load from Adyen have not been manipulated or tampered with by malicious actors. Use the SRI hash by doing the following.
- To the <script>or<link>elements, add theintegrityattribute.
- 
Add the crossoriginattribute. Browsers also check to ensure that the origin allows Cross-Origin Resource Sharing (CORS). If the browser detects that the file's hash does not match the specified hash, the browser does not load the resource. Find out which browsers support SRI.For each version of Adyen Web Drop-in/Components, we provide the SRI hashes that you include as the integrityattribute for the JavaScript and CSS files. In the release notes, go to the Updating to this version section for the version that you use.The following example shows how include SRI hashes for the adyen.jsandadyen.cssresources for v5.59.1:
Implement detection mechanisms for requirement 11.6.1
We recommend that you use your CSP implementation to comply with PCI DSS requirement 11.6.1. A functional CSP implementation can provide authorization and alerting in case of attempts to introduce unknown scripts or changes to currently authorized scripts. These events are considered valid alerts and "indicators of compromise" for the purpose of requirement 11.6.1.
You must collect all CSP alerts in a practical manner. You can do this by implementing the report-to directive, which sends you a report of alerts. This can help to meet the requirements included in 11.6.1, such as "alerting personnel of unauthorized modification".
- 
Create an endpoint on your server you want the browser to use for reporting CSP violations. If a CSP violation occurs, a report is generated. It contains a serialized CSPViolationReportBody object instance. Using the mechanisms of the Reporting API, the browser sends the report to your endpoint URL. 
- 
Specify the mapping between endpoint names and URLs by adding the Reporting-Endpointsresponse header to your CSP. You can use any name for your endpoints.
- 
Add report-to, specifying the endpoint URL on your server that you want the browser to use for reporting CSP violations.
- 
When a CSP violation occurs, you get a report with CSP violations. 
See also
Have a look at the following PCI DSS resources: