Section 6.4.3 of PCI DSS 4.0 defines requirements for scripts loaded on payment pages (typically JavaScript, though you could extrapolate that to CSS files or any other loaded asset that can cause dynamic code execution on the client; check with your PCI QSA). Summarizing the following points:
CSP, or Content-Security-Policy, was essentially designed for the purpose of authorizing scripts to run on a page. That makes CSP a great way to help meet parts of PCI Requirement 6.4.3.
At a very minimum you can use the script-src or even the default-src directive to control what scripts can load.
A very basic Content-Security-Policy header might look like this:
Content-Security-Policy: script-src js-cdn.example.com; default-src 'self';
In this very basic example we are allowing images, CSS, fonts, etc. to be loaded only from 'self' (the same origin as the requested document), while scripts may only be loaded from js-cdn.example.com.
Many CSP implementations will simply use the domain name, but we can actually be more specific and allow only a specific JS file to load:
Content-Security-Policy: script-src https://js-cdn.example.com/some-script.js; default-src 'self';
You can space-separate as many script sources as you need. Keep in mind that some servers might limit the size of your HTTP response headers.
A great way to ensure integrity of scripts loaded is the Subresource Integrity or SRI feature.
Here's an example of loading jQuery with an integrity attribute:
<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>
The value of the integrity attribute is what we expect the base64-encoded SHA-256 hash of the file referenced by the src attribute (https://code.jquery.com/jquery-3.6.0.min.js) to be.
Browsers that support SRI will perform this verification before executing the script.
This provides a great protection, because if someone were to compromise code.jquery.com and alter that script, it would fail to execute as long as that integrity attribute is present and the browser supports it.
By default, once you set a script-src (or default-src) directive, CSP blocks the execution of inline JavaScript. CSP can still be used to authorize specific inline scripts on your page by adding their hashes to the script-src directive.
For example, if you have this inline script:
<script>doSomething();</script>
The script body doSomething(); has a base64-encoded SHA-256 hash of RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc= and you can then allow the execution of it like this:
script-src 'sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';
CSP could be used to keep a list of scripts that are allowed to run, but you'll need to document why each one is required separately.
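As an added example (not code from the original post), here is a small Python audit helper that inventories the script elements on a payment page against the script-src directive: it computes the CSP hash for inline scripts, checks external scripts against host and exact-URL sources, and records whether each external script carries an integrity attribute. The sample page and policy are constructed, and the host matching is deliberately simplified (no wildcard, scheme or port rules).

```python
import base64, hashlib, re
from urllib.parse import urlparse
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
INTEGRITY_RE = re.compile(r"""\bintegrity\s*=\s*["']([^"']+)["']""", re.I)

def csp_hash(script_body: str) -> str:
    """CSP/SRI source expression for an inline script: base64(SHA-256(body))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(script_body.encode("utf-8")).digest()).decode("ascii")

def parse_script_src(header_value: str) -> set[str]:
    """Source list of the script-src directive in a CSP header value (no header name)."""
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return set(parts[1:])
    return set()

def source_allowed(url: str, sources: set[str]) -> bool:
    """Simplified host matching: bare host = any path on it; host+path = that exact URL only."""
    host = urlparse(url).hostname
    for src in sources:
        if src.startswith("'"):  # 'self', nonces, hashes never match a URL here
            continue
        parsed = urlparse(src if "//" in src else "//" + src)
        if (src == url) if parsed.path else (parsed.hostname == host):
            return True
    return False

def audit_payment_page(html: str, csp_header: str) -> list[dict]:
    """Inventory every <script> on the page and record whether the policy authorizes it."""
    sources = parse_script_src(csp_header)
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:  # external script: must match script-src; also note whether SRI is present
            url = src.group(1)
            findings.append({"script": url, "allowed": source_allowed(url, sources),
                             "sri": INTEGRITY_RE.search(attrs) is not None})
        else:    # inline script: authorized only if its hash appears in script-src
            h = csp_hash(body)
            findings.append({"script": "inline", "allowed": f"'{h}'" in sources, "hash": h})
    return findings

# Constructed sample page and policy (not from the original post); the second script is unauthorized.
SAMPLE_HTML = """<script src="https://js-cdn.example.com/some-script.js" integrity="sha256-AAAA" crossorigin="anonymous"></script>
<script src="https://unapproved-cdn.example.net/tag.js"></script>
<script>doSomething();</script>"""
SAMPLE_CSP = f"script-src js-cdn.example.com '{csp_hash('doSomething();')}'; default-src 'self'"
```

Running audit_payment_page(SAMPLE_HTML, SAMPLE_CSP) gives one finding per script; anything with allowed set to False, or an external script without sri, is a candidate for the 6.4.3 inventory review.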
This page was not written by a PCI QSA, use at your own risk. Please consult with your PCI QSA for implementation and compliance advice.