Configuring Open Checkout to comply with PCI DSS 4.0 Section 6.4.3
If you’re using a custom checkout based on a fork of the checkout-js (opens in a new tab) repository, you will need to make changes in order to meet PCI DSS 4.0 compliance requirements. This guide outlines the steps and actions you need to perform.
Step 1 - Upgrade checkout-js
The version of your custom checkout needs to be based on checkout-js version “1.548.2” or greater to support the steps outlined in this guide.
As a result, you need to update (rebase) to at least version 1.548.2. Otherwise, you’ll need to implement your own SRI hash implementation.
Step 2 - Add a Subresource Integrity (SRI) hash
Generate a SRI hash value
The hash value begins with at least one string, with each string including a prefix indicating a particular hash algorithm, followed by a dash, and ending with the actual base64-encoded hash. Currently, the allowed prefixes are sha256, sha384, and sha512.
Example SRI with base64-encoded sha256 hash:
sha256-UBTNJgpQN2JFDVDfkWo2E8YjORLhYFMs3J8OJEfXbegYou must generate a SRI hash for your custom checkout entry file.
Use the following command to generate a base64-encoded sha256 SRI hash:
openssl dgst -sha256 -binary autoloader.js | openssl base64 -AAdd the SRI hash to the entry file of the custom checkout
In the control panel, navigate to Settings > Checkout, and select Custom Checkout. Enter your generated SRI hash value in the provided field for custom checkout.
By adding the SRI this way, BigCommerce will automatically set integrity on the custom checkout script tag.
<script src=”http://127.0.0.1:8080/autoloader.js” integrity=”sha256-UBTNJgpQN2JFDVDfkWo2E8YjORLhYFMs3J8OJEfXbeg” crossorigin=”anonymous”>
</script>If you are using a multi-storefront setup and have a channel-specific custom checkout, navigate to Channels > Storefronts > Edit settings > Checkout instead.
Add the SRI hash to the entry file of the custom order confirmation page
If you use a custom order confirmation with a different script URL than the custom checkout, you’ll need to generate a SRI hash specifically for the order confirmation. In the control panel, navigate to Settings > Checkout, and select Custom Checkout. Enter your generated SRI hash value in the provided field for the custom order confirmation.
Step 3 - Add the nonce handlebar for custom scripts
For any custom scripts you have injected into the Stencil theme files, you will need to manually add the nonce handlebar called {{nonce}} to your script tags. This handlebar will always resolve to the value that matches the nonce generated from the CSP header.
Example of the nonce handlebar added to a custom script:
<script nonce=”{{nonce}}”>console.log(“this is a sample nonce”); </script>Cornerstone PR Example (opens in a new tab)
Step 4 - Enable the Nonce-Based Script Authorization
Go to Settings > Security & Privacy and enable Nonce-based Script Authorization.
While nonce-based authorization is not explicitly required by PCI DSS 4.0, it satisfies the requirement to provide a method by which each script can be verified by providing a unique one-time-use random code. Scripts without this code are blocked, while scripts with the correct code are allowed.
Step 5 - Enable dynamic Javascript execution (Optional)
When you enable Nonce-Based Script Authorization, another option will appear below it to allow dynamic script execution. If possible, we recommend that you update your custom checkout to avoid dynamic code execution or use safer alternatives like event handlers and pre-defined functions and disable this option. If this is not possible, you can enable this option which will then allow dynamically generated Javascript to work by adding unsafe-eval as an allowed script source in your CSP.
Troubleshooting Tips
If your checkout page does not load, it is likely due to a failed integrity check. Re-generate the SRI hash using the latest version of your custom checkout’s entry file and ensure it is correctly entered in the control panel. You’ll need to update the hash each time the script is updated.
What will happen if I don’t add a SRI hash?
The custom checkout will continue to work. However, PCI DSS 4.0 requires that all scripts have a method implemented to ensure the integrity of the script. The SRI is our recommended method to meet this compliance requirement.
If checkout-js version is not updated to 1.548.2, can I continue without adding SRI?
You can continue using an older version of checkout-js. Older versions of checkout-js won’t recognize the SRI hash entered in the control panel.
What if I change the contents of my script?
You will also need to update your SRI hash. The integrity hash is based on the contents of the script so if the updated contents do not match, the script will not execute.
Useful References
- Preparing Your Store for PCI DSS 4.0 (opens in a new tab)
- Security and Privacy Settings (opens in a new tab)
- Subresource Integrity (opens in a new tab)
- nonce (opens in a new tab)
- Unsafe-eval Expressions (opens in a new tab)
- OpenSSL Command Line Utilities (opens in a new tab)