Script Authorization on Payment Pages: Understanding PCI 4.0 Section 6.4.3 and How We’re Providing The Tools To Keep Your Payment Pages Secure
As of March 2025, PCI DSS 4.0 will require that every script on a payment page has a method for verifying it is authorized before it executes. To comply with this requirement, BigCommerce is implementing the ability to enforce a nonce in the Content Security Policy (CSP) header, ensuring that only authorized scripts are permitted to load and execute on payment pages.
What is a CSP Nonce?
A nonce is a unique, randomly generated value that is specified in the CSP header; only scripts carrying the matching nonce are allowed to execute. Because the nonce is different on every page load, an attacker cannot predict or reuse it.
Without the correct nonce, even if a malicious actor injects a script into the page, it will not execute, as it lacks the valid nonce authorized by the server. This process ensures PCI compliance by granting explicit authorization only to scripts with the correct matching nonce.
Beginning in March 2025, any scripts added to storefront payment pages via Script Manager or the Scripts API will automatically include the appropriate nonce attribute. In addition, all first-party checkout scripts, native payment integration scripts, and scripts included with the latest version of our marketplace themes will be covered.
However, custom scripts and/or older custom themes will need to be updated and tagged with the correct nonce to authorize execution. For existing stores, the CSP nonce will be opt-in, providing you with sufficient time to update your theme and properly tag your custom scripts.
Getting Started With Updating Scripts
It is important to first define what a payment page is within the context of PCI DSS. A payment page is any web page or interface where a customer enters credit card information. For most merchants, this refers to the checkout page.
However, for merchants who offer stored credit cards for their shoppers, the My Account section is also considered a payment page, as customers can enter and store their credit card information within their Payment Method management section for future use. When determining which scripts will need updating, you should consider all storefront pages where shoppers input credit card information.
We’re providing a {{nonce}} handlebar expression that can be used to provide explicit authorization for custom scripts.
For example, suppose you have a custom script on the checkout page:
<script> console.log("This is my checkout page!"); </script>
In order to ensure that this script has explicit authorization to execute when there is a CSP being generated in the header, you’ll want to add the nonce into the script tag like this:
<script nonce="{{nonce}}"> console.log("This is my checkout page!"); </script>
What’s next?
Specifying a nonce in the Content-Security-Policy (CSP) header provides a robust and secure method to ensure that only scripts explicitly approved by the server are allowed to run, thereby meeting PCI’s requirement to authorize all scripts on payment pages.
This approach offers a stronger security posture than using unsafe-inline, supports inline scripts with dynamic Handlebars values, and eliminates the need to whitelist individual domains in the CSP.
We recommend beginning the process of tagging and preparing custom scripts as early as possible, so that when the CSP nonce feature becomes available, you can confidently enable it, knowing that all of your custom scripts are authorized and will continue to execute as expected.
While the nonce provides a method to authorize scripts, it cannot ensure the integrity of resources fetched from third-party servers. To verify the integrity of a script that fetches resources from an external server (e.g., <script src="https://example.com/myscript.js"></script>), you should use Subresource Integrity (SRI) in combination with the nonce. More information on SRI can be found here.
Additional Resources
If you need additional help with implementation or have any questions, please reach out to support.