
PCI DSS 4.x

Your website payment pages must comply with PCI DSS v4.x, which is designed to prevent attackers from capturing cardholder data while it is processed in your e-commerce system.

You can meet these requirements in several ways.

  1. Use traditional means, including implementing a Content Security Policy (CSP), using a hash for Sub-resource Integrity (SRI) (now available for the COPYandPAY checkout), and using change detection scans.
  2. Configure monitoring within your content delivery networks (CDNs).
  3. Contract third-party solutions to manage JavaScript security.

Changes to COPYandPAY checkout for PCI DSS 4.x

Add a Content Security Policy (CSP) for the payment page and use change detection scans.

Add the Sub-resource Integrity (SRI) hash every time you create a checkout with the COPYandPAY integration.

  • Add the new parameter integrity=true when you create a checkout.
  • The create checkout response has changed: it now includes the integrity hash.
{
  "result":{
    "code":"000.200.100",
    "description":"successfully created checkout"
  },
  "buildNumber":"d7f3057c29b9a26d5151336767387bb393720d7e@2024-10-14 09:16:49 +0000",
  "timestamp":"2024-10-15 15:16:31+0000",
  "ndc":"FB76D9A1B7D1CAC70A03923F903F74FB.uat01-vm-tx03",
  "id":"FB76D9A1B7D1CAC70A03923F903F74FB.uat01-vm-tx03",
  "integrity":"sha384-/j1gGQsS/nAgGp9u7LjRlD7nwA3h+yXS5aEP/vbzrbpgPWuRDhCuFok3J8lWVC3X"
}
  • Change the checkout script:
    • Replace {integrity} with the value of the integrity field from the create checkout response.
    • For crossorigin, replace anonymous with the URL of the website that loads the COPYandPAY checkout.
<script
  src="https://eu-test.oppwa.com/v1/paymentWidgets.js?checkoutId={checkoutId}"
  integrity="{integrity}"
  crossorigin="anonymous">
</script>
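As an added example (not the gateway's own code), the Python below shows the server-side half of the procedure: take the create checkout response from a call made with integrity=true, render the script tag with {checkoutId} and {integrity} filled in, and re-check a fetched copy of paymentWidgets.js against the pinned hash as a change detection step. The response is constructed from the values shown above, the crossorigin attribute is kept as it appears in the template above, and the script body used in the check is constructed.

```python
import base64
import hashlib
import hmac
import html
import json

# Constructed sample: the create checkout response shown above, as returned
# when the checkout was created with the integrity=true parameter.
CREATE_CHECKOUT_RESPONSE = """{
  "result": {"code": "000.200.100", "description": "successfully created checkout"},
  "id": "FB76D9A1B7D1CAC70A03923F903F74FB.uat01-vm-tx03",
  "integrity": "sha384-/j1gGQsS/nAgGp9u7LjRlD7nwA3h+yXS5aEP/vbzrbpgPWuRDhCuFok3J8lWVC3X"
}"""

WIDGET_BASE = "https://eu-test.oppwa.com/v1/paymentWidgets.js"  # test host from the page


def parse_integrity(value):
    """Split an SRI value 'sha384-<base64>' into (hash name, raw digest bytes)."""
    algo, sep, digest_b64 = value.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("unsupported SRI algorithm: %r" % algo)
    return algo, base64.b64decode(digest_b64, validate=True)


def render_checkout_script(response_json):
    """Build the <script> tag from the response, filling {checkoutId} and {integrity}."""
    data = json.loads(response_json)
    if data["result"]["code"] != "000.200.100":
        raise RuntimeError("checkout not created: " + data["result"]["description"])
    parse_integrity(data["integrity"])  # reject a malformed hash before it reaches the page
    src = "%s?checkoutId=%s" % (WIDGET_BASE, html.escape(data["id"], quote=True))
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, html.escape(data["integrity"], quote=True)))


def integrity_for(script_bytes, algo="sha384"):
    """Compute the SRI value a script body would need (the same digest the browser computes)."""
    digest = hashlib.new(algo, script_bytes).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def script_matches(script_bytes, integrity_value):
    """Change detection: does a fetched script body still match the pinned SRI hash?"""
    algo, expected = parse_integrity(integrity_value)
    actual = hashlib.new(algo, script_bytes).digest()
    return hmac.compare_digest(actual, expected)
```

A scheduled job can fetch paymentWidgets.js for each live checkout and feed it to script_matches; a False result means the served script no longer matches the hash embedded in the page and the browser will refuse to run it.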

For full details, see our documentation: integrate using the iframe checkout


SERVER-TO-SERVER integration

With a server-to-server integration, it is your responsibility to establish and maintain compliance with PCI DSS v4.x.


More information

For more details of PCI DSS 4.x, see the gateway documentation and the PCI 4.0.x documentation.