
PCIv4 Implementation

westin.wrzesinski@shopify.com

TPAC 2024
Anaheim CA, USA
hybrid meeting
23–27 SEPTEMBER 2024

Introduction

PCI v4 Synopsis

The future-dated requirements of PCI DSS v4 become mandatory on March 31st 2025. This next major version of PCI adds numerous new controls to protect cardholder data from scripts included on the payment page.

Brief introduction to PCI v4

Requirement 6.4.3

Description | Implementation | Browser support
Script authorization | Content Security Policy (CSP) script-src | All major browsers
Script integrity | Subresource Integrity (SRI) on script tags | All major browsers
Script integrity | SRI integrity metadata in import maps | Chrome 127+, Safari 18+

Details for major requirements

Requirement 11.6.1

Description | Implementation | Browser support
Detect and respond to unauthorized changes to the payment page, including HTTP headers and content | CSP violation reports | All major browsers
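How CSP reports feed the detection side of 11.6.1, as an added example that is not part of the slides: a report consumer that normalizes the two formats a browser may send (the legacy report-uri body and the Reporting API body) and flags script loads on the payment page that the policy refused. The header values, endpoint path, page paths and sample reports are constructed for the example.

```javascript
// Added example (not from the slides): CSP violation report triage for 11.6.1.

// Header the payment page sends. Sending both report-uri and report-to covers
// browsers on either reporting mechanism; the endpoint path is an assumption.
const CSP_HEADER =
  "script-src 'self' https://cdn.dev; report-uri /csp-report; report-to csp-endpoint";
const REPORTING_ENDPOINTS_HEADER = 'csp-endpoint="/csp-report"';

const PAYMENT_PAGE_PATHS = ['/checkout/payment'];

// Directives whose violations mean an unauthorized script was attempted.
const SCRIPT_DIRECTIVES = new Set(['script-src', 'script-src-elem', 'script-src-attr']);

// Normalize both wire formats into one shape:
//   legacy report-uri: { "csp-report": { "document-uri", "blocked-uri",
//                        "violated-directive", "effective-directive", "disposition" } }
//   Reporting API:     [ { "type": "csp-violation", "body": { "documentURL",
//                        "blockedURL", "effectiveDirective", "disposition" } } ]
function normalizeReports(payload) {
  if (Array.isArray(payload)) {
    return payload
      .filter((r) => r.type === 'csp-violation' && r.body)
      .map((r) => ({
        documentUrl: r.body.documentURL,
        blockedUrl: r.body.blockedURL,
        directive: r.body.effectiveDirective,
        disposition: r.body.disposition,
      }));
  }
  if (payload && payload['csp-report']) {
    const b = payload['csp-report'];
    return [{
      documentUrl: b['document-uri'],
      blockedUrl: b['blocked-uri'],
      directive: b['effective-directive'] || b['violated-directive'],
      disposition: b.disposition,
    }];
  }
  return [];
}

function isPaymentPage(documentUrl) {
  try {
    const path = new URL(documentUrl).pathname;
    return PAYMENT_PAGE_PATHS.some((p) => path === p || path.startsWith(p + '/'));
  } catch {
    return false;
  }
}

// Alert records for reports that indicate an unauthorized script on the
// payment page. "report" disposition comes from a Report-Only policy, so the
// script actually ran; "enforce" means the browser blocked it.
function triageReports(payload) {
  return normalizeReports(payload)
    .filter((r) => isPaymentPage(r.documentUrl))
    .filter((r) => SCRIPT_DIRECTIVES.has((r.directive || '').split(' ')[0]))
    .map((r) => ({
      severity: r.disposition === 'report' ? 'ran-unblocked' : 'blocked',
      page: r.documentUrl,
      script: r.blockedUrl,
      directive: r.directive,
    }));
}

// Constructed sample reports, one per format.
const SAMPLE_LEGACY = {
  'csp-report': {
    'document-uri': 'https://shop.example/checkout/payment',
    'blocked-uri': 'https://evil.example/skimmer.js',
    'violated-directive': 'script-src-elem',
    'effective-directive': 'script-src-elem',
    disposition: 'enforce',
  },
};
const SAMPLE_REPORTING_API = [
  { type: 'csp-violation', age: 12, url: 'https://shop.example/checkout/payment',
    body: { documentURL: 'https://shop.example/checkout/payment',
            blockedURL: 'https://evil.example/skimmer.js',
            effectiveDirective: 'script-src-elem', disposition: 'report' } },
  { type: 'csp-violation', age: 30, url: 'https://shop.example/',
    body: { documentURL: 'https://shop.example/', blockedURL: 'https://cdn.dev/banner.js',
            effectiveDirective: 'script-src-elem', disposition: 'enforce' } },
];
```

One caveat for the "headers" part of 11.6.1: the browser only reports what the policy governs. If the CSP header itself is stripped or weakened in transit, no report is generated, so header tampering needs a separate check (for example, a synthetic fetch of the payment page that compares the response headers with the expected values).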


Use Case: Import Maps

Import maps provide a mechanism to control how the browser resolves module specifiers when importing JavaScript modules, which has many benefits for anyone using modules in production.

Not all browsers support integrity metadata set on import maps.

Use case scenario: a web app uses modern JavaScript module features and loses the ability to apply SRI.

Example: Import Maps

<script type="importmap">
  {
    "imports": {
      "emailform": "https://cdn.dev/emailform@1.10.7",
      "shippingform": "https://cdn.dev/shippingform@1.10.7"
    }
  }
</script>
<script type="module">
  import emailform from "emailform";
  import shippingform from "shippingform";

  emailform.render("#contact");
  shippingform.render("#shipping");
</script>

Example of import map

Solution: Complete support of SRI in import maps

This feature is not yet supported in all major browsers and was introduced in June of 2024, so a strategy that waits for browser support may not make import maps with SRI feasible by March 2025.

`integrity` in import maps has begun rolling out but is not fully supported across all major browsers. Once supported, it lets a page keep modern ESM features without giving up SRI.

Use Case: Dynamic Subresources

(Sequence diagram: a third-party script adds further scripts to the parent page without SRI.) No browser support exists to require SRI.

Many third-party scripts dynamically fetch additional JavaScript assets, which cannot be guaranteed to carry SRI.

Potential Solution: Revive require-sri-for

require-sri-for is currently not active or supported, but would allow enforcement of SRI presence on script assets throughout the page lifecycle.

require-sri-for is currently not active or supported, but would allow enforcement of SRI presence on JavaScript assets added at runtime.
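What a page can do today in the absence of require-sri-for, as an added example that is not part of the slides: observe script elements added at runtime and report any that lack integrity metadata. The audit rule is a pure function so it can be exercised outside a browser; the MutationObserver wiring is the part that runs on the payment page. The origin allowlist, report endpoint and sample script nodes are constructed for the example. This detects; it does not block.

```javascript
// Added example (not from the slides): runtime audit of dynamically added
// scripts, a detection-only stand-in for require-sri-for.

// Origins allowed to serve scripts on the payment page (assumption).
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://cdn.dev', 'https://shop.example']);

// Returns null for an acceptable script, otherwise a finding describing why
// it would fail a "require SRI" policy.
function auditScript(script) {
  const src = script.src || '';
  if (!src) {
    return { reason: 'inline-script', src: null };
  }
  let origin;
  try {
    origin = new URL(src).origin;
  } catch {
    return { reason: 'unparseable-src', src };
  }
  if (!ALLOWED_SCRIPT_ORIGINS.has(origin)) {
    return { reason: 'origin-not-allowlisted', src };
  }
  if (!script.integrity) {
    return { reason: 'missing-integrity', src };
  }
  if (!/^sha(256|384|512)-[A-Za-z0-9+/=]+$/.test(script.integrity)) {
    return { reason: 'malformed-integrity', src };
  }
  return null;
}

function auditScripts(scripts) {
  return scripts.map(auditScript).filter(Boolean);
}

// Browser wiring: watch the document for <script> elements inserted after
// load (what evergreen SDKs and tag loaders do) and ship findings to the
// endpoint that also receives CSP reports (path is an assumption).
// Returns null outside a browser so the audit logic can be tested in Node.
function watchRuntimeScripts(report = (f) => navigator.sendBeacon('/csp-report', JSON.stringify(f))) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== 'SCRIPT') continue;
        const finding = auditScript({ src: node.src, integrity: node.integrity });
        if (finding) report({ kind: 'runtime-script', ...finding, page: location.href });
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample of what a tag loader might inject.
const SAMPLE_RUNTIME_SCRIPTS = [
  { src: 'https://cdn.dev/wallet-sdk.js', integrity: 'sha384-AAAA' },
  { src: 'https://cdn.dev/pixel.js', integrity: '' },
  { src: 'https://tracker.example/p.js', integrity: '' },
  { src: '', integrity: '' },
];
```

The observer callback runs after the element is in the DOM, so the script may already have been fetched and executed by the time the finding is reported; that is why this is evidence for 11.6.1 rather than an enforcement control, and why CSP script-src remains the thing that actually stops an unlisted origin.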

Use Case: Third Party Evergreen SDKs

Payment pages rely on Wallet or Pixel SDKs from third-party vendors, many of the most popular of which are evergreen versioned. This allows patches to be applied without coordination. It does not, however, play nicely with SRI.

SRI cannot be provided, or requires complex coordination.

Payment pages rely on Wallet and Pixel SDKs which are predominantly third-party and evergreen for security patches.

Potential Solutions: Third Party Evergreen SDKs

  1. Sandbox in iframes
  2. Request that vendors version their assets and coordinate updates with consumers
  3. Both options represent architectural changes, loss of the ability to apply quick patches, and complex coordination


Open Questions

  1. Will vendors rearchitect with static versions for SRI?
  2. How can vendors coordinate release of SRI securely across consumers?
  3. When will all major browsers support SRI in import maps?
  4. Will require-sri-for be adopted before March 2025?

We still lack an overall clear path.

References

Useful links

Thank you

fin