What is CSP and why should I care?

After April 2025, PCI DSS compliance requires a Content Security Policy (CSP) to be implemented on payment-related pages.

Hyvä will help you prepare for this change and be ready in time.

CSP is an acronym for “Content Security Policy”. Without going into details, it’s one of the many things developers do to make a website secure.

What is new is that, starting 31 March 2025, implementing it on payment-related pages will be a requirement in order to be PCI DSS 4.0.1 compliant.

The document defining the standard is 397 pages long, but probably the most relevant section in regard to CSP is:

  • 6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
    • A method is implemented to confirm that each script is authorized.
    • A method is implemented to assure the integrity of each script.
    • An inventory of all scripts is maintained with written business or technical justification as to why each is necessary

The first two requirements are covered by CSP.

And in case you were wondering, the third requirement in the paragraph above, the “inventory of scripts”, will also be prepared by Hyvä. Extension vendors can add their own scripts, so your developers will only need to list their own custom scripts.

In order to allow the vendors in the Hyvä Ecosystem to prepare for this upcoming change, we will release a version of Hyvä that is compatible with CSP.

Agencies, extension vendors and in-house teams will have plenty of time to make the required changes, test them, and be PCI compliant pro-actively before the deadline.

Updating an existing theme to be CSP-compliant will require some changes. However, Hyvä is striving to make them as quick and easy as possible, and all steps will be fully documented.

Until April 2025 the non-CSP-compatible Hyvä theme will continue to be updated in parallel with the CSP-compatible release.

Magento & CSP

For a technical overview, watch our Magento & CSP webinar with Yireo:

This webinar provided a comprehensive overview of the Content Security Policy (CSP) and its importance in securing Magento websites from cross-site scripting (XSS) attacks. CSP helps restrict the resources a web page can load, thereby preventing malicious scripts from being executed.

Magento introduced CSP to enhance security, particularly in version 2.4.7, where stricter policies were enforced on payment pages. The webinar discussed the complexities of implementing CSP, including the challenges with inline scripts, unsafe eval, and handling large HTTP headers.
