As we continue to expand and improve our offering, one particular area of focus over recent months has been on PCI DSS Compliance. Whilst 'compliance' might not be the first thing that many get excited about, the recent requirements introduced by the PCI SSC required some pretty solid controls to be introduced around JavaScript running on payment pages. As part of our efforts to make it as easy as possible to implement these controls, we're announcing the launch of Policy Watch.

PCI DSS Compliance

For those that may not be familiar, I will provide some quick background information on PCI DSS here, but if you are already familiar, you can skip to the next paragraph.

I first talked about the new requirements back in 2022 with PCI DSS 4.0; It's time to get serious on Magecart, and whilst I wasn't overly happy about it, the council relaxed the requirements in 2024 and I covered that in PCI DSS 4.0.1; What's Changed?. The TL;DR is that we can no longer have the Wild West of JavaScript running on our payment pages, and site operators had to introduce a mechanism to have some oversight and auditing capabilities of what code is running on our pages, a reasonable proposition!

Report URI joined the PCI SSC as an APO, and we dedicated resources to ensuring that our long-standing products that provide web application security would align well with the new requirements and help website operators meet those requirements with ease. As one of the final steps in that journey, and as promised, we're now announcing the General Availability of Policy Watch!

Policy Watch

Existing users of our service will already be very familiar with our 'Watch' product family, including Script Watch, Data Watch, and Frame Watch. These products monitor your CSP telemetry stream and look for new activity on your site in their respective areas of interest: JavaScript dependencies, data egress destinations, and iFrames. If new behaviour is detected in these areas, you will receive a notification so that you can investigate if necessary.

Policy Watch is an evolution of this product line, but rather than analysing your telemetry stream for new dependencies or behaviour on your page, it analyses the Content Security Policy that you delivered with the page. Of course, a Content Security Policy can only be effective if it is present, and detecting any change to your policy could indicate tampering that is indicative of a bigger problem.

It's all in the telemetry

When something on your website violates your CSP, a 'CSP Violation Report' is sent to us by the browser, and that's the basis for how our service works. One of the great things about these telemetry items is that they always contain a copy of the original CSP that you delivered along with the page. Here's the raw JSON payload that we receive from a browser for a violation on my CSP demo page here on my blog:

{
    "csp-report": {
        "document-uri": "https://scotthelme.co.uk/csp-demo/",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; *snip for brevity*; report-to default",
        "blocked-uri": "https://evil.com/keylogger.js",
        "status-code": 200
    }
}

I've snipped my original policy just to save space in the demonstration, but the key point is that original-policy contains a copy of the CSP header that you sent along with the page, so you know what the browser was working with. This is what gives us our reference to monitor the policy that you're delivering, and allows us to notify you when the policy that you're delivering has changed.

Tracking changes

Along with being able to track changes to your policy, whether additions, deletions, or modifications, we can also map the original policy back to a CSP that you're managing on our platform in the My Policies section. Here's the CSP I'm delivering across my site being monitored for the duration of time that I've had Policy Watch enabled, which is almost a month now.

If we were to observe inbound telemetry that had a different policy to this one, then it would be identified and I'd be notified via email of the change. If that change was something I was expecting to see, then all is well, and if not, it might be time for me to investigate!
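To illustrate the mechanism described above, here is an added example of my own (not Report URI's code): it pulls original-policy out of a constructed csp-report payload, parses the header into directives, and diffs it against a stored baseline to classify additions, deletions and modifications. The sample report, the baseline policy and the hostnames in them are constructed placeholders, not the real policy from this site.

```python
import json

# Constructed sample: a CSP violation report of the kind the browser posts to the
# reporting endpoint. The policy and hosts are placeholders, not the blog's real CSP.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.com/checkout/",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; script-src 'self' https://js.example-psp.com; report-to default",
        "blocked-uri": "https://unknown.example/keylogger.js",
        "status-code": 200,
    }
})

def parse_policy(policy):
    """Turn a CSP header string into {directive: frozenset(source values)}.
    Directive names are case-insensitive and source order is irrelevant, so
    sets avoid a false alarm when a server merely reorders values."""
    parsed = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        parsed.setdefault(name, set()).update(tokens[1:])
    return {k: frozenset(v) for k, v in parsed.items()}

def policy_from_report(raw_json):
    """Extract and parse the 'original-policy' field from a raw csp-report payload."""
    body = json.loads(raw_json)["csp-report"]
    return parse_policy(body["original-policy"])

def diff_policies(baseline, observed):
    """Classify changes as added directives, deleted directives, and modified
    directives (same name, different source list), which is what you would
    alert on when the delivered policy no longer matches the one you expect."""
    added = sorted(set(observed) - set(baseline))
    deleted = sorted(set(baseline) - set(observed))
    modified = {}
    for name in set(baseline) & set(observed):
        if baseline[name] != observed[name]:
            modified[name] = {
                "added": sorted(observed[name] - baseline[name]),
                "removed": sorted(baseline[name] - observed[name]),
            }
    return {"added": added, "deleted": deleted, "modified": modified}

# Constructed baseline: the policy the site is expected to be delivering.
BASELINE = parse_policy("default-src 'self'; script-src 'self'; report-to default")

if __name__ == "__main__":
    print(json.dumps(diff_policies(BASELINE, policy_from_report(SAMPLE_REPORT)), indent=2))
```

Here the observed policy gained an extra script-src host, which is exactly the kind of modification that should trigger a notification and an investigation if it was not expected.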

Try it out now!

Policy Watch is now live and available to anyone whose plan includes it. The great news is that it requires absolutely no additional configuration or any changes to your site. If you already have CSP set up, you can simply go and enable Policy Watch right now!

You simply provide the domain name for the site you want to monitor, and Policy Watch will immediately begin analysing your telemetry to establish what policy is present, and then monitor for changes to it going forwards.

Annotating your CSP

Another requirement introduced in the PCI DSS v4.0 changes was that site operators now need to have a 'written business or technical justification' for each script that they have on payment pages. This is a really sensible requirement and the goal is pretty clearly to ensure site operators keep track of what scripts they have and why, so that, ultimately, we can ensure that only scripts we really need are present, and redundant scripts can be removed.

To make this much easier to manage for our customers, and to simplify the process of providing this evidence to an auditor, you can now store this written justification with us if you manage your CSP through our My Policies section. If you were to have a CSP managed with us, it would look a little something like this, and there is an option to 'Describe' what each item in your CSP is.

When clicking the Describe button, you can then enter a description for each individual item in your CSP explaining what it is and why it is necessary, satisfying the PCI DSS requirement.

Further to this, there is also an option to export a PCI DSS Inventory report that you could then provide to an auditor to demonstrate that you have created and stored the necessary written justifications for each item in your policy.

Making compliance easier

With these features now generally available to all customers on a suitable plan, it has never been easier to ensure compliance with all of the 6.4.3 and 11.6.1 requirements. If you need any support with the above features then you can reach out to your account contact and we'd be happy to help. If you're not an existing customer and you'd like to be, please reach out to us using the contact information on our site.