Slim CD Developers,
If you are using either Hosted Payment Pages or Hosted JavaScript, this notice affects you!
PCI DSS v4.0 Requirement 6.4.3 mandates the use of Subresource Integrity (SRI) to ensure the integrity of scripts on payment pages, along with other changes to Hosted Payment Pages.
This means that each <script src="..."> tag should be modified to also include an integrity="..." attribute (the "integrity tag").
Here is a before-and-after example with slimcd.js:
BEFORE:
<script src=https://stats.slimcd.com/soft/json/slimcd.js></script>
AFTER:
<script src="https://stats.slimcd.com/soft/json/slimcd.js"
        integrity="sha384-1RsaMaZ5+BfB0vYFiJmSPPqY5hvLtsybBCg5bQjJX1X9sFFEvgHgvxn+kbXxzT/g"
        crossorigin="anonymous"></script>
Please note that the crossorigin attribute is also required: slimcd.js is served from a different origin than your page, and without crossorigin="anonymous" the browser fetches it in no-CORS mode, receives an opaque response it cannot hash, and refuses to load the script.
What is an integrity tag? It is a cryptographic HASH (SHA-256, SHA-384 or SHA-512, base64-encoded and prefixed with the algorithm name) of the exact bytes of the file. The browser recomputes the hash of what it actually downloaded and will not execute the script if the two values differ, so a modified copy of the file is blocked rather than run.
Here is more information: https://www.w3schools.com/tags/att_script_integrity.asp
Note that if you are using standard scripts (like jQuery), the CDNs now provide the integrity tags. If you have your own JavaScript, you can generate one using OpenSSL, or you can ask ChatGPT to do it for you. ChatGPT also has information on how to use OpenSSL to generate a tag. Also note that ChatGPT may need you to upload the JavaScript so it can calculate the hash for you!
Slim CD's future versions of slimcd.js will include version numbers in the filenames, so that each version can have a unique integrity tag hash. We'll be adding a page to developer.slimcd.com that has the latest version, with its integrity tag, to simplify your coding efforts.
One final comment: inline JavaScript does NOT support integrity tags. We recommend that you place larger bodies of JavaScript in a file and reference that file via a <script src="..."> tag so that you can supply the integrity tag.
PCI 4 also mandates that each script is approved and has a business reason, and that hosted payment pages are scanned to detect changes to scripts. To address this, we've included a feature in our merchant website that scans your forms and identifies whether integrity tags are needed. And each time you save a form that has scripts, you will be prompted for an approval and a business reason. A notification will be sent to the account owner that a script change was made, and on which form the script was changed.
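As an added example (not Slim CD's code and not part of the original notice), the following Python computes the integrity value for a script the same way the OpenSSL pipeline does, emits the finished <script> tag, and mirrors the browser-side check so you can see a tampered copy being rejected. The script body is a constructed stand-in for a real file such as slimcd.js; the function names are ours.

```python
import base64
import hashlib
import hmac

# Constructed sample script body; stands in for the bytes of a file such as slimcd.js.
SAMPLE_JS = b"window.SlimCD = window.SlimCD || {};\n"

# SRI permits only these digest algorithms.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value, e.g. 'sha384-<base64 digest>'.

    The digest covers the exact bytes the browser will download, so any
    minification, re-encoding or trailing-newline change produces a new value.
    Equivalent OpenSSL pipeline for a file on disk:
        openssl dgst -sha384 -binary slimcd.js | openssl base64 -A
    """
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI allows only {SRI_ALGORITHMS}, got {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_hash_file(path: str, algo: str = "sha384") -> str:
    """Hash a script file on disk, read in binary mode so the bytes are untouched."""
    with open(path, "rb") as fh:
        return sri_hash(fh.read(), algo)


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Emit the <script> element with integrity and crossorigin attributes.

    crossorigin="anonymous" is included unconditionally: it is required when
    src is on a different origin than the page, and harmless otherwise.
    """
    return (
        f'<script src="{src}"\n'
        f'        integrity="{sri_hash(content, algo)}"\n'
        f'        crossorigin="anonymous"></script>'
    )


def browser_would_run(integrity: str, fetched: bytes) -> bool:
    """Mirror the browser-side check: recompute the digest over the bytes
    actually received and compare it with the declared value. A single changed
    byte (a tampered CDN copy, a silently updated file) makes this False."""
    algo = integrity.split("-", 1)[0]
    if algo not in SRI_ALGORITHMS:
        return False  # assumption for this example: unknown algorithm counts as a failed check
    return hmac.compare_digest(sri_hash(fetched, algo).encode(), integrity.encode())


if __name__ == "__main__":
    print(script_tag("https://stats.slimcd.com/soft/json/slimcd.js", SAMPLE_JS))
    declared = sri_hash(SAMPLE_JS)
    print("unmodified file accepted:", browser_would_run(declared, SAMPLE_JS))
    print("modified file accepted:  ", browser_would_run(declared, SAMPLE_JS + b"// injected line\n"))
```

Run sri_hash_file against your real script file to get the value for the integrity attribute; regenerate it every time the file changes, since the old value will block the new file.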
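As an added illustration of the kind of check a form scanner performs (this is example code written for this notice, not Slim CD's merchant-website feature), the Python below walks every <script> element in a page and reports external scripts without an integrity attribute, cross-origin scripts without crossorigin, and inline scripts, which cannot carry an integrity value at all and belong in an external file. The sample form is constructed; it reuses the BEFORE and AFTER tags from this notice plus a same-origin script and an inline script. The page origin is a made-up merchant domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample form: the unprotected BEFORE tag, the protected AFTER tag,
# a same-origin script without integrity, and an inline script.
SAMPLE_FORM = """<html><body>
<script src=https://stats.slimcd.com/soft/json/slimcd.js></script>
<script src="https://stats.slimcd.com/soft/json/slimcd.js"
        integrity="sha384-1RsaMaZ5+BfB0vYFiJmSPPqY5hvLtsybBCg5bQjJX1X9sFFEvgHgvxn+kbXxzT/g"
        crossorigin="anonymous"></script>
<script src="/static/checkout.js"></script>
<script>document.getElementById("pay").focus();</script>
</body></html>"""

SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")


class ScriptAudit(HTMLParser):
    """Collect (line, finding, detail) tuples for every <script> on a page."""

    def __init__(self, page_origin: str):
        super().__init__()
        self.page_host = urlparse(page_origin).netloc.lower()
        self.findings = []
        self._inline_line = 0
        self._inline_buf = None  # a list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        line = self.getpos()[0]
        src = a.get("src")
        if src is None:
            # Inline script: there is no file to hash, so SRI cannot protect it.
            self._inline_line = line
            self._inline_buf = []
            return
        host = urlparse(src).netloc.lower()
        cross_origin = bool(host) and host != self.page_host
        integrity = a.get("integrity") or ""
        if not integrity:
            self.findings.append((line, "missing-integrity", src))
        elif not integrity.startswith(SRI_PREFIXES):
            self.findings.append((line, "unsupported-integrity-algorithm", src))
        if cross_origin and "crossorigin" not in a:
            # Without CORS mode the response is opaque and the hash check cannot pass.
            self.findings.append((line, "missing-crossorigin", src))

    def handle_data(self, data):
        if self._inline_buf is not None:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_buf is not None:
            body = "".join(self._inline_buf).strip()
            if body:
                self.findings.append((self._inline_line, "inline-script-cannot-use-sri", body[:40]))
            self._inline_buf = None


def audit_scripts(html: str, page_origin: str):
    """Return findings sorted by line; an empty list means every script is covered."""
    parser = ScriptAudit(page_origin)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)


if __name__ == "__main__":
    for line, finding, detail in audit_scripts(SAMPLE_FORM, "https://merchant.example"):
        print(f"line {line}: {finding}: {detail}")
```

Pair a scan like this with a record of who approved each script and why, and re-run it whenever a form is saved: a new finding on a previously clean form is exactly the script change that PCI 4 wants detected and reported.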
Please let us know if we can be of further assistance.
SLIM CD Developer Support