Maintain an always-current inventory of scripts, origins, and integrity hashes per payment page built from real traffic and ready for assessments.
Setup: add report-sha256 (or report-sha384/report-sha512) and register your payment page URLs.
Turn “prove what scripts run on our payment page” into a repeatable workflow inventory, history, and review-ready evidence.
Stop chasing teams and vendors. The inventory is maintained automatically from real browser signals.
Spot unexpected scripts, new origins, and hash changes on sensitive pages before they become findings.
Per-page views make it easy to show what runs where, with context and timelines.
“We could finally answer: which scripts run on the payment page, and what changed?”
PCI DSS 6.4.3
Aligned with PCI DSS payment page expectations
Register sensitive URLs, collect integrity reports, and keep a per-page script inventory with hashes and change visibility.
Add the exact URLs you care about (checkout, payment, account) so monitoring stays focused.
Browsers send integrity reports as users load those pages. CentralCSP attributes scripts to the right page.
See scripts, origins, URLs, and hashes for each payment page with clear “last seen” signals.
Use history to identify new scripts/origins and demonstrate a managed change process.
At Central we regularly map the fingerprints of the most common JavaScript libraries with around 5 million known fingerprints in our database. From each script loaded on your page we identify the underlying technology and any associated CVEs, so you can see at a glance which libraries are in use and which carry known vulnerabilities.
For every CVE discovered on your loaded scripts, CentralCSP shows the severity, a clear explanation of the vulnerability, and a direct link to the advisory so you can assess risk and plan remediation. No more hunting for details each finding is actionable from the dashboard.
Technical call-out
Minimal example to start collecting integrity reports for payment page monitoring.
Replace <your-endpoint> with your CentralCSP reporting endpoint.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'report-sha256';
report-uri https://report.centralcsp.com/<your-endpoint>;Connect CSP reporting, enable hash reporting, and start attributing scripts to payment pages.
Point your CSP reporting to CentralCSP.
Add one report-sha* directive under script-src.
Add payment page URLs so reports are grouped per page.
Side-by-side: manual evidence gathering vs. observed data and per-page attribution.
| Metric | Manual / Legacy process | CentralCSP PCI DSS Monitoring |
|---|---|---|
| Speed | Slow. Track down owners, vendors, and deployments before every assessment. | Continuous. Evidence updates as pages load in real traffic. |
| Accuracy | Drifts quickly. Easy to miss dynamic loaders and injected scripts. | Observed. Inventory reflects what actually ran on the page. |
| Visibility | Hard to connect scripts to specific payment pages over time. | Per-page views. Scripts, origins, hashes, and last-seen signals. |
| Effort | High recurring overhead and spreadsheet maintenance. | Low ongoing overhead with audit-ready views. |
Everything you need to know about PCI DSS payment page monitoring
Explore our comprehensive suite of tools designed to help you manage and optimize your Content Security Policy.
Monitor and analyze Content-Security-Policy violations in real-time
Automatically generate a tight policy for your website, based on your website's content.
Monitor all the scripts loaded on your website, their integrity hashes and known CVEs.
Monitor your payment pages for PCI DSS v4.0 compliance.
Get alerted on your favorite channels when a specific event occurs.
Connect CSP reporting, register your payment pages, and build audit-ready evidence for PCI DSS 6.4.3.