Monitor scripts on payment pages for PCI DSS 6.4.3
Maintain an always-current inventory of scripts, origins, and integrity hashes for each payment page, built from real traffic and ready for assessments.
Setup: add report-sha256 (or report-sha384/report-sha512) and register your payment page URLs.

Evidence without spreadsheets.
Turn “prove what scripts run on our payment page” into a repeatable workflow: inventory, history, and review-ready evidence.
Efficiency
Stop chasing teams and vendors. The inventory is maintained automatically from real browser signals.
Risk
Spot unexpected scripts, new origins, and hash changes on sensitive pages before they become findings.
Audit readiness
Per-page views make it easy to show what runs where, with context and timelines.
“We could finally answer: which scripts run on the payment page, and what changed?”
PCI DSS 6.4.3
Aligned with PCI DSS payment page expectations
How it works
Register sensitive URLs, collect integrity reports, and keep a per-page script inventory with hashes and change visibility.
1. Register payment pages
   Add the exact URLs you care about (checkout, payment, account) so monitoring stays focused.
2. Collect real browser evidence
   Browsers send integrity reports as users load those pages. CentralCSP attributes scripts to the right page.
3. Review per-page inventory
   See scripts, origins, URLs, and hashes for each payment page with clear “last seen” signals.
4. Track changes over time
   Use history to identify new scripts/origins and demonstrate a managed change process.
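
One way the collector side of these four steps could work, as an added example that is not CentralCSP's code: it folds hash reports into a per-page inventory and emits new-origin, new-script, and hash-changed events. The report field names, the registered URL, and the hash values are assumptions constructed for illustration.

```javascript
// Added example. Report shape (type "csp-hash", body.documentURL,
// body.subresourceURL, body.hash) is an assumption; adapt to your collector.
const PAYMENT_PAGES = new Set(["https://shop.example/checkout"]); // constructed

// Drop query and fragment so reports group under the registered page URL.
function pageKey(documentURL) {
  const u = new URL(documentURL);
  return u.origin + u.pathname;
}

// Fold one report into the inventory and return the change events it caused.
function ingest(inventory, report, seenAt) {
  if (!report || report.type !== "csp-hash" || !report.body) return [];
  const { documentURL, subresourceURL, hash } = report.body;
  let page, origin;
  try {
    page = pageKey(documentURL);
    origin = new URL(subresourceURL).origin;
  } catch { return []; }                          // malformed URL: discard
  if (!PAYMENT_PAGES.has(page) || typeof hash !== "string") return [];
  const scripts = inventory[page] || (inventory[page] = {});
  const entry = scripts[subresourceURL];
  if (!entry) {
    const known = Object.values(scripts).some((s) => s.origin === origin);
    scripts[subresourceURL] = { origin, hashes: [hash], firstSeen: seenAt, lastSeen: seenAt };
    return [{ page, kind: known ? "new-script" : "new-origin", url: subresourceURL }];
  }
  entry.lastSeen = seenAt;
  if (entry.hashes.includes(hash)) return [];     // already inventoried
  entry.hashes.push(hash);
  return [{ page, kind: "hash-changed", url: subresourceURL }];
}

// Constructed sample reports; hash values are placeholders, not real digests.
const rpt = (type, documentURL, subresourceURL, hash) =>
  ({ type, body: { documentURL, subresourceURL, hash } });
const SAMPLE = [
  rpt("csp-hash", "https://shop.example/checkout?cart=1", "https://shop.example/js/app.js", "sha256-AAAA"),
  rpt("csp-hash", "https://shop.example/checkout", "https://shop.example/js/pay.js", "sha256-BBBB"),
  rpt("csp-hash", "https://shop.example/checkout", "https://cdn.vendor.example/tag.js", "sha256-CCCC"),
  rpt("csp-hash", "https://shop.example/checkout", "https://cdn.vendor.example/tag.js", "sha256-DDDD"),
  rpt("csp-hash", "https://shop.example/blog", "https://shop.example/js/app.js", "sha256-AAAA"),
  rpt("csp-violation", "https://shop.example/checkout", "https://other.example/x.js", "sha256-EEEE"),
];

function runSample() {
  const inventory = {};
  const events = SAMPLE.flatMap((r, i) => ingest(inventory, r, i));
  return { inventory, events };
}
```

The first report for any page necessarily produces a new-origin event, so treat the initial run as the baseline and review events after it.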

Technical call-out
Minimal example to start collecting integrity reports for payment page monitoring.
Replace <your-endpoint> with your CentralCSP reporting endpoint.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'report-sha256';
report-uri https://report.centralcsp.com/<your-endpoint>;

Up and running in minutes.
Connect CSP reporting, enable hash reporting, and start attributing scripts to payment pages.
1. Connect
   Point your CSP reporting to CentralCSP.
2. Enable hashes
   Add one report-sha* directive under script-src.
3. Register pages
   Add payment page URLs so reports are grouped per page.
How PCI DSS monitoring compares to the "Old Way"
Side-by-side: manual evidence gathering vs. observed data and per-page attribution.
| Metric | Manual / Legacy process | CentralCSP PCI DSS Monitoring |
|---|---|---|
| Speed | Slow. Track down owners, vendors, and deployments before every assessment. | Continuous. Evidence updates as pages load in real traffic. |
| Accuracy | Drifts quickly. Easy to miss dynamic loaders and injected scripts. | Observed. Inventory reflects what actually ran on the page. |
| Visibility | Hard to connect scripts to specific payment pages over time. | Per-page views. Scripts, origins, hashes, and last-seen signals. |
| Effort | High recurring overhead and spreadsheet maintenance. | Low ongoing overhead with audit-ready views. |
Ready to monitor payment pages?
Connect CSP reporting, register your payment pages, and build audit-ready evidence for PCI DSS 6.4.3.