In case you are growing or sustaining a checkout web page you would possibly come throughout PCI DSS v4 which incorporates the next requirement underneath 6.4.3:
All cost web page scripts which can be loaded and executed within the client’s browser are managed as follows:
– A technique is applied to verify that every script is allowed.
– A technique is applied to guarantee the integrity of every script.
– A listing of all scripts is maintained with written enterprise or technical justification as to why every is important.
One strategy to adjust to this requirement is to make use of a way like Subresource Integrity (SRI). Nevertheless, the Google Pay JavaScript (pay.js) construct and launch course of doesn’t permit for a long-lived, secure hash required by strategies like SRI.
Utilizing a sandboxed iframe
Utilizing a sandboxed iframe satisfies any issues with compliance since scripts inside the iFrame won’t have entry to the father or mother DOM. See the next illustration for an instance:
On this case the area “cdn.somewhereelse.com” would load Google Pay’s pay.js JavaScript file. After a profitable transaction, the interior iframe can talk with the father or mother web page by mechanisms like window.postMessage() if wanted.
To ensure that Google Pay to work in all browsers we want the next 4 sandbox attribute values along with permit=”cost”:
To permit the iframe to execute scripts (pay.js for instance)
Permits the embedded web page to create ‘baby looking contexts’. In follow, this flag allows the embedded iframe to open new tabs and home windows when the consumer clicks a hyperlink.
If not set, fails on numerous events for browsers. If set, the iframe has entry to the mother and father storage and cookies.
Permits varieties such because the Google Pay login to submit the info.
See this check web page to see the assorted iframe sandbox values in motion.
Shopify efficiently licensed for PCI DSS v4
Google Pay partnered with Shopify to implement the above resolution. Shopify was in a position to efficiently cross the PCI DSS v4 audit through the use of a sandboxed iframe to show the Google Pay button. Here’s what Shopify has to say:
We’ve constructed Shopify Checkout in such a approach that Google Pay code executes in a safe sandboxed surroundings, permitting us to take care of the integrity of our checkout and adjust to PCI DSS V4 necessities.
–
Ilya Grigorik, Distinguished Engineer at Shopify
For extra info on how Shopify constructed their checkout resolution utilizing sandboxed iframes, their “Powering Shopify’s Excessive-Efficiency, PCI DSS v4 Compliant Checkout with Sandboxing” weblog put up has the insights.
Conclusion
Wrapping your Google Pay integration in a sandboxed iframe may also help you to adjust to PCI DSS v4 necessities. For extra help along with your implementation, register to the Google Pay & Pockets Console to create a help ticket. As well as, you may be part of the developer group within the #funds channel on Discord.
Observe @GooglePayDevs on X for future updates. You probably have questions, tag @GooglePayDevs and embrace #AskGooglePayDevs in your tweets.
