
























The new PCI-DSS regulations that will come into effect after March 31st, 2025, require merchants to monitor scripts on their payment pages to prevent digital skimming attacks*. The use of Content Security Policy (CSP) is recommended as a free alternative to costly commercial solutions.
*PCI-DSS requires either script monitoring or an alternative solution as confirmed by your payment processor.
Sansec has been tracking the largest 400K stores globally since 2015. Our latest analysis reveals:
Curiously, the hosted (SaaS) platforms Shopify and Squarespace do not use CSP at all for their stores. BigCommerce supports it, but the majority of BigCommerce CSP setups are misconfigured.
These stats show the adoption of CSP for Magento, which is clearly fueled by Adobe pushing CSP usage for Magento 2.4.
CSP can and should be configured to send violation reports to a collecting service, which can escalate anomalies to a store manager. Without reporting, CSP has little value.
This graph shows the percentage of stores that have CSP reporting enabled per platform. OpenCart leads, possibly because it has a built-in CSP reporting tool.
In our research, running a custom monitoring service is the most popular solution, followed by Sansec Watch (free) and Report-URI. Using an external service is recommended, as they can combine data across sites to eliminate noise for you.
If you are not using CSP for your store yet, you should start now. It's free and it's easy to implement when you use an external service.
If you are already using CSP, make sure to enable reporting. Otherwise, you will not be compliant with the new PCI-DSS 4.0 regulations.
If you're running a Magento store without CSP reporting, you're missing a critical security layer. Get started with Sansec Watch (free!) today to protect your customers and ensure PCI-DSS 4.0 compliance.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。