One advantage of using a third-party payment provider, such as Stripe, is that they fulfil the standards required by the Payment Card Industry to take payments online. However, a new version of these standards makes some significant requirements of web pages that host card payment forms. You will need to abide by these to continue to take card payments. Neither Cameo nor Stripe can do this for you! It is a requirement of your website.

Background

PCI DSS version 4.0 introduces new requirements for card payment pages. Currently, these are recommendations, but they will become mandatory in March 2025. Stripe handles many of the requirements for us. However, some apply directly to pages in your own website that embed payment forms (like Stripe within Cameo).

The new requirements mostly restrict and govern the JavaScript that a page can include. This arises from a number of high-profile cases (such as British Airways) in which thieves injected malicious code into payment pages. That code stole the card details as customers entered them. The industry calls this kind of attack Magecart.

Requirements

The details are rather technical. Your payment pages will need to:

  • limit JavaScript only to the minimum necessary to take payments (it isn’t clear to me whether you could even have a hamburger menu on the page, as that JavaScript usually operates);
  • include something called a content security policy, supplied by your server, which itemises where JavaScript can come from and data supplied to a web page can transmit to;
  • verify that a third party has not changed the included JavaScript (using a cryptographic hash, which works rather like a digital signature; usually JavaScript that you supply yourself is not vulnerable to that kind of hijack – though in principle it could be infected when you initially install it. This mostly refers to code sourced directly from a third-party server – a content delivery network).
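To make the content security policy and the hash check concrete, here is an added Python example (not code from Cameo, Stripe or the original post) that builds such a header for a payment page and computes the integrity value a browser compares a script against; the provider origins and the script contents are constructed placeholders, not Stripe's real hosts.

```python
import base64
import hashlib

# Constructed sample: the contents of a first-party script the payment page includes.
# In practice you would read the deployed file from disk or fetch the pinned version.
SAMPLE_SCRIPT = b"document.getElementById('pay').addEventListener('submit', handlePay);\n"

# Assumed origins for the third-party payment provider (placeholders; take the real
# list of hosts from your provider's own content-security-policy documentation).
PAYMENT_SCRIPT_ORIGIN = "https://js.example-payments.test"
PAYMENT_API_ORIGIN = "https://api.example-payments.test"


def sri_integrity(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute.

    Subresource Integrity uses a plain cryptographic hash, not a signature: the
    browser hashes the fetched file and refuses to run it if the digest differs.
    """
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_is_unmodified(served_bytes: bytes, expected_integrity: str) -> bool:
    """Mimic the browser-side check: does the served file still match the pinned hash?"""
    algo = expected_integrity.split("-", 1)[0]
    return sri_integrity(served_bytes, algo) == expected_integrity


def payment_page_csp(script_origin: str, api_origin: str) -> str:
    """Build a Content-Security-Policy header value for a page hosting a payment form.

    - script-src: only our own host and the provider's script host may run JavaScript.
    - connect-src: data entered on the page may only be transmitted to us or the provider.
    - frame-src: the provider's hosted card fields may be embedded in an iframe.
    - default-src 'self' closes every other channel (no inline scripts, no unknown hosts).
    """
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", script_origin],
        "connect-src": ["'self'", api_origin],
        "frame-src": ["'self'", script_origin],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())
```

One caveat: a hash pin only works for a file that does not change, so it suits your own versioned scripts rather than a provider script that is updated in place.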

While both Cameo and Stripe can, and do, help to isolate the payment part from the rest of the page, these requirements are something that applies to your website, not Cameo or Stripe. Therefore, they are something you will have to accommodate over the next couple of years to continue to take card payments.

Another way to approach the problem may be to isolate the payment pages in their own little website. Cameo could, perhaps, provide that, rather as we transfer to GoCardless now for them to take details. That moves the responsibility there, away from your own site. The cost is a less integrated and more clumsy solution.

So currently, this is just an alert that you will need to take action on your website before long to continue to take card payments.