If you are building or maintaining a checkout page, you might come across PCI DSS v4, which includes the following requirement under 6.4.3:
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
– A method is implemented to confirm that each script is authorized.
– A method is implemented to assure the integrity of each script.
– An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
One way to comply with this requirement is to use a technique like Subresource Integrity (SRI). However, the Google Pay JavaScript (pay.js) build and release process does not allow for a long-lived, stable hash required by techniques like SRI.
Using a sandboxed iframe
Using a sandboxed iframe satisfies any concerns with compliance since scripts within the iframe will not have access to the parent DOM. See the following illustration for an example:
In this case the domain “cdn.somewhereelse.com” would load Google Pay’s pay.js JavaScript file. After a successful transaction, the inner iframe can communicate with the parent page through mechanisms like window.postMessage() if needed.
For Google Pay to work in all browsers, we need the following four sandbox attribute values in addition to allow=”payment”:
– To allow the iframe to execute scripts (pay.js, for example).
– Allows the embedded page to create “child browsing contexts”. In practice, this flag enables the embedded iframe to open new tabs and windows when the user clicks a link.
– If not set, fails on various occasions for browsers. If set, the iframe has access to the parent’s storage and cookies.
– Allows forms such as the Google Pay login to submit the data.
See this test page to see the various iframe sandbox values in action.
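The parent-page side of the setup described above, as an added example (not Google's or Shopify's code): it builds the iframe attributes and accepts a postMessage result only from the sandboxed frame. The four sandbox keywords are the standard HTML tokens matching the four behaviours listed above; the frame path and the message shape are assumptions.

```javascript
// Added example. Origin taken from the page's illustration; the message
// shape ({type, paymentData}) is a hypothetical contract between the pages.
const FRAME_ORIGIN = "https://cdn.somewhereelse.com";

// Standard HTML sandbox keywords matched to the four behaviours listed above.
const SANDBOX_TOKENS = [
  "allow-scripts",      // run pay.js inside the frame
  "allow-popups",       // open new tabs and windows on click
  "allow-same-origin",  // keep the frame's real origin instead of an opaque one
  "allow-forms",        // let the Google Pay login form submit
];

// Attributes for the iframe element; the path is a hypothetical page that loads pay.js.
function frameAttributes(path = "/gpay-button.html") {
  return {
    src: FRAME_ORIGIN + path,
    sandbox: SANDBOX_TOKENS.join(" "),
    allow: "payment",
  };
}

// Returns a "message" listener that accepts results only from the sandboxed
// frame: right origin, right window, expected shape. Everything else is dropped.
function makeResultListener(frameWindow, onResult) {
  return function onMessage(event) {
    if (event.origin !== FRAME_ORIGIN) return false;
    if (event.source !== frameWindow) return false;
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "gpay-result") return false;
    if (typeof msg.paymentData !== "object" || msg.paymentData === null) return false;
    onResult(msg.paymentData);
    return true;
  };
}

// Browser wiring: create the frame and listen for its result.
function mountGooglePayFrame(container, onResult) {
  const frame = document.createElement("iframe");
  for (const [name, value] of Object.entries(frameAttributes())) {
    frame.setAttribute(name, value);
  }
  container.appendChild(frame);
  window.addEventListener("message", makeResultListener(frame.contentWindow, onResult));
  return frame;
}
```

The isolation depends on the frame being served from a different origin than the checkout page: a same-origin frame given both allow-scripts and allow-same-origin can remove its own sandbox attribute.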
Shopify successfully certified for PCI DSS v4
Google Pay partnered with Shopify to implement the above solution. Shopify was able to successfully pass the PCI DSS v4 audit by using a sandboxed iframe to display the Google Pay button. Here is what Shopify has to say:
We’ve constructed Shopify Checkout in such a manner that Google Pay code executes in a safe sandboxed surroundings, permitting us to keep up the integrity of our checkout and adjust to PCI DSS V4 necessities.
– Ilya Grigorik, Distinguished Engineer at Shopify
For more information on how Shopify built their checkout solution using sandboxed iframes, their “Powering Shopify’s High-Performance, PCI DSS v4 Compliant Checkout with Sandboxing” blog post has the insights.
Conclusion
Wrapping your Google Pay integration in a sandboxed iframe can help you to comply with PCI DSS v4 requirements. For more assistance with your implementation, sign in to the Google Pay & Wallet Console to create a support ticket. In addition, you can join the developer community in the #payments channel on Discord.
Follow @GooglePayDevs on X for future updates. If you have questions, tag @GooglePayDevs and include #AskGooglePayDevs in your tweets.