eCDN PCI 4.0 Compliance Tools

The eCDN PCI tools leverage Cloudflare Page Shield to help you meet the latest PCI 4.0 requirements. Page Shield provides tools for monitoring and addressing specific client-side security requirements outlined in the PCI DSS v4.0 standards.

While eCDN significantly assists with compliance, you must continue to manage your PCI certification process and ensure you are following all applicable requirements. Configure the PCI Page Shield policies to meet your specific needs.

Page Shield monitors the scripts loaded by your website visitors' browsers and triggers alert notifications for security teams when a resource changes or is flagged as malicious.

Enabling Page Shield:

  • Adds a Content Security Policy (CSP) deployed with a report-only directive to collect information from the browser. This allows eCDN to provide you with a list of all scripts running on your application and the connections they make to third-party endpoints.
  • Captures detected scripts for each of your storefront hostnames, including infrequent and inactive ones.

Since Page Shield monitoring is based on sampling, there may be a small delay between deploying a script and having this data available in the results.

Page Shield implements different mechanisms to determine if a script, or a connection made by a script, is malicious. These mechanisms include:

  • Malicious script detection: Page Shield downloads the script file and runs it through a classifier. The classifier is a machine learning (ML) model that detects patterns of malicious operations, such as Magecart-type attacks. Page Shield also provides individual scores from 1 to 99 for different malicious code detections, where a lower score indicates a higher likelihood of malicious code. The threshold for classifying a script as malicious is currently 10: a script whose classification score is below 10 is reported as malicious. Use the Page Shield getPageShieldScripts endpoint (for example with the prioritizeMalicious query parameter) to retrieve the list of scripts flagged as malicious.
  • Malicious URL checks: Page Shield searches threat intelligence feeds for the URLs of your JavaScript dependencies to determine whether any of those scripts should be categorized as malicious. These checks do not generate alerts because they are not required for PCI compliance.
  • Malicious domain checks: Page Shield searches threat feeds for the domains of your client-side JavaScript dependencies to determine whether any of those scripts are served from a known malicious domain. A domain previously reported as malicious can later be reported as non-malicious if, after further analysis, it is deemed safe. Page Shield also checks the target domains of connections made by scripts on your domain's pages, following the same approach described for scripts. These checks do not generate alerts because they are not required for PCI compliance.

Threat feed updates trigger new checks for previously detected scripts or connections, which means that the Page Shield monitoring always reflects the latest categorization.

You can configure alerts for:

  • New resources alerts. Receive a notification when a new resource is detected in your storefront requests.
  • Code change alerts. Receive a notification when the code of a JavaScript dependency changes in the pages of your storefront requests.
  • Malicious script alerts. Receive a notification when Cloudflare detects JavaScript code classified as malicious in a storefront request.

Malicious URL and malicious domain alerts are not included in the alerting and notification via Webhooks because these alerts are not part of the PCI 4.0 requirements.

Policies use Content Security Policy (CSP) directives to define the resources that are allowed on your applications. Policies can log violations and also enforce an allowlist of resources, effectively blocking resources not included in the policies. According to this model, you define what is allowed and reject everything else. This approach helps you reduce the attack surface for unwanted third-party scripts in your application.

Each Page Shield policy performs one of the following actions:

  • Log: Page Shield logs any resources not covered by the policy, without blocking any resources. Use the Log action to validate a new policy before deploying it. Resources not covered by the policy are reported as policy violations.
  • Allow: Page Shield blocks any resources not explicitly allowed by the policy. Switch to the Allow action after you validate a new policy using the Log action, so that your policy does not block essential application resources and impact your application's end users. Policies with the Allow action log policy violations for any blocked resources.

You receive an alert only when all of the following hold:

  • A policy using the Allow action exists for the zone.
  • A new or changed script or resource is observed that is listed in the policy's allowed sources.
  • A Page Shield notification (webhook) is correctly set up for the alert type.

You do not receive an alert when:

  • No configured policies exist in the zone.
  • A policy is configured with the Log action.
  • A policy is disabled.

To obtain policy violation information, use the Log Center or stream the violation logs to your S3 bucket with a Logpush job. Audit events for policy additions or modifications are available only in the Log Center.

With Page Shield script monitoring, you can:

  • Keep track of JavaScript across all pages, including payment-related pages.
  • Use filters to focus on specific parts of your website, vendors, or dependencies.
  • Identify and fix script-related issues that could impact website security.
  • Keep track of all third-party scripts on your website and ensure they are compliant with your policies.
  • Troubleshoot script-related errors and exceptions.

To set up script monitoring in pages requiring PCI compliance:

Call the CDN Zones API Get Page Shield scripts (getPageShieldScripts) endpoint to retrieve the list of scripts and inventory their dependencies.

  • Specify a limit parameter value of at most 200.
  • Use query parameters such as pageUrl, prioritizeMalicious, status, and urls to focus on the scripts running on the pages of interest.
  • Results are paginated; the pagination parameters are returned in the response headers. Use the offset parameter to retrieve further pages.
  • Use filters to focus on the most important pages of your website, for example payment- and cart-related pages.
  • Set up alerts to notify you of script-related issues. For details, see Set Up Notifications and View Violation Logs.
  • Regularly review monitoring data to identify trends or patterns.
  • Work with your development team to fix identified script-related issues.
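The procedure above, as an added example that is not eCDN's own code: it walks the paginated Get Page Shield scripts results for a set of payment page URLs (limit capped at 200, offset advanced until the total is reached) and merges them into a local inventory that records each script once, the pages it was seen on, and whether its classification score is below the malicious threshold of 10. The pagination header name (x-total-count), the record field names (url, hash, js_integrity_score, first_seen_at, last_seen_at) and the HTTP transport are assumptions, since the page does not show them; the request is injected as a callable so the example runs offline against constructed sample data, and you would swap in a real call to your realm's CDN Zones API.

```python
"""Build a local script inventory from the Get Page Shield scripts endpoint.

Added example, not eCDN's code. Assumed: the x-total-count pagination header,
the record field names and the transport (injected as a callable).
"""
from typing import Callable, Dict, Iterator, List, Tuple

MAX_LIMIT = 200            # documented maximum for the limit parameter
MALICIOUS_THRESHOLD = 10   # scores below this are classified as malicious

# fetch(query_params) -> (response_headers, list_of_script_records)
Fetch = Callable[[Dict[str, str]], Tuple[Dict[str, str], List[dict]]]


def iter_scripts(fetch: Fetch, page_url: str, limit: int = MAX_LIMIT,
                 prioritize_malicious: bool = True) -> Iterator[dict]:
    """Yield every script record for page_url, advancing offset until the
    total reported in the response headers has been reached."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    offset = 0
    while True:
        headers, records = fetch({
            "pageUrl": page_url,
            "limit": str(limit),
            "offset": str(offset),
            "prioritizeMalicious": "true" if prioritize_malicious else "false",
        })
        yield from records
        offset += len(records)
        total = int(headers.get("x-total-count", offset))  # assumed header name
        if not records or offset >= total:
            return


def build_inventory(fetch: Fetch, page_urls: List[str],
                    limit: int = MAX_LIMIT) -> Dict[str, dict]:
    """Merge per-page results into one inventory keyed by script URL.
    'justification' is left empty for the merchant to fill in: PCI DSS 6.4.3
    wants a written reason for every script."""
    inventory: Dict[str, dict] = {}
    for page in page_urls:
        for rec in iter_scripts(fetch, page, limit=limit):
            entry = inventory.setdefault(rec["url"], {
                "hash": rec.get("hash"),              # assumed field names
                "first_seen": rec.get("first_seen_at"),
                "last_seen": rec.get("last_seen_at"),
                "pages": set(),
                "malicious": False,
                "justification": None,
            })
            entry["pages"].add(page)
            score = rec.get("js_integrity_score")     # assumed field name
            if score is not None and score < MALICIOUS_THRESHOLD:
                entry["malicious"] = True
    return inventory


# Constructed sample records standing in for the API response.
SAMPLE_SCRIPTS = [
    {"url": "https://www.example-storefront.com/js/checkout.js",
     "hash": "constructed-hash-1", "js_integrity_score": 87,
     "first_seen_at": "2024-05-01T10:00:00Z", "last_seen_at": "2024-05-20T09:00:00Z"},
    {"url": "https://js.example-psp.com/v3/",
     "hash": "constructed-hash-2", "js_integrity_score": 92,
     "first_seen_at": "2024-03-11T08:00:00Z", "last_seen_at": "2024-05-20T09:05:00Z"},
    {"url": "https://static.example-cdn.net/skim.js",
     "hash": "constructed-hash-3", "js_integrity_score": 4,
     "first_seen_at": "2024-05-19T23:40:00Z", "last_seen_at": "2024-05-20T09:10:00Z"},
]


def make_fake_fetch(records: List[dict]) -> Fetch:
    """Offline stand-in for the endpoint: slices the sample list by
    offset/limit and reports the total in the (assumed) header."""
    def fetch(params: Dict[str, str]):
        fetch.calls.append(dict(params))
        off, lim = int(params["offset"]), int(params["limit"])
        return {"x-total-count": str(len(records))}, records[off:off + lim]
    fetch.calls = []
    return fetch


def demo() -> Dict[str, dict]:
    """Small limit on purpose so that pagination is exercised."""
    fetch = make_fake_fetch(SAMPLE_SCRIPTS)
    return build_inventory(fetch, ["https://www.example-storefront.com/checkout"],
                           limit=2)


if __name__ == "__main__":
    for url, entry in demo().items():
        flag = "MALICIOUS" if entry["malicious"] else "ok"
        print(f"{flag:9} {url}  pages={sorted(entry['pages'])}")
```

Run the inventory build on a schedule, diff it against the previous run, and require a justification entry before a new script is added to an allow policy.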

With Page Shield authorization policies, you can:

  • Enhance compliance with security standards.
  • Set appropriate Content Security Policy (CSP) headers, which control the scripts that are allowed to execute on your pages.
  • Improve security by blocking unauthorized scripts.
  • Reduce the risk of malicious code execution.

To authorize scripts using policies:

  1. Identify the scripts that are required for the payments page. Using this information, create a Page Shield policy targeting a particular set of pages, for example:
  2. Refer to the expression rules and Page Shield directives to target specific pages and scripts effectively.
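One way to build such a policy, as an added example that is not eCDN's or Cloudflare's own code: the script-src value is assembled from the approved third-party origins plus a hash source for each approved inline script (the standard CSP hash, 'sha256-' followed by the base64 of the SHA-256 of the script body), the policy starts in Log mode, and candidate scripts from the inventory are checked against it before it is promoted to Allow so that nothing essential gets blocked. The policy object's field names (action, description, enabled, expression, value) and the starts_with expression syntax are assumptions based on this page's description of policies; verify them against the CDN Zones API reference before using them.

```python
"""Assemble a hash-based Page Shield allow policy for a payment path and
check candidate scripts against it before switching from Log to Allow.

Added example, not eCDN's or Cloudflare's code. Assumed: the policy field
names and the expression syntax. The CSP hash source is the standard one.
"""
import base64
import hashlib
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit


def csp_hash(inline_script: str) -> str:
    """Hash source for an inline script. It must match the served body
    byte-for-byte, whitespace included, so the page must serve it unchanged."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def build_script_src(external_urls: Iterable[str],
                     inline_scripts: Iterable[str]) -> str:
    """script-src: own origin, each approved third-party origin, and a hash
    for each approved inline script. Everything else is denied by default."""
    sources: List[str] = ["'self'"]
    for url in external_urls:
        origin = origin_of(url)
        if origin not in sources:
            sources.append(origin)
    for body in inline_scripts:
        h = csp_hash(body)
        if h not in sources:
            sources.append(h)
    return "script-src " + " ".join(sources)


def build_policy(path_prefix: str, external_urls: Iterable[str],
                 inline_scripts: Iterable[str],
                 action: str = "log") -> Dict[str, object]:
    """Start with the Log action; promote_to_allow() once the violation
    logs show only resources you intend to block."""
    if action not in ("log", "allow"):
        raise ValueError("action must be 'log' or 'allow'")
    return {                                      # assumed field names
        "action": action,
        "description": f"PCI payment page policy for {path_prefix}",
        "enabled": True,
        # assumed expression syntax for targeting a path prefix
        "expression": f'starts_with(http.request.uri.path, "{path_prefix}")',
        "value": build_script_src(external_urls, inline_scripts),
    }


def promote_to_allow(policy: Dict[str, object]) -> Dict[str, object]:
    return {**policy, "action": "allow"}


def is_allowed(policy: Dict[str, object], own_origin: str,
               script_url: Optional[str] = None,
               inline_body: Optional[str] = None) -> bool:
    """Would this script pass the policy's script-src? Run it over the
    inventory before switching to Allow."""
    sources = str(policy["value"]).split()[1:]
    if inline_body is not None:
        return csp_hash(inline_body) in sources
    origin = origin_of(script_url or "")
    if origin == own_origin and "'self'" in sources:
        return True
    return origin in sources


# Constructed approved list for a checkout path.
OWN_ORIGIN = "https://www.example-storefront.com"
APPROVED_EXTERNAL = ["https://js.example-psp.com/v3/",
                     "https://www.example-storefront.com/js/checkout.js"]
APPROVED_INLINE = ["window.dataLayer = window.dataLayer || [];"]


def demo():
    policy = build_policy("/checkout", APPROVED_EXTERNAL, APPROVED_INLINE)
    checks = {
        "psp": is_allowed(policy, OWN_ORIGIN,
                          script_url="https://js.example-psp.com/v3/"),
        "skimmer": is_allowed(policy, OWN_ORIGIN,
                              script_url="https://static.example-cdn.net/skim.js"),
        "inline_ok": is_allowed(policy, OWN_ORIGIN, inline_body=APPROVED_INLINE[0]),
        # one appended byte changes the hash: tampered inline code is denied
        "inline_tampered": is_allowed(policy, OWN_ORIGIN,
                                      inline_body=APPROVED_INLINE[0] + " "),
    }
    return promote_to_allow(policy), checks


if __name__ == "__main__":
    policy, checks = demo()
    print(policy["value"])
    print(checks)
```

A hash source covers the exact bytes of an inline script, so any change by a compromised deployment or an injected tag produces a violation; an origin source only proves where a script came from, which is why the page calls hash-based directives the more effective integrity check.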

To set up Page Shield notifications, register a webhook endpoint that receives the new or modified script notifications from Cloudflare. You can get the zone names by using the CDN API getZonesInfo endpoint. For example:

To delete a webhook:

Access the violation logs in the Log Center, or set up an eCDN Logpush job to stream them to your S3 bucket.

Page Shield policy violation logs are generated when Cloudflare receives the browser's CSP report, not when the violation occurs in the browser, so their timing depends on browser reporting behavior. Firefox sends CSP reports in real time.
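An added example of the review those logs feed, not eCDN's code: it aggregates CSP violation reports by blocked source and disposition, lists the payment pages each was seen on, and flags sources that are not in the approved inventory. The input is the standard browser CSP report shape ({"csp-report": {...}}), which is what the browser sends; the page does not show the Log Center or Logpush field layout, so if you consume those, map their fields onto the keys used here first. The sample reports are constructed.

```python
"""Aggregate CSP violation reports for the periodic review of a payment
page policy. Added example, not eCDN's code. Input: standard browser
csp-report JSON, one report per line; sample lines are constructed.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, Set
from urllib.parse import urlsplit

SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in [
    {"document-uri": "https://www.example-storefront.com/checkout",
     "violated-directive": "script-src", "effective-directive": "script-src",
     "disposition": "enforce",
     "blocked-uri": "https://static.example-cdn.net/skim.js", "status-code": 200},
    {"document-uri": "https://www.example-storefront.com/checkout/billing",
     "violated-directive": "script-src", "effective-directive": "script-src",
     "disposition": "enforce",
     "blocked-uri": "https://static.example-cdn.net/skim.js", "status-code": 200},
    {"document-uri": "https://www.example-storefront.com/checkout",
     "violated-directive": "script-src", "effective-directive": "script-src",
     "disposition": "report",            # from a Log-action policy
     "blocked-uri": "inline", "status-code": 200},
    {"document-uri": "https://www.example-storefront.com/checkout",
     "violated-directive": "img-src", "effective-directive": "img-src",
     "disposition": "enforce",
     "blocked-uri": "https://img.example-ads.net/p.gif", "status-code": 200},
]]

# Origins already in the script inventory (constructed).
KNOWN_ORIGINS = {"https://js.example-psp.com", "https://www.example-storefront.com"}


def source_of(blocked_uri: str) -> str:
    """Reduce blocked-uri to an origin; CSP keyword values are kept as-is.
    'inline' under an Allow policy means an inline script whose hash is not
    in the policy, which needs review just like an unknown origin."""
    if blocked_uri in ("inline", "eval", "data", "blob"):
        return blocked_uri
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"


def triage(report_lines: Iterable[str], known_origins: Set[str],
           directive: str = "script-src") -> Dict[str, object]:
    """Count script-src violations per (source, disposition), record the
    pages they occurred on, and list sources outside the inventory."""
    counts: Counter = Counter()
    pages = defaultdict(set)
    for line in report_lines:
        try:
            rep = json.loads(line)["csp-report"]
        except (ValueError, KeyError):
            continue                      # skip malformed lines, keep going
        eff = rep.get("effective-directive") or rep.get("violated-directive", "")
        if not eff.startswith(directive):  # also catches script-src-elem
            continue
        src = source_of(rep.get("blocked-uri", ""))
        key = (src, rep.get("disposition", "enforce"))
        counts[key] += 1
        pages[key].add(rep.get("document-uri", "?"))
    unknown = sorted({src for (src, _) in counts if src not in known_origins})
    return {
        "counts": dict(counts),
        "pages": {k: sorted(v) for k, v in pages.items()},
        "unknown": unknown,
    }


def demo() -> Dict[str, object]:
    return triage(SAMPLE_REPORTS, KNOWN_ORIGINS)


if __name__ == "__main__":
    result = demo()
    for (src, disposition), n in sorted(result["counts"].items()):
        print(f"{n:4} {disposition:7} {src}  on {result['pages'][(src, disposition)]}")
    print("needs review:", result["unknown"])
```

Enforced violations from an origin outside the inventory on a checkout page are the case to investigate first; report-only violations show what an Allow policy would block once promoted.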

CDN Zones API endpoints used for script monitoring:

  • Get Page Shield scripts: returns all scripts matching the specified query parameters. Results are paginated, so the script you are interested in might not be on the first page; use the pagination information in the response headers to adjust the offset and scan through the pages. Use the query parameters to focus on the scripts that matter for your payment pages.
  • Get Page Shield script: returns the details of a single script, identified by its script ID.
PCI DSS v4.0 Requirement 6.4.3 (payment page scripts)

Requirement: A method is implemented to confirm that each script is authorized.
How to meet it: Deploy policies on payment pages, based on the monitored data and/or hashes of inline and third-party scripts. Create allow policies that define the JavaScript permitted to run on the payment pages and deny by default any JavaScript not explicitly allowed.

Requirement: A method is implemented to assure the integrity of each script.
How to meet it: Hash-based policies and directives are the more effective way to validate script integrity. Review the alerts and violation reports based on hashes of inline and third-party scripts. Ensure malicious resource detection is enabled for your storefront zone and set up an alert for malicious code detection.

Requirement: An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
How to meet it: Get the list of scripts observed on the page through the CDN API and capture the response. Query the CDN API periodically and maintain the inventory on your side. The merchant is responsible for maintaining the script inventory and its justifications.

PCI DSS v4.0 Requirement 11.6.1 (change and tamper detection on payment pages)

Requirement: A change- and tamper-detection mechanism is deployed to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser. The mechanism functions are performed as follows:
  • At least once every seven days, OR
  • Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
How to meet it: Using Page Shield notifications for code change alerts, new resource alerts and new malicious script alerts, you are notified of new scripts or resources being loaded into the shopper's browser and of scripts considered malicious. You are responsible for configuring these alerts. You can also monitor new resources and code changes through Page Shield policies and their violation logs. Resources that violate an Allow policy are blocked and reported in near real time for review; use Logpush to send the violation logs to your S3 bucket or view them in the Log Center. Allowed resources are continually re-checked by Cloudflare for changes and malicious behavior. Configure the alerts through the CDN API. Violation reports of a deployed policy can be viewed in the Log Center or delivered to your S3 bucket through a Logpush job.
Limits:

  • You can configure a maximum of 5 policies per zone. This is sufficient to configure your policies for PCI compliance.
  • You can configure a maximum of 5 notifications per realm.
  • Get Page Shield scripts returns a maximum of 200 scripts per request. Use the offset query parameter to view additional results, and use the other query parameters to limit the search scope to specific payment paths.
  • Log Center logs are retained for 14 days.
  • Page Shield monitoring is based on sampling. There might be a small delay between deploying a script and seeing it in the scripts list or the logs. Timing also depends on browser behavior for script and violation reporting.

How do merchants use eCDN to achieve PCI 3.x compliance?

  • eCDN helps merchants meet PCI DSS 2.0 and 3.0 requirement 6.6 through its Web Application Firewall (WAF). Additionally, eCDN supports the latest TLS encryption version, which is crucial for PCI compliance.

How do I get a complete list of the payment page scripts that are loaded and executed in the shopper's browser?

  • Use the Get Page Shield scripts endpoint of the CDN Zones API to obtain detailed information about the third-party scripts loaded on your domain's pages. For PCI compliance, filter by page URL to list the scripts loaded on your payment pages.

Which alerts do the PCI webhook notifications contain?

  • Webhook notification types for PCI 4.0 are preconfigured and cannot be modified or customized. The included alerts are:
    • New Code Change Detection Alert: Get notified when the code of a JavaScript file loaded by your users has changed.
    • New Malicious Script Alert: Get notified when a JavaScript file loaded by your users is classified as malicious.
    • New Resources Alert: Get notified when your users load a new resource that has not previously been seen.

Can I get webhook notifications without creating a Page Shield Policy?

  • No. A Page Shield policy is required in each proxy or legacy zone to receive alerts for script changes, additions, or malicious script detections. In zones with policies configured, you do not receive notifications for resources blocked by an Allow policy; review those policy violation logs in the Log Center or stream them to your S3 bucket with Logpush.

Do the PCI 4.0 tools work in both legacy and proxy Zones?

  • Yes. The CDN Zones API endpoints enable PCI policy, notification, and log configuration in both legacy and proxy zones. Migrating to a proxy zone is recommended and is required for Hyperforce enablement.