The PCI DSS 4.0 has been implemented March 31, 2025. We’ve always been compliant with earlier versions and these updates are no exception.
We stay ahead of the curve to ensure your business gets the latest and most robust data protection. These enhancements build on our existing security measures. You can think of them as an extra layer of protection.
What we're implementing
Here’s a quick list of key updates we’re rolling out to stay in line with PCI DSS 4.0.
Tighter script controls
We’re restricting which scripts can run on payment pages, only allowing pre-approved code.
Content security policy (CSP)
We’re setting an approved domain list to ensure only trusted sources can load assets.
Subresource integrity (SRI)
We’re double-checking that our in-built scripts and a number of third-party scripts haven’t been edited or changed.
For a full list of the scripts we check as part of PCI DSS 4.0, check out Script Checks PCI DSS.
Script Inventory
We’re documenting every script used on payment pages so we can quickly spot any unauthorized add-ons.
What you need to do
These enhancements are built on top of our existing security measures and only impact your Members Portal if:
- You’ve customized it and/or embedded external content on your Members Portal
AND
- You upgrade to a Members Portal version above 4.0.8
If that is the case and your Members Portal include images, fonts, or widgets from external sites, you’ll need to add those domains to your CSP header. You can do this in a few clicks via Settings > Security on the Admin panel.
If content or elements get blocked, you’ll see a notice in your browser console. Just add that domain to your CSP header, refresh, and you’re set.
For more information, check out Adding CSP Header Directives.
While our payment processes have always been secure, we’re just tightening them further to match new industry requirements and keep fraudsters at bay.
If you have any questions, our Support team is here to help you navigate these changes so you can continue to focus on what you do best.