Amasty’s Magento 2 Module Compatibility with Hyvä's CSP Implementation


Starting April 2025, compliance with PCI DSS 4.0.1 will require e-commerce stores to implement a Content Security Policy (CSP) on payment-related pages. This change is intended to enhance security by mitigating risks associated with unauthorized script execution.

To align with these requirements, the Hyvä development team is expanding CSP support across its themes and checkout solutions. Amasty, in turn, is working to ensure that its Magento 2 modules remain compatible with the latest CSP standards in Hyvä Checkout and Hyvä Theme.

Below we review the essence of CSP requirements for Magento, Hyvä’s compliance efforts, and Amasty’s approach to supporting Hyvä’s CSP implementation in its Magento 2 extensions.

What is Content Security Policy (CSP)

A Content Security Policy (CSP) is a security feature that restricts the sources from which a web page can load content such as scripts, styles, and media. It defines a strict set of allowed sources and helps prevent certain types of attacks, such as cross-site scripting (XSS) and data injection.

In Magento-based stores, CSP ensures that only explicitly approved external services and scripts can execute on critical pages, such as checkout and payment processing. This is particularly relevant for PCI DSS compliance, as unauthorized scripts on payment pages pose a risk of data interception.

Implementing a strict CSP in Hyvä-powered Magento stores requires modifications to how JavaScript and third-party integrations function. This affects Magento extensions, payment gateways, and analytics tools, making CSP compatibility a major factor in selecting and configuring modules.

Hyvä’s Efforts in Ensuring CSP Compliance

The Hyvä roadmap for 2025 includes full implementation of CSP in strict mode across both storefront and checkout environments. Their short-term objectives focus on:

  • Storefront-wide CSP support, ensuring that all frontend elements comply with strict CSP rules.
  • CSP for express payment methods, addressing security considerations for third-party payment buttons.
  • Checkout CSP implementation, bringing full strict mode CSP support to Hyvä Checkout.

These updates align with PCI DSS 4.0.1 requirements, providing merchants with a secure and compliant foundation for managing customer transactions. Developers working with Hyvä themes or checkout will need to ensure their code follows CSP guidelines and does not depend on the unsafe-inline or unsafe-eval source keywords, which a strict policy does not allow.

Amasty’s Initiatives for CSP Compatibility of Hyvä Extensions

To support merchants using Hyvä, Amasty is updating its Hyvä-compatible Magento 2 modules to comply with Hyvä Checkout CSP requirements. By the end of March 2025, the following modules will be fully compatible:

Beyond the initial set of modules, Amasty will continue rolling out CSP compatibility for additional Magento 2 extensions. Our focus will be on:

  • Modules with Hyvä Checkout compatibility, ensuring seamless integration with Hyvä’s strict CSP implementation.
  • Payment and security-related extensions, which are most directly affected by PCI DSS 4.0.1 compliance requirements.
  • Performance and analytics tools, ensuring that tracking and reporting functionalities remain accessible without compromising security.

The goal is to help merchants adopt Hyvä’s strict CSP implementation while maintaining the functionality of their existing extensions. We will provide detailed release notes and technical documentation to assist merchants in implementing CSP-compatible updates.

Wrapping Up

The implementation of CSP on payment pages under PCI DSS 4.0.1 introduces new security requirements for e-commerce. As Hyvä enforces strict CSP standards, merchants must ensure their extensions and integrations comply with these updated guidelines.

Amasty is actively working to support this transition by ensuring its Magento 2 modules are fully compatible with Hyvä Checkout and Hyvä Theme CSP. For merchants using Hyvä, adopting CSP-ready modules will help maintain a secure, PCI-compliant storefront without compromising functionality.

Stay tuned for further updates as we continue expanding support for Hyvä’s CSP framework.

March 25, 2025
February 21, 2025
November 18, 2022