Dashboard
  • 07 Mar 2024

Overview

The Dashboard provides an overview of progress towards 100% compliance and facilitates all PCI DSS 4.0 action items for browser script requirements.

Similar in concept to an email inbox, the list presents only the scripts and headers that require users' attention because they are "unreviewed" ("New" or "Modified") or "In progress" ("Under review" or "To be removed"). Authorized scripts and headers are hidden, as they require no further attention. However, they can always be found in the Inventory section.

Scripts and headers are shown in two separate tabs.

Script tab

Each script entry presents important overview information, such as its status and risk level.

"View by"
Scripts can be presented by the payment page on which they were found or their vendor.

Script summary
Clicking on a script will open the script summary window, containing additional important information about the script (e.g., vendor description and dates when the script was first). Users can click "Authorization" to authorize and justify the script, the drop-down by the script's status to move to "In progress," or "Show authorization history."

Justification
Any script in the payment page inventory must have a written justification as to why it is necessary. Code Defender requires a justification the first time a script is authorized. The justification can be updated at any time, but will very rarely change within a script's lifecycle.

Authorization
Every script running on a payment page must be authorized and any change to a script must be authorized. Therefore, "Authorization" is a central and frequent activity expected by PCI DSS 4.0.
There are three ways to authorize scripts:

  1. Authorizing one script at a time
  2. Authorizing multiple scripts at a time (e.g., by manually multi-selecting multiple scripts, or selecting all scripts by a certain vendor at once)
  3. Automating script authorization

Authorization history
Every noteworthy event in the script's lifecycle is presented in this window: first appearance, authorizations, workflow status changes, and behavioral integrity changes/modifications (new risky action detected).

The shortcut menu
Clicking on the three dots to the right of a script entry will bring up the shortcut menu.
For further in-depth analysis of all script actions, users can click on "Investigate script" to take it into Code Defender's Analyzer section.

Header tab

HTTP headers can be viewed by the payment page on which they were found, or by the type of security header.

As with scripts, users can dig into further detail, change authorization status, and view authorization history. In addition, the portal will highlight changes from previously authorized headers (e.g., has an attacker added a malicious domain to the Content Security Policy?)

[Screenshot: "Diff" highlighting additions and striking through removals]

[Screenshot: Authorization history]
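
The kind of comparison behind the header diff described above, as an added example that is not Code Defender's own code: it parses a previously authorized Content-Security-Policy value and the currently observed one, lists per-directive additions and removals, and flags the changes that widen the policy. The header values, domains, and function names are constructed for illustration.

```python
# Added example. Header values are constructed sample data, not from a real site.
AUTHORIZED = ("default-src 'self'; script-src 'self' https://js.payments.example; "
              "frame-ancestors 'none'")
OBSERVED = ("default-src 'self'; "
            "script-src 'self' https://js.payments.example https://cdn.unknown.example")


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: set(sources)}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()  # directive names are case-insensitive
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(name, set(tokens[1:]))
    return policy


def diff_csp(authorized, observed):
    """Return per-directive changes between the authorized and observed policy."""
    old, new = parse_csp(authorized), parse_csp(observed)
    changes = {}
    for name in sorted(old.keys() | new.keys()):
        before, after = old.get(name, set()), new.get(name, set())
        entry = {
            "added": sorted(after - before),
            "removed": sorted(before - after),
            "dropped": name in old and name not in new,
        }
        if entry["added"] or entry["removed"] or entry["dropped"] or name not in old:
            changes[name] = entry
    return changes


def loosening(changes):
    """Changes that widen what the page may load: new sources or dropped directives."""
    return [(name, c["added"] or ["<directive dropped>"])
            for name, c in changes.items() if c["added"] or c["dropped"]]


if __name__ == "__main__":
    for name, c in diff_csp(AUTHORIZED, OBSERVED).items():
        for src in c["added"]:
            print(f"+ {name} {src}")
        for src in c["removed"]:
            print(f"- {name} {src}")
    print("needs review:", loosening(diff_csp(AUTHORIZED, OBSERVED)))
```

A removed source inside a directive that is still present narrows the policy, so `loosening` leaves it out; a directive that disappears entirely is flagged because the restriction it carried is gone.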