This article explains the additional security steps required when a form includes both (1) a payment field and (2) customer-supplied JavaScript. Customer-supplied or custom JavaScript is any script added by your organization to a form or theme (as opposed to Intellistack-provided scripts).
Security Standards
To protect sensitive cardholder data, industry security standards (specifically PCI DSS v4.0) include controls for JavaScript code running on a page that captures payment information. Those controls include ensuring that scripts are authorized, justified, and monitored. These measures are designed to prevent malicious scripts from interfering with your payment forms or compromising customer data.
If your organization adds custom JavaScript to a payment-enabled form, your organization is responsible for reviewing, authorizing, and monitoring that code.
Sources of JavaScript
In Formstack Forms, Intellistack is responsible for the JavaScript that is part of the platform. Your organization may also add custom JavaScript through the Embed Code field or within the Header and Footer of a Theme.
A) The Attestation Workflow - Embed Code Field
When a form contains both a Payment Field and an Embed Code field with JavaScript, the following controls apply:
1. Embed Code Editing Lock
To prevent accidental or unauthorized changes to scripts on payment-enabled forms, the JavaScript editor in the left-hand navigation is locked as read-only. To change the contents of the Embed Code, the user must launch the code editor screen.
2. Mandatory Business Justification
Before you can publish or save changes to a script on a payment-enabled form, you must provide a Business Justification.
- Requirement: Enter a clear reason for the script's use (e.g., "Calculates custom discounts" or "Analytics tracking").
- Recordkeeping: This justification is recorded as part of your organization's security audit trail.
Note 1: If the user cancels this dialog or closes the page without completing the attestation, the payment fields on the form will be disabled until a valid attestation is recorded.
*Note 2: If the Embed Code including JavaScript was created or edited via the Forms API, it will require a user to log in to the Forms application to complete this attestation. There is no attestation available via the Forms API.
3. Automated Security Notifications
When custom code is authorized on a payment form, an automated email notification is sent to your Forms account owner.
- Details Included: The notification includes the form name, the user who authorized the change, and the business justification.
- Purpose: This alert enables your organization’s security personnel to validate that code on your payment pages is safe and intended.
Note: Retain this notification for your compliance records.
B) The Attestation Workflow - Theme
When a form contains a Payment Field and uses a Theme with JavaScript in either the header or footer, the following controls apply:
1. Editing or Applying a Theme with JavaScript
To prevent accidental or unauthorized changes to scripts within themes used on payment-enabled forms, attestation is required in each of the following cases:
- New JavaScript is added to a theme that is already used on a payment-enabled form.
- A theme that contains JavaScript is applied to a payment-enabled form.
- Payment capability is added to a form whose theme already contains JavaScript.
2. Mandatory Business Justification
Before you can publish or save changes to a theme with JavaScript used on a payment-enabled form, you must provide a Business Justification.
- Requirement: Enter a clear reason for the script's use (e.g., "Calculates custom discounts" or "Analytics tracking").
- Recordkeeping: This justification is recorded as part of your organization's security audit trail.
Note 1: If the user cancels this dialog or closes the page without completing the attestation, the payment fields on the form will be disabled until a valid attestation is recorded.
3. Automated Security Notifications
When custom code is authorized on a payment form, an automated email notification is sent to your Forms account owner.
- Details Included: The notification includes the theme name, the user who authorized the change, and the business justification.
- Purpose: This alert enables your organization’s security personnel to validate that code on your payment pages is safe and intended.
Note: Retain this notification for your compliance records.
Your Responsibilities
Best practices include:
- Verify Authorization: Confirm the code and the business justification align with your organization’s security policy.
- Regular Review: Periodically confirm that active scripts are still necessary and up to date.
- Incident Response: Immediately disable any script that shows unexpected behavior or is no longer approved.
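The review practices above (and the "authorized, justified, and monitored" controls described under Security Standards) can be backed by a simple script inventory check. The following Python is an added example, not Formstack or Intellistack code: it models an attestation record (form, script source, approver, business justification, and a SHA-256 hash of the approved script text) and compares it with what is currently live on a form, flagging scripts with no attestation, scripts changed since they were approved, and attestations for scripts that are no longer present. All form, theme and script names are constructed sample data; how you obtain the live embed code and theme scripts from your own account is left to you.

```python
"""Script inventory check for payment-enabled forms (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Attestation:
    form: str
    source: str            # "embed_code" or "theme:<theme name>"
    authorized_by: str
    justification: str     # the Business Justification entered at attestation time
    sha256: str            # hash of the exact script text that was approved


@dataclass(frozen=True)
class Finding:
    form: str
    source: str
    status: str            # OK, UNAUTHORIZED, MODIFIED, MISSING_JUSTIFICATION, STALE
    detail: str


def script_hash(script: str) -> str:
    """Hash the exact script text; any edit, even whitespace, triggers re-review."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def review_form(form: str, has_payment_field: bool,
                live_scripts: Dict[str, str],
                attestations: List[Attestation]) -> List[Finding]:
    """Compare the scripts live on one form with its attestation records.

    The controls only apply to payment-enabled forms, so a form without a
    payment field produces no findings.
    """
    if not has_payment_field:
        return []
    on_file = {a.source: a for a in attestations if a.form == form}
    findings: List[Finding] = []
    for source, script in live_scripts.items():
        if not script.strip():
            continue                       # empty embed code or theme slot
        record = on_file.pop(source, None)
        if record is None:
            findings.append(Finding(form, source, "UNAUTHORIZED",
                                    "script present but no attestation on file"))
        elif record.sha256 != script_hash(script):
            findings.append(Finding(form, source, "MODIFIED",
                                    f"content differs from version approved by {record.authorized_by}"))
        elif not record.justification.strip():
            findings.append(Finding(form, source, "MISSING_JUSTIFICATION",
                                    "attestation has no business justification"))
        else:
            findings.append(Finding(form, source, "OK",
                                    f"approved by {record.authorized_by}: {record.justification}"))
    # Records left over refer to scripts no longer on the form; flag them so
    # the inventory can be retired during regular review.
    for source in on_file:
        findings.append(Finding(form, source, "STALE",
                                "attested script is no longer present on the form"))
    return findings


# --- Constructed sample data (hypothetical forms, themes and scripts) ---
DISCOUNT_SCRIPT = (
    "<script>\n"
    "  // constructed sample: applies a promo code before checkout\n"
    "  document.querySelector('#promo').addEventListener('change', applyDiscount);\n"
    "</script>\n"
)
ANALYTICS_SCRIPT = '<script src="https://analytics.example/tag.js"></script>\n'

ATTESTATIONS = [
    Attestation("Donation Form", "embed_code", "jane.doe@example.com",
                "Calculates custom discounts", script_hash(DISCOUNT_SCRIPT)),
    Attestation("Donation Form", "theme:Corporate", "jane.doe@example.com",
                "Analytics tracking", script_hash(ANALYTICS_SCRIPT)),
    # Theme that was attested earlier but has since been swapped out.
    Attestation("Donation Form", "theme:Legacy", "jane.doe@example.com",
                "Analytics tracking", script_hash(ANALYTICS_SCRIPT)),
]

# What is live today: (has_payment_field, {source: script text})
LIVE_FORMS = {
    "Donation Form": (True, {
        # embed code edited after attestation: an extra script tag was appended
        "embed_code": DISCOUNT_SCRIPT + '<script src="https://cdn.example/extra.js"></script>\n',
        "theme:Corporate": ANALYTICS_SCRIPT,
        # a theme with JavaScript applied without any attestation on file
        "theme:Holiday": "<script>document.body.classList.add('holiday');</script>\n",
    }),
    "Newsletter Signup": (False, {"embed_code": ANALYTICS_SCRIPT}),
}


def run_review() -> Dict[str, List[Finding]]:
    """Review every form in LIVE_FORMS against ATTESTATIONS."""
    return {form: review_form(form, pay, scripts, ATTESTATIONS)
            for form, (pay, scripts) in LIVE_FORMS.items()}


if __name__ == "__main__":
    for form, findings in run_review().items():
        for f in findings:
            print(f"[{f.status}] {form} / {f.source}: {f.detail}")
```

Anything other than OK is a prompt for the owner of the form to either complete a fresh attestation (UNAUTHORIZED, MODIFIED), fill in the missing justification, or retire the record (STALE). Hashing the exact script text is deliberate: even a whitespace-only change is cheap to re-approve, whereas ignoring such changes would let a small but meaningful edit slip past review.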