Setting up PCI DSS dashboard

The PCI DSS dashboard is available on all plans.

Overview

The PCI DSS dashboard helps you monitor and manage client-side scripts on your payment pages. There are two main setup options depending on your payment implementation:

PCI DSS dashboard setup options

1. Page Setup

Use this option if your payment pages are:

  • Server-side rendered (SSR)
  • Loaded through a page reload/navigation
  • Isolated from scripts present during client-side navigation

This setup filters the script list to only show scripts present on designated payment pages.

2. Modal Setup

Use this option if your payment forms are implemented through:

  • Modal windows
  • Popup widgets
  • Paywall overlays
  • Any dynamic UI where payments can be processed on multiple pages

This setup monitors scripts across your entire application since payment forms can appear on any page.

Configuration

Page Setup

You can register more than one payment page URL. Patterns use URL Pattern API syntax, in which * is a wildcard that matches any run of characters, so a single pattern can cover every order-specific checkout URL.

Example pattern:

beverage.ltd/*orderID/checkout/payment

Modal Setup

Configure a CSS selector that identifies your payment modal or form.

Example selector:

#pay

The dashboard displays every script that is loaded while the matching element is present on the page, since any of those scripts can interact with the payment form while it is active.

PCI DSS Requirement 11.6.1

PCI DSS requirement 11.6.1 calls for a change- and tamper-detection mechanism covering the HTTP headers and the contents of payment pages as received by the consumer browser. To cover the header side of that requirement, cside records the 14 security-impacting response headers listed below whenever visitors load your payment pages and reports any change, so you can confirm your security headers stay configured as intended.

The following security headers are monitored:

  • Content Security Policy
  • Content Security Policy Report Only
  • Report To
  • Reporting Endpoints
  • Strict Transport Security
  • X-Frame-Options
  • Cross-Origin Resource Policy
  • Cross-Origin Opener Policy
  • Cross-Origin Embedder Policy
  • Permissions Policy
  • X-Content-Type-Options
  • X-Permitted-Cross-Domain-Policies
  • Referrer Policy
  • X-XSS-Protection

Header changes are included in your weekly PCI DSS report. Requirement 11.6.1 requires the detection mechanism to run at least once every seven days (or at the frequency set by your targeted risk analysis), which is why the report is produced weekly. Reports are also available on demand in the reports tab under the PCI DSS view. Soon you will be able to opt in to real-time notifications when a header change is detected.

Security headers are static for most websites, so a genuine change is a strong signal. However, some web proxies and CDNs inject or rewrite headers on individual responses, so values can differ between samples of the same page and produce noisy reports; review a flagged header's values across samples before treating it as an unauthorized change.

If your payment pages sit behind a VPN or in a locked-down environment, cside can provide a static source IP address that you allow-list so the header checks can reach those pages.
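The check behind the two preceding paragraphs, a baseline-versus-current diff of the monitored headers plus a test for values that are unstable across samples, as an added example. This is illustrative code, not cside's implementation; the header set is the 14 names listed above, and the sample responses are constructed for the example rather than captured from any site.

```python
import re

# The 14 headers the dashboard monitors, in canonical lower-case form.
MONITORED_HEADERS = (
    "content-security-policy",
    "content-security-policy-report-only",
    "report-to",
    "reporting-endpoints",
    "strict-transport-security",
    "x-frame-options",
    "cross-origin-resource-policy",
    "cross-origin-opener-policy",
    "cross-origin-embedder-policy",
    "permissions-policy",
    "x-content-type-options",
    "x-permitted-cross-domain-policies",
    "referrer-policy",
    "x-xss-protection",
)

# Headers whose value is an order-insensitive directive list; a reordered
# but equivalent policy must not be reported as a change.
DIRECTIVE_SEPARATORS = {
    "content-security-policy": ";",
    "content-security-policy-report-only": ";",
    "permissions-policy": ",",
}


def canonical_value(name, value):
    """Collapse whitespace and sort directive lists so equivalent policies compare equal."""
    value = re.sub(r"\s+", " ", value.strip())
    sep = DIRECTIVE_SEPARATORS.get(name)
    if sep:
        directives = sorted(d.strip() for d in value.split(sep) if d.strip())
        return f"{sep} ".join(directives)
    return value


def normalize(raw_headers):
    """Turn wire-order (name, value) pairs into {monitored_name: canonical_value}.
    Repeated headers (CSP may be sent more than once) are merged before canonicalizing."""
    merged = {}
    for name, value in raw_headers:
        key = name.strip().lower()
        if key in MONITORED_HEADERS:
            merged.setdefault(key, []).append(value)
    return {
        k: canonical_value(k, DIRECTIVE_SEPARATORS.get(k, ",").join(v))
        for k, v in merged.items()
    }


def diff_headers(baseline, current):
    """Added, removed and changed monitored headers between two normalized samples."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {
        k: (baseline[k], current[k])
        for k in baseline.keys() & current.keys()
        if baseline[k] != current[k]
    }
    return {"added": added, "removed": removed, "changed": changed}


def unstable_headers(samples):
    """Headers whose value is not identical across several samples of the same page
    taken in one run: the proxy-injected, per-response values that cause noisy reports."""
    names = set().union(*(s.keys() for s in samples))
    return {n for n in names if len({s.get(n) for s in samples}) > 1}


# Constructed sample responses for a hypothetical payment page (not real captures).
BASELINE_RAW = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' https://js.example-psp.test; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), payment=(self)"),
    ("Cache-Control", "no-store"),  # not a monitored header, ignored
]
CURRENT_RAW = [
    # CSP directives reordered (harmless) and 'unsafe-inline' added to script-src (a real change)
    ("Content-Security-Policy",
     "frame-ancestors 'none'; default-src 'self'; script-src 'self' 'unsafe-inline' https://js.example-psp.test"),
    # Strict-Transport-Security has been dropped entirely
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "payment=(self), camera=()"),  # reordered only, must not be flagged
    ("Report-To", '{"group":"csp","max_age":86400,"endpoints":[{"url":"https://reports.example.test/csp"}]}'),
]

if __name__ == "__main__":
    report = diff_headers(normalize(BASELINE_RAW), normalize(CURRENT_RAW))
    for kind, entries in report.items():
        for name, value in entries.items():
            print(f"{kind:8} {name}: {value}")
    # A second sample in which a proxy injected X-XSS-Protection on one response only.
    noisy = unstable_headers([normalize(CURRENT_RAW),
                              normalize(CURRENT_RAW + [("X-XSS-Protection", "0")])])
    print("unstable across samples:", sorted(noisy))
```

Sorting CSP and Permissions-Policy directives before comparing is a deliberate choice: a CDN that re-serializes a policy in a different order has not changed it, and reporting that would be the kind of noise the previous paragraph warns about. Values that differ between samples within one run are a separate category from a baseline change and should be reviewed before they are allowed to page anyone.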
