Overview

The Dashboard provides an overview of progress towards 100% compliance, facilitates all PCI DSS 4.0 action items for browser script requirements, and gives you an assessment of your status at a glance.


From the Dashboard, you can view:

  • The Sensor Heartbeat: This indicates the sensor's status across your domains. If your reports drop drastically, this will update accordingly. If the heartbeat indicates a drop, then you should first confirm your sensor was not removed from the relevant domains or accidentally blocked. If it was not, then contact HUMAN for assistance.
  • The Script Authorization tab: This displays scripts that need your review. Only unauthorized scripts are shown; scripts you've authorized are hidden from this tab, but you can always view them from your Inventory.
  • The HTTP Security Header Authorization tab: This displays HTTP headers that need your review. Only unauthorized HTTP headers are shown; ones that you have authorized are hidden from this tab, but you can always view them from your Inventory.

You can learn about the script and header tabs in the following sections.

Script tab

Each script entry presents important overview information, such as its status and risk level.

View by

Scripts can be presented by the payment page on which they were found or their vendor.

Script summary

Click on a script to open its summary. The script summary contains additional information about the script, such as a vendor description or the date when the script was first seen.

You can also update certain information about the script from the summary.

  • Show authorization history: Click to display the script's audit log, add notes, or authorize the script.
  • Progress status: Click to update the script's status.
  • Authorization: Click to authorize and justify the script.
  • Ownership contacts: Click to assign your team members as owners or contacts for the script.
  • Script justification: Enter a justification as to why the script is necessary.

Authorization history

Every noteworthy event in the script's lifecycle is presented in this window: first appearance, authorizations, workflow status changes, and behavioral integrity changes (a new risky action detected).

Progress status

You can update the progress status of a script by clicking the status and selecting:

  • Change progress status: Lets you move the script to a new status, add a note about the change, and share the script with the available integrations. The available statuses are:
    • To be reviewed (under review): Mark the script as needing review.
    • To be removed: Mark the script for removal.
  • Archive script: Archive the script, which hides it from view and excludes it from calculations such as the total number of scripts in your inventory. You cannot archive a script if Code Defender detected it within the last 24 hours. Code Defender automatically re-adds an archived script if it detects it on your application again.

Authorization

Every script running on a payment page or the parent page that embeds a payment page must be authorized, and any behavioral integrity change to a script must be reauthorized. Therefore, "Authorization" is a central and frequent activity expected by PCI DSS 4.

There are three ways to authorize scripts:

  1. Authorizing one script at a time
  2. Authorizing multiple scripts at a time (for example, by manually multi-selecting multiple scripts, or selecting all scripts by a certain vendor at once)
  3. Automating script authorization with a Policy Rule

You can typically provide a script justification as well as authorization. Both are required for a script to change status to “Authorized.”

📘 Note

If you have the PCI Authorizer role, you are only able to authorize scripts and add an authorization note, but cannot justify scripts. After you authorize, if a justification has not yet been provided, the script will move to the pending justification status for the PCI Justifier role to review. See Role permissions for more information.

Justification

Every script running on a payment page or the parent page that embeds a payment page must possess a written justification as to why it is necessary. Code Defender requires a justification the first time a script is authorized. A justification can be updated at any time but rarely changes within a script's lifecycle.

📘 Note

If you have the PCI Justifier role, you are only able to add script justifications and cannot authorize scripts. After you justify, if authorization has not yet been provided, the script will move to the pending authorization status for the PCI Authorizer role to review. See Role permissions for more information.
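The script workflow described above (authorization and justification as two independent, role-gated approvals, the pending statuses, the 24-hour archive rule, and reauthorization after a behavioral integrity change) modelled as a small state machine. This is an added illustration, not Code Defender's own code or API; the permission table, the timestamp arithmetic, and the assumption that a re-detected archived script keeps its earlier approvals are ours.

```python
from dataclasses import dataclass

# Roles named on the page: each holds exactly one of the two permissions (assumed table).
PERMISSIONS = {"PCI Authorizer": {"authorize"}, "PCI Justifier": {"justify"}}
ARCHIVE_COOLDOWN = 24 * 3600  # seconds; a script seen more recently cannot be archived

@dataclass
class Script:
    last_seen: float  # Unix timestamp of the last sensor detection (constructed in tests)
    status: str = "To be reviewed"
    authorized: bool = False
    justification: str = ""
    archived: bool = False

    def recompute(self):
        """Derive the workflow status from the two independent approvals."""
        if self.archived:
            self.status = "Archived"
        elif self.authorized and self.justification:
            self.status = "Authorized"
        elif self.authorized:
            self.status = "Pending justification"  # waits for a PCI Justifier
        elif self.justification:
            self.status = "Pending authorization"  # waits for a PCI Authorizer
        else:
            self.status = "To be reviewed"
        return self.status

def act(script, role, action, text=""):
    """Authorize or justify, enforcing the one-role-one-action split from the notes."""
    if action not in PERMISSIONS.get(role, set()):
        raise PermissionError(f"{role} cannot {action}")
    if action == "authorize":
        script.authorized = True
    else:
        script.justification = text
    return script.recompute()

def archive(script, now):
    if now - script.last_seen < ARCHIVE_COOLDOWN:
        raise ValueError("detected within the last 24 hours; cannot archive")
    script.archived = True
    return script.recompute()

def detect(script, now, integrity_changed=False):
    """The sensor saw the script again: re-add it; a behavioral change needs reauthorization."""
    script.last_seen, script.archived = now, False
    if integrity_changed:
        script.authorized = False  # the justification is kept; it rarely changes
    return script.recompute()
```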

Header tab

Each header entry presents important overview information, such as its status and risk level.

View by

Headers can be presented by the payment page on which they were found or the headers themselves.

Header summary

Click on a header to open its summary. The header summary contains additional information about the header, such as its new values or when it was last seen.

You can also update certain information about the header from the summary.

  • Show authorization history: Click to display the header’s audit log and add notes.
  • Progress status: Click to update the header’s status.
  • Authorization: Click to authorize the header.
  • Header values: Manage new header values.

Authorization history

Every noteworthy event in the header’s lifecycle is presented in this window: first appearance, authorizations, workflow status changes, and new values.

Progress status

You can update the progress status of a header by clicking the status and selecting:

  • Change progress status: Lets you move the header to a new status, add a note about the change, and share the header with the available integrations. The available statuses are:
    • To be reviewed (under review): Mark the header as needing review.
    • To be removed: Mark the header for removal.
  • Archive header: Archive the header and all of its values, which hides it from view and excludes it from calculations such as the total number of headers in your inventory. You cannot archive a header if Code Defender detected it within the last 24 hours. Code Defender automatically moves archived headers back to the inventory if it detects them on your application again. See Header values to learn how to archive individual header values instead.

Authorization

As with scripts, every header must be authorized, and any change to a header or header value must be authorized.

There are three ways to authorize headers:

  1. Authorizing one header at a time
  2. Authorizing multiple headers at a time
  3. Automating header authorization

Header values

You can view and manage individual header values with the tools available per value:

  • Compare header values: Open a new view to compare the selected new header value with any previously authorized header value.
  • Copy: Copy the header value to your device’s clipboard.
  • More options: Additional tools to manage the header value.
    • Archive header value: Archive the header’s value, which hides it from view and excludes it from calculations. You cannot archive a value if Code Defender detected it within the last 24 hours. Code Defender automatically moves archived values back to the inventory and sends a Modified Header alert if it detects the same one on your application again. See Progress status to learn how to archive headers and all of their values instead.