Overview

The Dashboard provides an overview of progress towards 100% compliance, facilitates all PCI DSS 4.0 action items for browser script requirements, and gives you an assessment of your status at a glance.


From the Dashboard, you can view:

  • The Sensor Heartbeat: This indicates the sensor's status across your domains; if the reports from a domain drop drastically, the heartbeat updates accordingly. If the heartbeat indicates a drop, first confirm that the sensor was not removed from the relevant domains or accidentally blocked. If it was not, contact HUMAN for assistance.
  • The Script Authorization tab: This displays scripts that need your review. Only unauthorized scripts are shown; scripts you've authorized are hidden from this tab, but you can always view them from your Inventory.
  • The HTTP Security Header Authorization tab: This displays HTTP headers that need your review. Only unauthorized HTTP headers are shown; ones that you have authorized are hidden from this tab, but you can always view them from your Inventory.

You can learn about the script and header tabs in the following sections.
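As an added example, not HUMAN's or Code Defender's own code, of the kind of check behind the Sensor Heartbeat: given per-domain counts of sensor reports per interval, it flags a domain whose latest interval fell well below its recent baseline, and distinguishes a sensor that went silent entirely (removed or blocked) from one that merely degraded. The domain names, counts and thresholds are constructed assumptions, not values from the product.

```python
"""Added example: flag a sensor heartbeat drop per domain.

Assumes report counts are available as a per-domain list of counts per
fixed interval (here: per hour, oldest first). These are not the
product's own data structures."""

from statistics import median
from typing import Dict, List

# Constructed sample: sensor reports received per hour, oldest first.
REPORT_COUNTS: Dict[str, List[int]] = {
    "checkout.example.test": [1180, 1215, 1190, 1240, 1205, 310],  # sudden drop
    "pay.example.test": [420, 415, 432, 428, 440, 436],            # steady
    "store.example.test": [95, 102, 98, 101, 97, 0],               # no reports at all
}


def heartbeat_status(counts: List[int],
                     drop_ratio: float = 0.5,
                     min_baseline: int = 3) -> str:
    """Return 'healthy', 'degraded' or 'silent' for one domain's series.

    'silent'   : no reports in the latest interval (sensor removed or blocked?)
    'degraded' : latest interval below drop_ratio * median of earlier intervals
    'healthy'  : otherwise, including series too short to form a baseline, so a
                 freshly deployed sensor is not flagged on its first intervals.
    The median is used as the baseline so one earlier spike or dip does not
    skew the comparison the way a mean would."""
    if not counts:
        return "silent"
    latest, baseline = counts[-1], counts[:-1]
    if latest == 0:
        return "silent"
    if len(baseline) < min_baseline:
        return "healthy"
    if latest < drop_ratio * median(baseline):
        return "degraded"
    return "healthy"


def domains_needing_review(report_counts: Dict[str, List[int]]) -> Dict[str, str]:
    """Map each non-healthy domain to its status, for the review queue."""
    flagged: Dict[str, str] = {}
    for domain, counts in report_counts.items():
        status = heartbeat_status(counts)
        if status != "healthy":
            flagged[domain] = status
    return flagged


if __name__ == "__main__":
    for domain, status in domains_needing_review(REPORT_COUNTS).items():
        print(f"{domain}: {status}")
```

A 'silent' domain is the case the section tells you to triage first (sensor tag removed from the page, or blocked); a 'degraded' one may simply reflect a traffic change, so compare it against your own traffic figures before escalating.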

Script tab

Each script entry presents important overview information, such as its status and risk level.

"View by"

Scripts can be presented by the payment page on which they were found or by their vendor.

Script summary

Click on a script to open its summary. The script summary contains additional information about the script, such as a vendor description or the date the script was first seen.

You can also update certain information about the script from the summary.

  • Show authorization history: Click to display the script's audit log, add notes, or authorize the script.
  • Authorization: Click to authorize and justify the script.
  • Progress status: Click to update the script's status.
  • Ownership contacts: Click to assign your team members as owners or contacts for the script.

Justification

Any script in the payment page inventory must have a written justification explaining why it is necessary. Code Defender requires a justification the first time a script is authorized. The justification can be updated at any time, but it will very rarely change within a script's lifecycle.

Authorization

Every script running on a payment page must be authorized, and any change to a script must be authorized as well. Authorization is therefore a central and frequent activity expected by PCI DSS 4.0.
There are three ways to authorize scripts:

  1. Authorizing one script at a time
  2. Authorizing multiple scripts at a time (e.g., by manually multi-selecting multiple scripts, or selecting all scripts by a certain vendor at once)
  3. Automating script authorization

Authorization history

Every noteworthy event in the script's lifecycle is presented in this window: first appearance, authorizations, workflow status changes, and behavioral integrity changes or modifications (for example, a new risky action detected).

The shortcut menu

Clicking the three dots to the right of a script entry brings up the shortcut menu.
For further in-depth analysis of all of a script's actions, click "Investigate script" to open it in Code Defender's Analyzer section.

Header tab

HTTP headers can be viewed by the payment page on which they were found, or by the type of security header.

As with scripts, you can dig into further detail, change the authorization status, and view the authorization history. In addition, the portal highlights changes from previously authorized headers (for example, has an attacker added a malicious domain to the Content Security Policy?).

[Screenshot: the "Diff" view highlights additions and strikes through removals]
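An added example, not Code Defender's or HUMAN's own code, of the header comparison described above: it parses two Content-Security-Policy values into directive/source sets and reports, per directive, which sources were added and which were removed, the check that surfaces an unexpected domain in script-src. The header values and host names are constructed placeholders. Nonce values are normalized before comparison because a real nonce changes with every response and would otherwise show up as a spurious change on each visit.

```python
"""Added example: diff an authorized Content-Security-Policy against the
one currently observed on a payment page."""

from dataclasses import dataclass, field
from typing import Dict, List, Set

# Placeholder that replaces every 'nonce-<value>' source before comparing.
NONCE_PLACEHOLDER = "'nonce-*'"


def parse_csp(header: str) -> Dict[str, Set[str]]:
    """Parse a CSP value into {directive: set(sources)}.

    Directives are ';'-separated; the first whitespace token is the directive
    name (case-insensitive, so it is lower-cased) and the rest are sources.
    Browsers ignore a repeated directive, so the first occurrence wins here
    too. Nonce sources are collapsed to NONCE_PLACEHOLDER because the nonce
    value is meant to differ per response."""
    policy: Dict[str, Set[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        sources = {
            NONCE_PLACEHOLDER if t.lower().startswith("'nonce-") else t
            for t in tokens[1:]
        }
        policy.setdefault(name, sources)
    return policy


@dataclass
class DirectiveDiff:
    directive: str
    added: List[str] = field(default_factory=list)    # new in observed header
    removed: List[str] = field(default_factory=list)  # present only in authorized


def diff_csp(authorized: str, observed: str) -> List[DirectiveDiff]:
    """Return one DirectiveDiff per directive whose source set changed,
    including directives present on only one side."""
    before = parse_csp(authorized)
    after = parse_csp(observed)
    diffs: List[DirectiveDiff] = []
    for name in sorted(set(before) | set(after)):
        old = before.get(name, set())
        new = after.get(name, set())
        if old != new:
            diffs.append(DirectiveDiff(name, sorted(new - old), sorted(old - new)))
    return diffs


def render_diff(diffs: List[DirectiveDiff]) -> str:
    """Text rendering in the spirit of the dashboard's view: '+' marks an
    addition, '-' a removal (shown struck through in the UI)."""
    lines: List[str] = []
    for d in diffs:
        lines.append(f"{d.directive}:")
        lines.extend(f"  + {s}" for s in d.added)
        lines.extend(f"  - {s}" for s in d.removed)
    return "\n".join(lines)


# Constructed sample: the header as last authorized, and as observed now.
AUTHORIZED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://checkout.example-psp.test 'nonce-r4nd0m1'; "
    "connect-src 'self' https://api.example-psp.test; "
    "frame-ancestors 'none'"
)
OBSERVED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://checkout.example-psp.test 'nonce-r4nd0m2' "
    "https://cdn.unexpected-host.test; "
    "connect-src 'self'; "
    "frame-ancestors 'none'"
)

if __name__ == "__main__":
    # Expected: a new script-src host added, an api host dropped from connect-src,
    # and no entry for the nonce that merely rotated.
    print(render_diff(diff_csp(AUTHORIZED_CSP, OBSERVED_CSP)))
```

Both kinds of change matter for review: an added script-src host is the classic sign of a skimming script being permitted, while a removed connect-src host can break a legitimate integration or indicate that a policy was loosened elsewhere to make room for something new.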

[Screenshot: authorization history for a header]