You have 2 weeks left to set up CSP for your store
by Sansec Forensics Team
Published in Threat Research − March 17, 2025
Increasing use of Content Security Policy (CSP) as PCI-DSS 4.0 goes live on April 1st. However, our research shows that most online stores have not enabled CSP reporting - a critical requirement under the new PCI standards.
The new PCI-DSS regulations that will come into effect after March 31st, 2025, require merchants to monitor scripts on their payment pages to prevent digital skimming attacks*. The use of Content Security Policy (CSP) is recommended as a free alternative to costly commercial solutions.
*PCI-DSS requires either script monitoring or an alternative solution as confirmed by your payment processor.
Key findings
Sansec has been tracking the largest 400K stores globally since 2015. Our latest analysis reveals:
- Magento leads adoption: 38% of Magento stores use CSP, far ahead of other platforms
- Reporting gap: While CSP usage goes up, only 13% have reporting enabled - a critical requirement for PCI-DSS 4.0
CSP usage per shopping platform
Curiously, the hosted (SaaS) platforms Shopify and Squarespace do not use CSP at all for their stores. BigCommerce supports it, but the majority of BigCommerce CSP setups are misconfigured.
Magento CSP adoption over time
These stats show the adoption of CSP for Magento, which is clearly fueled by Adobe pushing CSP usage for Magento 2.4.
Use of CSP reporting per platform
CSP can and should be configured to send violation reports to a collecting service, which can escalate anomalies to a store manager. Without reporting, CSP has little value.
This graph shows the percentage of stores that have CSP reporting enabled per platform. OpenCart leads, possibly because it has a built-in CSP reporting tool.
CSP Reporting Solutions
In our research, running a custom monitoring service is the most popular solution, followed by Sansec Watch (free) and Report-URI. Using an external service is recommended, as they can combine data across sites to eliminate noise for you.
What to do?
If you are not using CSP for your store yet, you should start now. It's free and it's easy to implement when you use an external service.
If you are already using CSP, make sure to enable reporting. Otherwise, you will not be compliant with the new PCI-DSS 4.0 regulations.
If you're running a Magento store without CSP reporting, you're missing a critical security layer. Get started with Sansec Watch (free!) today to protect your customers and ensure PCI-DSS 4.0 compliance.
Read more
In this article
Easy CSP for your store?
Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.
Sansec WatchScan your store now
for malware & vulnerabilities
eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.
Learn more
