
You have 2 weeks left to set up CSP for your store


by Sansec Forensics Team

Published in Threat Research − March 17, 2025

Use of Content Security Policy (CSP) is increasing as PCI-DSS 4.0 goes live on April 1st. However, our research shows that most online stores have not enabled CSP reporting, and without reporting CSP does not deliver the script monitoring the new PCI requirements ask for.


The PCI-DSS 4.0 requirements that become mandatory after March 31st, 2025 (requirement 6.4.3 on managing the scripts loaded on payment pages, and 11.6.1 on detecting unauthorized changes to payment page content and HTTP headers) oblige merchants to monitor scripts on their payment pages to prevent digital skimming attacks*. The standard does not name a technology; Content Security Policy (CSP) with violation reporting is a free way to meet it and an alternative to costly commercial solutions.

*PCI-DSS requires either script monitoring or an alternative solution as confirmed by your payment processor.

Key findings

Sansec has been tracking the largest 400K stores globally since 2015. Our latest analysis reveals:

  • Magento leads adoption: 38% of Magento stores use CSP, far ahead of other platforms
  • Reporting gap: While CSP usage goes up, only 13% have reporting enabled - a critical requirement for PCI-DSS 4.0

CSP usage per shopping platform

Curiously, the hosted (SaaS) platforms Shopify and Squarespace do not use CSP at all for their stores. BigCommerce supports it, but the majority of BigCommerce CSP setups are misconfigured.

Magento CSP adoption over time

These stats show the adoption of CSP for Magento, which is clearly fueled by Adobe pushing CSP usage for Magento 2.4.

Use of CSP reporting per platform

CSP can and should be configured to send violation reports to a collecting service, which can escalate anomalies to a store manager. Without reporting, CSP only blocks whatever its allowlist happens to exclude: nobody learns that an injection was attempted, a skimmer that slips inside the allowlist goes unnoticed, and no change detection takes place. For PCI-DSS 4.0 purposes, CSP without reporting has little value.

This graph shows the percentage of stores that have CSP reporting enabled per platform. OpenCart leads, possibly because it has a built-in CSP reporting tool.

CSP Reporting Solutions

In our research, running a custom monitoring service is the most popular solution, followed by Sansec Watch (free) and Report-URI. Using an external service is recommended, as it can combine data across sites to separate genuine anomalies from the noise that browser extensions and misbehaving third-party scripts generate on every store.
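The collector side of what the two paragraphs above describe, as an added example that is not Sansec's or Sansec Watch's code: it emits a payment-page policy with both reporting directives, normalises the two report formats browsers POST (the legacy `application/csp-report` body and the Reporting API `application/reports+json` batch), triages each violation for skimming indicators, and aggregates the stream so repeated noise collapses into one line. The store hostname, the payment-provider host, the collector URL and the sample reports are all constructed for illustration.

```python
"""CSP for a payment page: emit the policy with reporting enabled, then
parse and triage the violation reports that browsers send back.

Added example (not Sansec's or Sansec Watch's code). The shop hostname,
the payment-provider host, the collector URL and the sample reports are
constructed for illustration.
"""
import json
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

SITE_HOST = "shop.example"                          # assumed store hostname
THIRD_PARTY_SCRIPT_HOSTS = ["js.payments.example"]  # assumed payment-provider JS
ALLOWED_HOSTS = {SITE_HOST, *THIRD_PARTY_SCRIPT_HOSTS}
COLLECTOR_URL = "https://csp.example/report"        # hypothetical collector
# Browser extensions trigger violations that have nothing to do with the page.
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension",
                     "safari-extension", "safari-web-extension")


def build_csp_headers(report_only=False):
    """Response headers for the payment page. Both report-uri (legacy) and
    report-to (Reporting API) are emitted so old and new browsers deliver
    reports. Start report-only to learn the legitimate sources, then enforce."""
    script_src = " ".join(["'self'", *(f"https://{h}" for h in THIRD_PARTY_SCRIPT_HOSTS)])
    policy = ("default-src 'self'; "
              f"script-src {script_src}; "
              "object-src 'none'; base-uri 'self'; form-action 'self'; "
              f"report-uri {COLLECTOR_URL}; report-to csp-endpoint")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: policy, "Reporting-Endpoints": f'csp-endpoint="{COLLECTOR_URL}"'}


@dataclass(frozen=True)
class Violation:
    document_url: str
    directive: str     # effective directive, e.g. "script-src-elem"
    blocked_url: str   # a URL, or "inline" / "eval" for non-URL sources
    disposition: str   # "enforce" or "report"


def parse_report(content_type, body):
    """Normalise the two wire formats a collector receives:
    application/csp-report (legacy report-uri, one report per POST) and
    application/reports+json (Reporting API, a batch of mixed report types)."""
    data = json.loads(body)
    if content_type.startswith("application/csp-report"):
        r = data["csp-report"]
        return [Violation(r.get("document-uri", ""),
                          r.get("effective-directive") or r.get("violated-directive", ""),
                          r.get("blocked-uri", ""), r.get("disposition", "enforce"))]
    if content_type.startswith("application/reports+json"):
        # The batch multiplexes report types; keep only CSP violations.
        return [Violation(b.get("documentURL", ""), b.get("effectiveDirective", ""),
                          b.get("blockedURL", ""), b.get("disposition", "enforce"))
                for item in data if item.get("type") == "csp-violation"
                for b in [item.get("body", {})]]
    raise ValueError(f"unexpected report content type: {content_type}")


def triage(v):
    """Classify one violation from a payment page."""
    parsed = urlparse(v.blocked_url)
    if parsed.scheme in EXTENSION_SCHEMES:
        return "ignore"                             # extension, not the page
    unknown_host = bool(parsed.hostname) and parsed.hostname not in ALLOWED_HOSTS
    if v.directive.startswith("script-src"):
        # A script from an unlisted host or injected inline is the classic
        # skimmer loader; a blocked first-party script is a policy bug to review.
        return "alert: unexpected script" if unknown_host or v.blocked_url in ("inline", "eval") else "review"
    if v.directive in ("connect-src", "form-action", "img-src") and unknown_host:
        return "alert: possible exfiltration"      # skimmers beacon card data out
    return "review"


def summarize(violations):
    """Collapse a stream of reports into (verdict, directive, host) counts, so one
    injected host seen across thousands of page views becomes a single line."""
    return Counter((triage(v), v.directive, urlparse(v.blocked_url).hostname or v.blocked_url)
                   for v in violations)


# Constructed sample reports in both formats (not real captures).
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": f"https://{SITE_HOST}/checkout", "effective-directive": "script-src-elem",
    "blocked-uri": "https://cdn.static-assets.example/loader.js", "disposition": "enforce"}}).encode()
REPORTING_API_BATCH = json.dumps([
    {"type": "csp-violation", "age": 12, "url": f"https://{SITE_HOST}/checkout",
     "body": {"documentURL": f"https://{SITE_HOST}/checkout", "effectiveDirective": "script-src-elem",
              "blockedURL": "chrome-extension://abcdef/content.js", "disposition": "enforce"}},
    {"type": "csp-violation", "age": 3, "url": f"https://{SITE_HOST}/checkout",
     "body": {"documentURL": f"https://{SITE_HOST}/checkout", "effectiveDirective": "connect-src",
              "blockedURL": "https://collect.stats-cdn.example/p", "disposition": "enforce"}},
    {"type": "deprecation", "age": 1, "url": f"https://{SITE_HOST}/", "body": {}},
]).encode()


def demo():
    """Run both samples through the collector and return the aggregated verdicts."""
    violations = parse_report("application/csp-report", LEGACY_REPORT)
    violations += parse_report("application/reports+json; charset=utf-8", REPORTING_API_BATCH)
    return summarize(violations)


if __name__ == "__main__":
    for (verdict, directive, host), n in sorted(demo().items()):
        print(f"{n:4d}  {verdict:28s} {directive:16s} {host}")
```

Two design points carry over to a real deployment. Ship the policy as `Content-Security-Policy-Report-Only` first, so the reports tell you which legitimate sources the allowlist is missing before a broken checkout does; then switch to the enforcing header. And keep both `report-uri` and `report-to` (with the matching `Reporting-Endpoints` header) until every browser your customers use supports the Reporting API, because a report that is never delivered is the same as no reporting at all.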

What to do?

If you are not using CSP for your store yet, you should start now. It's free and it's easy to implement when you use an external service.

If you are already using CSP, make sure to enable reporting. Otherwise nobody is told when a script is blocked or injected on your payment page, and CSP does not give you the change detection that PCI-DSS 4.0 requires.

If you're running a Magento store without CSP reporting, you're missing a critical security layer. Get started with Sansec Watch (free!) today to protect your customers and ensure PCI-DSS 4.0 compliance.
