← Back to Baseline

MB-R087

Payment page script inventory maintained

C12 Third‑party Config Security High

Every script loaded on payment pages should be inventoried with its source, owner, business justification, and authorization status. Untracked third-party scripts are a major source of Magecart-style compromise. Enumerate checkout layout XML, templates, CMS blocks, CSP whitelists, and rendered payment pages to build an auditable script inventory.

Why it Matters

Checkout scripts can read or influence payment-page behavior. Unknown scripts loaded on checkout create risk of payment skimming, data leakage, broken CSP rules, and uncontrolled third-party changes.

A maintained script inventory gives teams a reviewable list of what runs on payment pages, why it is needed, who owns it, and whether it is approved.

Verification Steps

Checkout script capture

# Open checkout and list loaded script sources in browser DevTools
# Compare domains and files against the approved script inventory

Code/config review

grep -RIE "<script|requirejs-config|x-magento-init" app/code app/design 2>/dev/null

Remediation / Fix Guidance

  1. Create an inventory of checkout/payment-page scripts with owner, purpose, domain, and approval status.
  2. Remove scripts that are not needed on checkout.
  3. Review third-party tags loaded through tag managers.
  4. Require approval before adding checkout scripts.
  5. Keep inventory evidence with PCI readiness documentation.

Examples

Fail Example
Checkout loads analytics, chat, A/B testing, and unknown CDN scripts with no owner record.
# No inventory → FAIL
Pass Example
checkout-scripts.md lists gateway SDK, fraud tool, owner, source URL, and approval date.
# Inventory maintained → PASS

References