Fintech Website Security & Compliance: PCI DSS, HSTS, and Magecart Prevention
Fintech security is non-negotiable: financial websites handle payment card data, bank account credentials, and personally identifiable information that attackers monetize within hours of a breach. Beyond the direct financial losses, a security incident in fintech triggers regulatory investigations, PCI DSS penalties, and the kind of press coverage that ends companies. This guide covers the full technical stack required to secure a financial website in 2026.
Scan your site in 60 seconds — it's free: ZeriFlow →
PCI DSS 4.0: What Changed and What It Means for Fintech
PCI DSS 4.0 became mandatory on March 31, 2025 (version 3.2.1 was retired). The new version introduced several requirements that directly affect web security configuration:
Requirement 6.4.3 — Script management for payment pages All JavaScript loaded on payment pages must be: - Explicitly authorized (inventory of all scripts) - Integrity-verified (Subresource Integrity hash or equivalent) - Monitored for unauthorized modification
This requirement is a direct response to Magecart attacks — JavaScript skimming attacks that inject malicious code into payment pages to steal card data client-side. A CSP with SRI hashes is the technical implementation of this requirement.
Requirement 12.3.2 — Targeted risk analysis Organizations must perform a documented targeted risk analysis for each requirement where customized implementation is used. This formalizes what was previously informal risk acceptance.
Requirement 6.3.2 — Software inventory A maintained inventory of bespoke and custom software is now required. For fintech web teams: your JavaScript dependencies are in scope.
What has not changed: - TLS 1.2 minimum, TLS 1.3 preferred (Requirement 4.2.1) - No TLS 1.0 or 1.1 in the cardholder data environment - Strong cryptography for all transmission of cardholder data - Penetration testing at least annually and after significant changes
TLS 1.3 and HSTS Preloading for Financial Sites
For fintech, TLS configuration goes beyond "install a certificate." The configuration must be verified, monitored, and documented.
TLS 1.3 specifics for fintech: - 0-RTT (zero round-trip time) session resumption should be disabled for login and payment flows — it is vulnerable to replay attacks - Perfect Forward Secrecy via ECDHE is mandatory — if your private key is compromised in the future, past sessions must remain confidential - Certificate Transparency logs must show your certificate — monitor for unauthorized certificates issued for your domain (a certificate issued by a rogue CA for your domain can enable undetected MITM attacks)
HSTS preloading — the gold standard:
HSTS headers prevent browsers from connecting to your site over HTTP even before the first HTTPS connection. But a standard HSTS header only protects users after their first visit. Preloading embeds your domain in the browser's hardcoded list:
- 1Set the header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload - 2Verify all subdomains support HTTPS (the requirement for
includeSubDomains) - 3Submit to hstspreload.org
- 4Allow 1–3 months for propagation to Chrome, Firefox, Safari, Edge
For a payment processing site, there is no acceptable reason not to be on the HSTS preload list. The risk of a user being stripped from HTTPS on first visit (SSL stripping attack) is real, and preloading eliminates it.
Content Security Policy Against Magecart
Magecart is the name for a category of attacks where malicious JavaScript is injected into e-commerce and payment pages to capture card data. Between 2022 and 2025, thousands of fintech and e-commerce sites were compromised via Magecart. The attack vector is typically:
- 1Compromise a third-party script loaded by the payment page (analytics, chat widget, A/B testing tool)
- 2The compromised script is modified to capture form inputs and exfiltrate them to an attacker-controlled domain
- 3The payment page operator is unaware because their own code is unchanged
The CSP defense:
A strict Content Security Policy prevents this by specifying exactly which scripts are allowed to execute and which domains can receive data:
Content-Security-Policy:
default-src 'self';
script-src 'self' 'sha256-HASH_OF_INLINE_SCRIPT' https://js.stripe.com;
connect-src 'self' https://api.stripe.com;
form-action 'self';
frame-ancestors 'none';
base-uri 'self';
object-src 'none';Critical directives for payment pages:
- script-src with explicit hash-based allowlisting of inline scripts (no 'unsafe-inline')
- connect-src limited to your API and explicitly approved payment processors
- form-action 'self' — form submissions cannot be redirected to external domains
- frame-ancestors 'none' — equivalent to X-Frame-Options: DENY, prevents clickjacking
Subresource Integrity for third-party scripts:
<script
src="https://cdn.example.com/analytics.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux0mRKgMDz7kNYF9kJZj5NJ0bpUK"
crossorigin="anonymous">
</script>If the script is modified on the CDN, the hash no longer matches and the browser refuses to execute it. This directly implements PCI DSS 4.0 Requirement 6.4.3.
You can verify your CSP implementation and other security headers with a ZeriFlow scan — it reports on CSP presence, HSTS configuration, and all other relevant headers in one pass.
DMARC and Email Security for Financial Domains
Business Email Compromise (BEC) targeting financial services caused $2.9 billion in losses in 2023 alone (FBI IC3). Attackers impersonate banks, payment processors, and fintech companies to redirect wire transfers and steal credentials. DMARC is the primary technical defense.
For a fintech domain, the target configuration:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; sp=reject; adkim=s; aspf=s; pct=100p=reject means emails that fail both SPF and DKIM alignment are rejected at the receiving mail server — they never reach the inbox. For a financial domain, this is the only acceptable long-term policy.
Rollout timeline:
1. Week 1–4: p=none — monitor aggregate reports, identify all sending sources
2. Week 4–8: p=quarantine; pct=10 — quarantine 10% of failing emails, verify no legitimate mail breaks
3. Week 8–12: p=quarantine; pct=100 — full quarantine
4. Week 12+: p=reject — full rejection
Never jump straight to p=reject without going through monitoring first. A misconfigured SPF record or an unlisted email sending service can cause legitimate transactional emails to be rejected.
Certificate Monitoring and WAF for Financial Sites
Certificate monitoring:
A financial site with an expired certificate is not just a bad user experience — it breaks trust at the worst possible moment and can be exploited. Certificate monitoring should alert you at: - 30 days before expiry (start renewal process) - 7 days before expiry (escalate — something is wrong) - 1 day before expiry (emergency — page on-call)
Also monitor for rogue certificates: certificates issued for your domain by unauthorized certificate authorities. Use Certificate Transparency monitoring (Facebook CT Monitor, or crt.sh alerts) to receive notifications when any new certificate is issued for your domain.
WAF considerations for fintech:
A Web Application Firewall operates at the application layer and can block: - SQL injection attempts - XSS payloads - Known bot signatures (credential stuffing bots) - Geographic restrictions (block traffic from sanctioned jurisdictions) - HTTP anomalies (malformed requests that indicate scanning tools)
Cloudflare WAF and AWS WAF are the most common choices for fintech. Important: a WAF is a detection and blocking layer, not a substitute for fixing vulnerabilities. It buys time and reduces noise, but a properly defended application should not rely on a WAF to compensate for insecure code.
Fintech Security Compliance Mapping
| Control | PCI DSS 4.0 | SOC 2 | ISO 27001 |
|---|---|---|---|
| TLS 1.2+ | Req 4.2.1 | CC6.7 | A.10.1 |
| HSTS | Req 6.3.1 | CC6.7 | A.14.1.2 |
| CSP / Script management | Req 6.4.3 | CC6.1 | A.14.2.5 |
| DMARC p=reject | — | CC6.7 | A.13.2.3 |
| Certificate monitoring | Req 4.2.1 | A1.2 | A.12.6.1 |
| WAF | Req 6.4 | CC6.6 | A.12.6 |
| Penetration testing | Req 11.4 | CC4.2 | A.18.2.3 |
FAQ
Q: Does PCI DSS apply to us if we use Stripe or PayPal for payments?
A: Using a third-party payment processor reduces your PCI scope significantly but does not eliminate it. If payment forms are hosted entirely by the processor (Stripe Checkout redirect, PayPal hosted pages), you are in SAQ A — the lightest assessment. If you use JavaScript-based card collection (Stripe.js embedded in your page), you are in SAQ A-EP, which includes the new Requirement 6.4.3 script management provisions. If you ever handle raw card data yourself, you are in SAQ D or full QSA assessment territory.
Q: How do I test my CSP without breaking the site?
A: Use Content-Security-Policy-Report-Only header first. It has the same syntax as CSP but only reports violations — it does not block anything. Deploy it for 1–2 weeks, collect the reports (set report-uri to a logging endpoint), identify everything that would be blocked, and adjust your allowlist before switching to enforcement mode.
Q: What is the difference between HSTS and HTTPS?
A: HTTPS is the encrypted connection protocol. HSTS is a browser instruction that says "only ever connect to this domain over HTTPS, even if the user types http://" — and caches that instruction for the duration of the max-age. HTTPS can be bypassed by an SSL stripping attack on first visit; HSTS preloading eliminates that window.
Q: How often should a fintech site run security scans?
A: Automated configuration scanning (TLS, headers, cookies, DNS) should run continuously or at every deployment — configuration drift happens silently when CDN rules change, headers are overwritten by new middleware, or certificate renewal fails. A tool like ZeriFlow is fast enough to run as part of a post-deployment verification pipeline.
Q: Do we need a dedicated security team for PCI DSS compliance?
A: Not necessarily. Smaller fintechs achieve PCI DSS compliance with a combination of a designated security owner (often the CTO), a compliance platform (Vanta, Drata), an external QSA for the annual assessment, and automated tooling for continuous monitoring. The key is documentation and evidence collection — PCI auditors need to see that controls are implemented and monitored, not just that they exist on paper.
Conclusion
Fintech security is a combination of rigorous configuration, continuous monitoring, and documented compliance posture. The technical controls — TLS 1.3, HSTS preloading, strict CSP, DMARC rejection, WAF, certificate monitoring — are well-understood and implementable by any competent engineering team. The challenge is maintaining them as the application evolves and as third-party dependencies change.
Start with a baseline scan to understand your current configuration across all dimensions. It takes 60 seconds and gives you a documented starting point for your compliance program.
Start your free ZeriFlow scan → — no credit card, instant results.