To protect sensitive payment information and maintain PCI DSS compliance, forms that include payment questions have additional security controls. These protections prevent unauthorized scripts from capturing or tampering with payment data.

Note! The security measures described here only apply to forms that include payment questions. Forms without payment functionality are not affected by these measures.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is the set of compliance requirements for handling payment card information, and it is designed to keep sensitive payment data protected.
Why are these security measures required?
These controls prevent malicious scripts from accessing payment information, a type of attack often referred to as e-skimming, and ensure the security of both form creators and respondents during sensitive payment processing.
They also meet mandatory PCI DSS requirements, including requirement 6.4.3 (managing and authorizing scripts on payment pages) and requirement 11.6.1 (detecting unauthorized changes on payment pages). Learn more about these requirements on the PCI Security Standards website.
How do these security measures work?
Forms that collect payment information enforce a Content Security Policy (CSP). This security layer automatically blocks any script that has not been explicitly approved by the security team at Typeform from running on the payment page. Only verified scripts necessary for payment processing, form functionality, and official Typeform integrations can run.
What scripts still work in forms that include a payment question
Official Typeform integrations function as intended, including Google Analytics and Facebook Pixel. Scripts from recognized, authorized providers may continue to load. However, we recommend testing your form to verify this.
What scripts may be blocked in forms that include a payment question
Any external scripts from unrecognized providers, custom code snippets, or third-party modifications that rely on direct JavaScript injection will likely be blocked by the CSP layer and will not run.
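To make the allow-or-block decision above concrete, here is an added example (not Typeform's code, and not its real policy) that evaluates a CSP script-src directive against script URLs the way a browser does for host sources. The sample policy, the page origin form.example and the script paths are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample policy for illustration only; it is not Typeform's real CSP.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.google-analytics.com https://connect.facebook.net; "
    "report-uri /csp-report"
)
PAGE_ORIGIN = "https://form.example"  # assumed origin of the payment page

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """CSP host matching: exact host, or '*.example.com' for any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def script_allowed(csp_header, script_url, page_origin=PAGE_ORIGIN):
    """Return True if script_url may load under script-src (or default-src).

    Handles 'self', scheme sources (https:) and host sources; keyword,
    nonce and hash sources are skipped, so inline scripts are not modelled.
    """
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src", []))
    script, page = urlparse(script_url), urlparse(page_origin)
    for src in (s.lower() for s in sources):
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-inline', 'nonce-...', 'sha256-...'
        elif src.endswith(":"):
            if script.scheme + ":" == src:
                return True
        else:
            allowed = urlparse(src if "://" in src else "//" + src)
            if allowed.scheme and allowed.scheme != script.scheme:
                continue  # an explicit scheme in the source must match
            if host_matches(allowed.hostname or "", script.hostname or ""):
                return True
    return False  # nothing matched: the browser blocks the script and reports it
```

Any script for which this returns False would be blocked on the payment page and, with report-uri set, reported to the configured endpoint, which is the kind of change detection requirement 11.6.1 asks for.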