
DEVDOCS-6170 - [New Doc] Guide for PCI on Checkout #820

Merged: 13 commits, Feb 17, 2025

@bc-terra (Contributor) commented Feb 13, 2025

Providing a developer guide for updating custom checkout to include PCI DSS 4.0 Section 6.4.3 compliance features

DEVDOCS-6170

What changed?

  • PCI DSS 4.0 Section 6.4.3 requires the inclusion of nonce-based authentication and SRI for checkout pages
  • BigCommerce provides this functionality via updated features in control panel settings and Open Checkouts
  • This provides a guide for developers for the use of the functionality.

Release notes draft

  • Created new guide for setting up PCI compliant features on checkout

Anything else?

SME review waived by GTM team.
Navigation update to be requested and managed separately.

ping {names}

@bc-0dp (Contributor) left a comment

I have no real comments, and I think it looks great. One thing I notice, though, is that the URL is open-checkouts (plural) but the navigation in the dev docs is singular (open-checkout).

Don't think it's that important, but it caught my eye.

- Remove extra space
- Change "Channel Manager" to "Channels"
@bc-terra bc-terra added the ready for review This PR is complete and awaiting a review. label Feb 14, 2025
@bc-traciporter (Collaborator) left a comment

@bc-terra good technical article. I made some editorial suggestions.
The style guide specifies to use control panel, not Control Panel.

I had ChatGPT review it as well. Maybe you can talk to the team about the feedback and, if it is needed, incorporate it later. The feedback was the following:

  • In Step 2, it assumes there is prior knowledge about how the openssl command works. Consider adding a brief explanation of what openssl is doing.
  • In Step 4, you might want to add a clarification that nonce values are dynamically generated for each request and should not be hardcoded. Also explain why nonce-based authorization is required under PCI DSS 4.0.

@bc-terra (Contributor, Author)

  • In Step 2, it assumes there is prior knowledge about how the openssl command works. Consider adding a brief explanation of what openssl is doing.
  • In Step 4, you might want to add a clarification that nonce values are dynamically generated for each request and should not be hardcoded. Also explain why nonce-based authorization is required under PCI DSS 4.0.

Added reference for OpenSSL command line to the links, as this doc does assume some level of knowledge, but resources are always helpful.

Added statement about purpose of nonce-based authorization with respect to PCI 4.0 and a callout that values are randomly generated and not to be stored.

@bc-traciporter (Collaborator) left a comment

Nice work @bc-terra

@bc-terra bc-terra merged commit dfaef03 into main Feb 17, 2025
3 checks passed
@bc-terra bc-terra deleted the bc-terra-patch-2 branch February 17, 2025 18:59