Camper BMS
Login

Payment Page Security Controls

Overview

Card data is entered directly into hosted fields or iframes provided by the campground's configured payment gateway (e.g. eWay, Square, Pin Payments, ANZ Worldline, Westpac OnlinePay). Camper BMS does not receive, transmit, or store cardholder data.

For a breakdown of which security responsibilities sit with Camper BMS, the campground, and the payment provider, see the PCI DSS Shared Responsibility Matrix.

Script Authorisation

Camper BMS deploys Content Security Policy (CSP) controls with per-request cryptographic nonces to authorise scripts and restrict third-party resources on payment pages.

Camper BMS deploys nonce-based CSP controls to restrict which scripts and third-party resources are authorised to load and execute on payment pages.

Third-party script domains are limited to configured payment providers and approved supporting services, including:

  • The campground's configured payment gateway.

  • Google Maps (for address autocomplete on booking pages).

  • Analytics providers (Google Analytics, Google Tag Manager, Facebook Pixel).

Script Inventory

A documented inventory of all scripts that load on payment pages is maintained and reviewed quarterly. The inventory records each script's source, purpose, and authorisation method.

Tamper Detection and Alerting

CSP violation reports are collected when browsers detect policy violations or blocked resources on a payment page. Violations are stored and may generate administrator alerts to support investigation and review.

Violation records are retained for 36 months, after which they are automatically deleted by a scheduled data retention job.

CSP controls may operate in staged enforcement modes during onboarding or validation of new payment provider integrations and 3-D Secure authentication flows.

Transport Security

All payment pages are served exclusively over HTTPS with TLS. HTTP Strict Transport Security (HSTS) headers are set with a one-year max-age including subdomains.

Security Headers

The following headers are applied to production responses. Some headers differ between the administrative application and the embedded booking widget, because the widget is designed to be loaded inside a merchant-controlled iframe.

Header

Application Pages

Embedded Booking Widget

Content-Security-Policy / Content-Security-Policy-Report-Only

Nonce-based policy with domain allowlisting, operating in staged enforcement modes where applicable

Per-request nonce-based policy with domain allowlisting, plus a frame-ancestors directive restricted to the campground's configured embed origins, in staged enforcement modes where applicable

Strict-Transport-Security

max-age=31536000; includeSubDomains

max-age=31536000; includeSubDomains

X-Content-Type-Options

nosniff

nosniff

X-Frame-Options

DENY

Not set - iframe embedding is required and is restricted via the CSP frame-ancestors allowlist

Referrer-Policy

strict-origin-when-cross-origin

strict-origin-when-cross-origin

Permissions-Policy

accelerometer=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), xr-spatial-tracking=()

accelerometer=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), xr-spatial-tracking=()

Cross-Origin-Opener-Policy

same-origin-allow-popups

Not set - applied to application pages only so the widget can load inside a merchant-controlled iframe

Cross-Origin-Resource-Policy

same-origin

Not set - applied to application pages only so the widget can load inside a merchant-controlled iframe

X-Permitted-Cross-Domain-Policies

none

none

Reporting-Endpoints / Report-To

CSP violation endpoint configured

CSP violation endpoint configured

Supported Payment Gateways

Gateway

Integration Method

eWay

Hosted Secure Fields

Square

Web Payments SDK (hosted fields)

Pin Payments

Hosted Fields

Westpac OnlinePay (Verifone)

Hosted checkout iframe

ANZ Worldline

Hosted tokenisation iframe

Related Documents

Related articles

Still need a hand?

Our support team is happy to help.

Contact support