Payment Page Security Controls
Overview
Card data is entered directly into hosted fields or iframes provided by the campground's configured payment gateway (e.g. eWay, Square, Pin Payments, ANZ Worldline, Westpac OnlinePay). Camper BMS does not receive, transmit, or store cardholder data.
For a breakdown of which security responsibilities sit with Camper BMS, the campground, and the payment provider, see the PCI DSS Shared Responsibility Matrix.
Script Authorisation
Camper BMS deploys Content Security Policy (CSP) controls with per-request cryptographic nonces to authorise scripts and restrict third-party resources on payment pages.
Camper BMS deploys nonce-based CSP controls to restrict which scripts and third-party resources are authorised to load and execute on payment pages.
Third-party script domains are limited to configured payment providers and approved supporting services, including:
The campground's configured payment gateway.
Google Maps (for address autocomplete on booking pages).
Analytics providers (Google Analytics, Google Tag Manager, Facebook Pixel).
Script Inventory
A documented inventory of all scripts that load on payment pages is maintained and reviewed quarterly. The inventory records each script's source, purpose, and authorisation method.
Tamper Detection and Alerting
CSP violation reports are collected when browsers detect policy violations or blocked resources on a payment page. Violations are stored and may generate administrator alerts to support investigation and review.
Violation records are retained for 36 months, after which they are automatically deleted by a scheduled data retention job.
CSP controls may operate in staged enforcement modes during onboarding or validation of new payment provider integrations and 3-D Secure authentication flows.
Transport Security
All payment pages are served exclusively over HTTPS with TLS. HTTP Strict Transport Security (HSTS) headers are set with a one-year max-age including subdomains.
Security Headers
The following headers are applied to production responses. Some headers differ between the administrative application and the embedded booking widget, because the widget is designed to be loaded inside a merchant-controlled iframe.
Header | Application Pages | Embedded Booking Widget |
|---|---|---|
Content-Security-Policy / Content-Security-Policy-Report-Only | Nonce-based policy with domain allowlisting, operating in staged enforcement modes where applicable | Per-request nonce-based policy with domain allowlisting, plus a |
Strict-Transport-Security |
|
|
X-Content-Type-Options |
|
|
X-Frame-Options |
| Not set - iframe embedding is required and is restricted via the CSP |
Referrer-Policy |
|
|
Permissions-Policy |
|
|
Cross-Origin-Opener-Policy |
| Not set - applied to application pages only so the widget can load inside a merchant-controlled iframe |
Cross-Origin-Resource-Policy |
| Not set - applied to application pages only so the widget can load inside a merchant-controlled iframe |
X-Permitted-Cross-Domain-Policies |
|
|
Reporting-Endpoints / Report-To | CSP violation endpoint configured | CSP violation endpoint configured |
Supported Payment Gateways
Gateway | Integration Method |
|---|---|
eWay | Hosted Secure Fields |
Square | Web Payments SDK (hosted fields) |
Pin Payments | Hosted Fields |
Westpac OnlinePay (Verifone) | Hosted checkout iframe |
ANZ Worldline | Hosted tokenisation iframe |
Related Documents
Related articles
Still need a hand?
Our support team is happy to help.
Contact support