
Google Pay inside sandboxed iframe for PCI DSS v4 compliance

Blog post from Google Cloud

Post Details
Company: Google Cloud
Author: Dominik Mengelt and Matthew Class
Word Count: 502
Language: English
Summary

PCI DSS v4 adds explicit requirements for scripts running on payment pages (requirement 6.4.3): every script loaded into the checkout page must be authorized, its integrity must be assured, and an inventory of scripts with a justification for each must be maintained. Subresource Integrity (SRI) is the usual way to assure a script's integrity, but it is not workable for Google Pay's pay.js, because the file is continuously rebuilt and redeployed, so there is no stable hash to pin. The post's alternative is to load Google Pay inside a sandboxed iframe: the sandbox keeps the script out of the parent page's DOM, so it cannot read or modify the checkout form, which is what the requirement is protecting. The iframe carries the sandbox attribute with the values allow-scripts, allow-popups, allow-same-origin, and allow-forms. One caveat a practitioner should keep in mind: allow-same-origin combined with allow-scripts only isolates the frame if the framed document is served from a different origin than the checkout page; on the same origin the framed script could reach the parent document. Shopify implemented this integration and passed its PCI DSS v4 audit with it. Merchants who adopt the same pattern can keep a secure and compliant checkout, and can reach Google through the Google Pay & Wallet Console or the developer community channels for support.
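The following is an added example, not code from the Google Cloud post or from Google Pay's own integration. It shows the parent-page side of the pattern described above: building the iframe with the sandbox tokens the post lists, checking that those tokens actually isolate the framed script (the allow-same-origin plus allow-scripts combination is only safe on a separate origin), and accepting messages from the frame only when they come from the expected origin. The frame URL, the parent URL, and the message shape (`payment-token`) are assumptions for illustration; Google Pay's real frame contents and messaging are not shown here.

```javascript
// Added example (not from the post). Parent-page helpers for hosting a payment
// script such as pay.js inside a sandboxed iframe. The frame path, the origins
// and the message format are assumptions made for this example.

// Sandbox tokens the post lists for the Google Pay frame.
const PAYMENT_SANDBOX = ['allow-scripts', 'allow-popups', 'allow-same-origin', 'allow-forms'];

// Build the iframe markup. A src URL is used rather than srcdoc on purpose:
// a srcdoc frame inherits the parent's origin, which would defeat the isolation.
function buildPaymentIframe(frameUrl, tokens = PAYMENT_SANDBOX) {
  const src = new URL(frameUrl).toString(); // throws on a malformed URL
  const sandbox = tokens.join(' ');
  return `<iframe src="${src}" sandbox="${sandbox}" ` +
    'referrerpolicy="strict-origin-when-cross-origin"></iframe>';
}

// Decide whether the sandbox really keeps the framed script away from the
// parent DOM. allow-same-origin together with allow-scripts is only safe when
// the frame document comes from a different origin than the checkout page: on
// the same origin the script can reach window.parent.document (and could even
// strip the sandbox attribute from its own frame).
function checkSandboxIsolation(tokens, frameUrl, parentUrl) {
  const frameOrigin = new URL(frameUrl).origin;
  const parentOrigin = new URL(parentUrl).origin;
  const problems = [];
  if (!tokens.includes('allow-scripts')) {
    problems.push('the payment script cannot run without allow-scripts');
  }
  if (tokens.includes('allow-same-origin') && tokens.includes('allow-scripts') &&
      frameOrigin === parentOrigin) {
    problems.push('allow-same-origin on a same-origin frame gives the script parent DOM access');
  }
  if (tokens.includes('allow-top-navigation')) {
    problems.push('allow-top-navigation lets the frame navigate the checkout page away');
  }
  return { isolated: problems.length === 0, problems };
}

// Parent-side handler for messages the frame posts back (assumed shape:
// { type: 'payment-token', token: '...' }). Messages from any other origin,
// or with an unexpected shape, are dropped and null is returned.
function handleFrameMessage(event, expectedFrameOrigin) {
  if (event.origin !== expectedFrameOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'payment-token' || typeof data.token !== 'string') return null;
  return data.token;
}

// Usage with constructed values (checkout on shop.example.com, frame on a
// separate origin pay.example.com).
const FRAME_URL = 'https://pay.example.com/gpay-frame.html';
const CHECKOUT_URL = 'https://shop.example.com/checkout';
const report = checkSandboxIsolation(PAYMENT_SANDBOX, FRAME_URL, CHECKOUT_URL);
if (report.isolated) {
  console.log(buildPaymentIframe(FRAME_URL));
} else {
  console.log('refusing to embed:', report.problems.join('; '));
}
```

In a browser the parent would wire `handleFrameMessage` to `window.addEventListener('message', e => { const token = handleFrameMessage(e, 'https://pay.example.com'); ... })`, so that a token is only accepted from the frame's own origin; the isolation check is the kind of assertion worth running in a test suite so that a later change to the frame's hosting (for example moving it onto the checkout domain) fails the build rather than silently weakening the sandbox.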