PCI scan warnings about ShopWired theme cookies
Cookies used by ShopWired themes
ShopWired themes use a small number of cookies to support front-end functionality on your website. These cookies are non-sensitive and contain no personal or payment-related information. They exist purely to enable features that depend on browser-side data, such as displaying recently viewed products or maintaining a visitor’s wishlist.
recently_viewed_products
The recently_viewed_products cookie stores a list of product IDs that a visitor has viewed while browsing the website. It allows the theme’s JavaScript to display a “Recently Viewed Products” section to that visitor.
Purpose
To display a list of recently viewed products in the storefront.
Contents
A small array of product IDs only. No names, prices, or customer information is stored.
Accessibility
This cookie must be readable by JavaScript in the theme, so it cannot be marked HttpOnly. Doing so would prevent the “Recently Viewed Products” feature from working.
Security flags
- The Secure flag is automatically added when the website enforces HTTPS, ensuring that the cookie is only transmitted over encrypted connections.
- The cookie is considered non-sensitive because it stores only anonymous product identifiers.
PCI compliance justification
The recently_viewed_products cookie is not a session, authentication, or personal data cookie. It is purely functional and non-sensitive.
It must remain accessible to JavaScript to support storefront functionality. Because of this, it cannot be marked HttpOnly.
The Secure flag ensures it is never transmitted in plain text, and therefore it poses no PCI DSS compliance or data protection risk.
wishlist
The wishlist cookie performs a similar role, allowing the theme to maintain a list of products that a visitor adds to their wishlist.
Purpose
To store a visitor’s wishlist product IDs between page loads.
Contents
An array of product IDs only. No user identifiers, names, or session data.
Security flags
- The Secure flag is automatically added when the website enforces HTTPS.
- The cookie is not HttpOnly because it must be accessible to JavaScript to render the wishlist correctly in the storefront.
PCI compliance justification
As with the recently_viewed_products cookie, this cookie is non-sensitive and essential for theme-level functionality. It is compliant with PCI DSS standards as it carries no personal or payment data, and is transmitted securely over HTTPS.
If your PCI scan fails because of these cookies
Some automated PCI vulnerability scanners flag cookies that are not marked HttpOnly or Secure by default.
These warnings do not automatically indicate a security risk — the scanners are unable to determine whether a cookie contains sensitive data or not.
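As an added example (not ShopWired's own code), the small Python triage script below applies the reasoning above to a storefront's Set-Cookie headers: the two documented functional cookies are treated as expected only when they carry the Secure flag and hold nothing but a product-ID array, while any other cookie missing Secure or HttpOnly is marked for review. The cookie names are taken from this page; the sample headers are constructed.

```python
import json
from urllib.parse import unquote

# Cookies this help page documents as functional, non-sensitive and readable by
# theme JavaScript by design; a missing HttpOnly flag on these is expected.
JS_READABLE_FUNCTIONAL = {"recently_viewed_products", "wishlist"}

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, URL-decoded value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": unquote(value), "attrs": attrs}

def is_product_id_list(value: str) -> bool:
    """True only if the value is a JSON array of integers (anonymous product IDs)."""
    try:
        data = json.loads(value)
    except ValueError:
        return False
    return isinstance(data, list) and all(isinstance(x, int) and not isinstance(x, bool) for x in data)

def triage(set_cookie_headers: list) -> dict:
    """Map each cookie name to 'expected: ...' or 'review: ...' for a scanner finding."""
    verdicts = {}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        secure = "secure" in c["attrs"]
        if c["name"] in JS_READABLE_FUNCTIONAL:
            if not secure:
                verdicts[c["name"]] = "review: Secure flag missing (is HTTPS enforced?)"
            elif not is_product_id_list(c["value"]):
                verdicts[c["name"]] = "review: value is not a plain product-ID array"
            else:
                verdicts[c["name"]] = "expected: functional cookie, JS-readable by design"
        elif not (secure and "httponly" in c["attrs"]):
            verdicts[c["name"]] = "review: undocumented cookie without Secure and HttpOnly"
        else:
            verdicts[c["name"]] = "expected: Secure and HttpOnly set"
    return verdicts

# Constructed sample headers (not captured from a real storefront).
SAMPLE_HEADERS = [
    "recently_viewed_products=%5B101%2C205%2C9%5D; Path=/; Secure; SameSite=Lax",
    "wishlist=%5B42%5D; Path=/",
    "session_id=abc123; Path=/; Secure",
]
```

Run triage(SAMPLE_HEADERS) against the headers your own scanner reported to separate the expected findings from ones that genuinely need attention.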
If your PCI scan fails due to recently_viewed_products or wishlist cookies, you should provide the following response to your PCI assessor or scanning company:
The recently_viewed_products and wishlist cookies are functional cookies used by our ecommerce platform (ShopWired) to provide theme-level features such as “Recently Viewed Products” and “Wishlist”. These cookies store only non-sensitive product IDs and contain no personal, authentication, or payment-related data.
They are intentionally accessible to JavaScript because they are required for front-end functionality in the website’s theme. Applying the HttpOnly flag would break this functionality. The Secure flag is applied on all HTTPS-enforced websites, ensuring that the cookies are only transmitted over encrypted connections.
These cookies therefore present no PCI DSS compliance or security risk. For more information consult https://help.shopwired.io/guide/pci-scan-warnings-about-shopwired-theme-cookies.
What happens next
Once you provide this explanation, the PCI assessor will usually mark the finding as informational or false positive and pass the scan.
You do not need to make any changes to your ShopWired account or theme.
Summary
These cookies are used exclusively for front-end functionality and contain no personal or sensitive data.
ShopWired applies the Secure flag wherever HTTPS is enforced, ensuring all data is transmitted safely.
If a PCI scan flags them, you can safely explain that they are non-sensitive, functional cookies required for theme operation, and they do not represent a security vulnerability.