facebook noscript

iFrames for E-Commerce Security

February 23, 2022
iFrames for E-Commerce Security

What is an iFrame?

According to the Payment Card Industry (PCI) Security Standards Council’s (SSC) guide to “Best Practices for Securing E-commerce,” an iFrame (or Inline Frame) is a secure method of embedding content from one webpage into another webpage.

For security purposes, modern iFrames have a “sandbox” capability that isolates the embedded frame’s content to ensure that its contents are not accessible to anyone, even the hosting website, and cannot be manipulated via exploits or by malicious individuals.

iFrames for E-Commerce

In the world of e-commerce, iFrames make it possible for merchants to embed payment service provider (PSP) iFrames on their websites. During the merchant’s checkout process, the PSP receives all of the customer’s cardholder data, while the merchant does not and cannot see or access it.

Here is how the iFrame process works:

  1. A merchant embeds a PSP iFrame in its webpage.
  2. A customer requests a PSP payment form via the iFrame.
  3. The PSP sends the payment form directly to the customer via the iFrame.
  4. The customer enters payment details into the PSP’s form.
  5. The PSP receives the payment details directly from the customer.
  6. The PSP requests payment authorization on behalf of the merchant and the customer.

Compare this to the significantly increased risk to merchants when they accept payment data directly, such as via the Direct Post Method or API.

iFrame Security

iFrames improve security by leveraging the Same-Origin Policy, enforced by all modern web browsers. It restricts how a document or script loaded by one origin – a URL with the same “tuple” of protocol, port, and host – can interact with a resource from another origin. Thus, documents and scripts from different origins cannot interact unless explicitly authorized to do so.

The Same-Origin Policy isolates and prevents (potentially malicious) scripts on the merchant website from interacting with third-party content and communications, such as a PSP payment form inside the iFrame. In turn, this makes it difficult for an attacker, who may possess some level of control over the merchant’s website, to read or steal cardholder data.

Merchants that implement an iFrame solution for e-commerce gain significant marketplace advantages, and not merely in terms of security and privacy. They may also be eligible to assess their compliance using a reduced list of controls identified in the PCI DSS SAQ and Attestation of Compliance because most PCI DSS requirements are outsourced to the PSP. Merchants can ask their acquirer (merchant bank) and the payment brands whether they must validate their PCI DSS compliance and according to which reporting method.

In this e-commerce scenario, the PSP performs the lion’s share of cardholder data security on behalf of the merchant, both for data at rest and in transit. Therefore, PCI DSS strongly recommends that merchants ensure their PSP is validated as a PCI DSS-compliant service provider. This will also enable an easier route to PCI DSS compliance for the merchant.

Merchant Impact

For merchants, a payments architecture built on top of iFrames has numerous benefits:

  • Payment card data is never collected, stored, processed, or transmitted.
  • Lower PCI DSS scope.
  • Fewer applicable PCI DSS requirements.
  • Fewer systems need security controls.
  • Fewer information security threats.
  • Lower risk of system compromise.
  • iFrames are easy to implement.

iFrames also offer a better customer payment experience: they have a better “look and feel” than redirect payment methods because the payment page matches existing website design, and the customer remains on the merchant website throughout their shopping experience.

Don't miss the next Developer Office Hours with our CTO

Join Us

Advanced Threats

However, just because a technology is useful does not mean that cybercriminals give up or stop evolving. Information security researchers have discovered some cases in which attackers could gain access to a merchant’s website and then modify the website’s scripts to inject a skimmer script into the hosted iframe. The result is a stealthy attack in which both the merchant and the attacker receive the payment data. Because the transaction is still successful, this type of attack can be hard to discover.

In this attack scenario, the merchant is still responsible for any stolen personally identifiable information (PII), as well as the resulting fines. Merchants must also adhere to other security best practices and controls to reduce e-commerce risk. To defeat a truly determined attacker, they should use some combination of unique user IDs, effective passwords, authentication, system hardening, vulnerability management, monitoring, alerting, and more.

For many merchants, however, mastering the art and science of information security – on top of growing their business – is a lot to ask. Therefore, to strengthen their iFrame implementation, the PCI guide to “Best Practices for Securing E-commerce” also recommends that merchants consider using additional layers of information security, which are often made available by their PSP. Such tools and controls should detect and report suspicious transactions or unusual activity that may be indicators of compromise, and they should be configurable.

iFrames + VGS

To protect its clients, VGS leverages the incredible power of iframes. Our Collect.js JavaScript library allows you to securely collect data via any form, adhering to security requirements like PCI DSS, HIPAA, GDPR, and CCPA. To make it even easier, VGS customers do not need to implement an iFrame themselves but merely use a VGS loader that specifies a secure iFrame for them.

However, iFrames are only one game-changing technology that VGS offers. Our solutions allow you to collect, protect, and exchange sensitive data with ease:
1. Collect

  • VGS provides multiple methods to collect sensitive data securely.
  • Sensitive data never touches customer systems.
  • Secure web form Collect.js handles HTTPS, SFTP, edge integrations.
  • Native iOS and Android SDKs, Vault API, third party integrations like Netlify.

2. Protect

  • Intercept data as it flows to your servers.
  • Redact sensitive data and replace it with an alias.
  • Your company operates on aliases just like real, original data.
  • Your company offloads liability and removes the risk of data breach.
  • VGS Vault holds original data in its secure environment, with tightly controlled access.

3. Exchange

  • On outbound requests, VGS transforms aliases back to their original values.
  • In real-time, a destination endpoint receives the original data.
  • Filters and operations protect the data from your application to its destination.
  • Dynamic routing services enable switching between multiple third parties.

Thus, VGS solutions minimize the risk of a data breach, take your company out of regulatory scope, and set your company on a path to security, privacy, and compliance.

Click here for a free demo of VGS solutions.

Ken Geers Kenneth Geers, PhD

Information Security Analyst at VGS


You Might also be interested in...


Public Statement on Ukraine War

Chuck Yu February 24, 2022

Using gRPC, and WASM to transform data inside Envoy Proxy

Using gRPC and WASM to Transform Data Inside Envoy Proxy

Marshall Jones
Fang-Pen Lin
February 16, 2022

How Merchants Are Making Payments a Competitive Advantage

How Merchants Are Making Payments a Competitive Advantage

Jordan McKee February 10, 2022