Why do some payment methods allow being embedded in an iframe and some don't?
emmalee last edited by
Let's take some examples:
- PayPal, Apple Pay (examples via Saferpay) - will not load in an iFrame
- Visa Checkout, Stripe (example), Saferpay (link above) - credit card data can be input in an iFrame
Is there any technical/security reason why payment service providers differ in their approach to restricting iframe usage for credentials/payment information input? Or is this simply a difference in risk management (and its supporting technologies for fraud prevention), a business decision, or maybe a legacy (and non-secure) integration architecture?
One contributing factor may be that PCI SSC rewards use of iframes by granting SAQ A status to merchants who use it, lowering the number of audit requirements down to a bare minimum. That would explain why you see it more commonly with credit cards, although as @Bobson pointed out many alternative payments also support iframes.