Why do some payment methods allow being embedded in an iframe and some don't?



  • Let's take some examples:

    1. PayPal, Apple Pay (examples via Saferpay) - will not load in an iframe
    2. Visa Checkout, Stripe (example), Saferpay (link above) - credit card data can be input in an iframe

    Is there any technical/security reason why payment service providers differ in their approach to restricting iframe usage for credentials/payment information input? Or is this simply a difference in risk management (and its supporting technologies for fraud prevention), a business decision, or maybe a legacy (and non-secure) integration architecture?



  • One contributing factor may be that PCI SSC rewards use of iframes by granting SAQ A status to merchants who use it, lowering the number of audit requirements down to a bare minimum. That would explain why you see it more commonly with credit cards, although as @Bobson pointed out many alternative payments also support iframes.


