One more nail in the coffin for iFrames?

One more nail in the coffin for iFrames?

By Natasja Bolton, Senior Acquirer Support

Businesses like the iFrame method as it allows them to entirely outsource the capture and processing of cardholder data. The data is outsourced to a validated Payment Card Industry Data Security Standard (PCI DSS) compliant Payment Service Provider (PSP).


From a consumer perspective it offers a streamlined checkout process and appears that they never left the website where they are making their purchase, from the ecommerce business’s perspective it offers an easier PCI DSS compliance route.


In a previous article entitled The end of the road for Ecommerce iFrames? we  wrote about the release of new European Guidelines for the Security of Internet Payments


These guidelines included a recommendation that implied the use of iFrames to present the PSP’s hosted payment page was no longer acceptable because it is not possible for consumers to identify when they are communicating with the PSP.  As a result, Sysnet suggested that this could be the end of the road for ecommerce iFrames.


A new iFrame man-in-the middle attack

Last week a new method of attack against ecommerce iFrame payment page implementations emerged that further highlights the risks of hosted payment pages. Is this attack one more nail in the coffin for iFrame use?


The iFrame breach was complex involving compromise of the merchant website, the introduction of malware and access to the website’s database.  The attacker was able to manipulate the website’s interaction with the payment service provider (PSP), the instantiation of the iFrame and generation of the unique transaction ID. 


A consumer accessing the breached ecommerce site was presented with an apparently legitimate iFrame of the PSPs’ payment page and able to submit their card details, unaware that the attacker had appended JavaScript and was capturing their payment card data. The only indication of anything untoward was that the consumer’s first submission ‘disappeared’ and they were presented with the (now legitimate) iFrame again.


Insecure websites can leave cardholder data compromised, regardless of whether they use a hosted payment page or an iFrame redirected payment page.


Webpage URL

Find out more about our Cyber Security and Compliance Solutions

Request a Callback

PCI DSS for ecommerce websites

The Self-Assessment Questionnaire (SAQ) A-EP was introduced with PCI DSS v3.0. Its purpose was to address the more complex ecommerce integrations where manipulation of merchant created payment pages (and JavaScript) by an attacker can allow cardholder data to be captured unknowingly.


SAQ A-EP is effective in improving the security of consumer ecommerce payments by reducing the risk of merchant website compromise in the first place.  However, the controls included in the SAQ A-EP are not required for ecommerce websites using iFrame hosted payment page implementations.


However, the iFrame payment method is subject to the SAQ A questionnaire which has significantly less requirements due its perceived protection of cardholder data. The new v3.2 SAQ A has adopted some new requirements to improve the security of the merchant website, intended to address the fact that iFrame attacks aren’t new but are becoming increasingly prevalent. 


iFrame attacks usually involve manipulation of the iFrame redirect code to invoke the attacker’s own payment page instead of the PSP’s.  These types of breaches can be spotted as the consumer is presented with the attacker’s iFrame, which will have differences to the legitimate PSP’s. 


However, with this newly identified iFrame attack method it appears that security controls adopted into SAQ A v3.2 may not go far enough to protect the merchant or the consumer; the risk of transparent, and hence longer-term and larger, data breaches has grown.


Recommendations to mitigate this new risk

Sysnet has a number of recommendations for acquirers and payment service providers to reduce the risk of consumer payment card compromise:

Actions for your merchant customers:


  • Encourage your ecommerce customers using iFrame integrations to move to a redirect to the PSP’s hosted payment page. The URL, security and identity of the PSP’s payment page can easily be verified by the consumer.
  • Encourage your ecommerce customers using iFrame integrations to implement the SAQ A-EP controls to further protect their website from attackers.
Actions for Payment Service Providers:
  • Track and restrict the source IP address requesting generation of the iFrame payment page and generation of the unique transaction ID to ensure that both requests come from the same source IP, the merchant’s web server.
  • Track the source IP address of the final iFrame submission. This should come from a different IP from that which requested the generation of the iFrame payment page and transaction ID. The final iFrame submission is returned by the consumer.
  • By tracking these IP addresses through the transaction process PSPs could be alerted to these man-in-the-middle iFrame attacks.

Sysnet can assist with an awareness campaign via our Merchant Contact Services to highlight to your ecommerce customers the risks of iFrame usage and to guide them in the actions they should take to avoid being breached. For further information request a callback or email


Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms