By Natasja Bolton, Senior Acquirer Support
Businesses like the iFrame method as it allows them to entirely outsource the capture and processing of cardholder data. The data is outsourced to a validated Payment Card Industry Data Security Standard (PCI DSS) compliant Payment Service Provider (PSP).
From the consumer’s perspective it offers a streamlined checkout: it appears that they never left the website on which they are making the purchase. From the ecommerce business’s perspective it offers an easier PCI DSS compliance route.
These guidelines included a recommendation that implied the use of iFrames to present the PSP’s hosted payment page was no longer acceptable because it is not possible for consumers to identify when they are communicating with the PSP. As a result, Sysnet suggested that this could be the end of the road for ecommerce iFrames.
A new iFrame man-in-the-middle attack
Last week a new method of attack against ecommerce iFrame payment page implementations emerged that further highlights the risks of hosted payment pages. Is this attack one more nail in the coffin for iFrame use?
The iFrame breach was complex, involving compromise of the merchant website, the introduction of malware and access to the website’s database. The attacker was then able to manipulate the website’s interaction with the payment service provider (PSP): both the instantiation of the iFrame and the generation of the unique transaction ID.
Insecure websites can leave cardholder data compromised, regardless of whether they use a hosted payment page or an iFrame redirected payment page.
PCI DSS for ecommerce websites
SAQ A-EP is effective in improving the security of consumer ecommerce payments because its controls reduce the risk of the merchant website being compromised in the first place. However, the controls included in SAQ A-EP are not required for ecommerce websites using iFrame hosted payment page implementations.
Instead, the iFrame payment method is eligible for the SAQ A questionnaire, which has significantly fewer requirements because of the perceived protection of cardholder data. The new v3.2 SAQ A has adopted some new requirements to improve the security of the merchant website, intended to address the fact that iFrame attacks are not new but are becoming increasingly prevalent.
iFrame attacks usually involve manipulation of the iFrame redirect code to invoke the attacker’s own payment page instead of the PSP’s. These types of breaches can be spotted because the consumer is presented with the attacker’s iFrame, which will differ from the legitimate PSP’s.
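As an added illustration (not code from Sysnet or the original article) of how a merchant can spot the kind of manipulation just described, the script below scans a served checkout page and flags any iFrame whose source is not an https URL on the PSP’s known origin. The PSP origin, the two sample pages and the function names are assumptions constructed for the example.

```python
"""
Added example, not code from the original article: a merchant-side content
check that flags a checkout page whose payment iFrame no longer points at the
PSP. Uses only the Python standard library; the PSP origin and the two sample
pages are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in the served HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def unexpected_iframe_sources(html: str, allowed_origins: Set[str]) -> List[str]:
    """Return every iFrame src that is not an https URL on an allow-listed PSP origin.

    Comparing the full scheme://host origin (not a substring) defeats look-alike
    hosts such as pay.psp.test.lookalike.example, and rejecting non-https or
    scheme-relative URLs catches iFrames that were re-pointed elsewhere.
    """
    collector = IframeCollector()
    collector.feed(html)
    flagged: List[str] = []
    for src in collector.sources:
        parts = urlsplit(src.strip())
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        if parts.scheme.lower() != "https" or origin not in allowed_origins:
            flagged.append(src)
    return flagged


# Constructed PSP origin; a real deployment takes this from the PSP's documentation.
ALLOWED_PSP_ORIGINS = {"https://pay.example-psp.test"}

# Constructed checkout page as the merchant intends to serve it.
GOOD_PAGE = """
<html><body>
<h1>Checkout</h1>
<iframe id="payment" src="https://pay.example-psp.test/hosted?session=abc123"></iframe>
</body></html>
"""

# Constructed tampered page: the iFrame now loads from a look-alike host and a
# second, scheme-relative iFrame has been injected.
TAMPERED_PAGE = """
<html><body>
<h1>Checkout</h1>
<iframe id="payment" src="https://pay.example-psp.test.lookalike.example/hosted?session=abc123"></iframe>
<IFRAME SRC="//static.lookalike.example/overlay.html"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    print("good page:", unexpected_iframe_sources(GOOD_PAGE, ALLOWED_PSP_ORIGINS))
    print("tampered page:", unexpected_iframe_sources(TAMPERED_PAGE, ALLOWED_PSP_ORIGINS))
```

Run this against the page as actually delivered to a browser (fetched from the public site, not read from the deployment directory), since the attack described above modifies what the web server serves; a non-empty result is a reason to take the checkout offline and investigate.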
However, with this newly identified iFrame attack method it appears that the security controls adopted into SAQ A v3.2 may not go far enough to protect the merchant or the consumer: because the attack is transparent to the consumer, the risk of breaches that go undetected for longer, and therefore compromise more cards, has grown.
Recommendations to mitigate this new risk
Sysnet has a number of recommendations for acquirers and payment service providers to reduce the risk of consumer payment card compromise:
Actions for your merchant customers:
- Encourage your ecommerce customers using iFrame integrations to move to a redirect to the PSP’s hosted payment page. The URL, security and identity of the PSP’s payment page can easily be verified by the consumer.
- Encourage your ecommerce customers using iFrame integrations to implement the SAQ A-EP controls to further protect their website from attackers.
Actions for Payment Service Providers:
- Track and restrict the source IP address requesting generation of the iFrame payment page and generation of the unique transaction ID to ensure that both requests come from the same source IP, the merchant’s web server.
- Track the source IP address of the final iFrame submission. This should come from a different IP than the one that requested generation of the iFrame payment page and transaction ID, because the final iFrame submission is returned by the consumer.
- By tracking these IP addresses through the transaction process, PSPs could be alerted to these man-in-the-middle iFrame attacks.
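The following is an added example, not code from Sysnet or any PSP, of the correlation logic the three recommendations above describe: it groups the three requests of one hosted-iFrame transaction by transaction ID and raises an alert when the two server-to-server requests come from different IPs, or when the final submission arrives from the merchant’s own IP. The event names, field names and log lines are constructed assumptions for the example.

```python
"""
Added example, not code from the original article: a PSP-side correlation of
the three requests that make up one hosted-iFrame transaction, implementing
the two source-IP checks recommended above. Event names, field names and the
log lines are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TransactionTrace:
    txid: str
    iframe_request_ip: Optional[str] = None  # merchant server requesting the payment page
    txid_request_ip: Optional[str] = None    # merchant server requesting the transaction ID
    submission_ip: Optional[str] = None      # consumer browser posting the completed form


def parse_events(lines: List[str]) -> Dict[str, TransactionTrace]:
    """Group constructed log lines of the form '<event> txid=<id> src=<ip>' by transaction."""
    traces: Dict[str, TransactionTrace] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash the monitor
        event = parts[0]
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        txid, src = fields.get("txid"), fields.get("src")
        if not txid or not src:
            continue
        trace = traces.setdefault(txid, TransactionTrace(txid))
        if event == "iframe_request":
            trace.iframe_request_ip = src
        elif event == "txid_request":
            trace.txid_request_ip = src
        elif event == "submission":
            trace.submission_ip = src
    return traces


def check_trace(trace: TransactionTrace) -> List[str]:
    """Apply the two recommended checks; an empty list means the trace looks normal."""
    alerts: List[str] = []
    # Check 1: both server-to-server requests must originate from the same merchant IP.
    if (trace.iframe_request_ip and trace.txid_request_ip
            and trace.iframe_request_ip != trace.txid_request_ip):
        alerts.append("server-side-ip-mismatch")
    # Check 2: the final submission comes from the consumer, so it should not share
    # an IP with the merchant server; if it does, something in the merchant's
    # infrastructure is relaying the consumer's card data.
    merchant_ips = {ip for ip in (trace.iframe_request_ip, trace.txid_request_ip) if ip}
    if trace.submission_ip and trace.submission_ip in merchant_ips:
        alerts.append("submission-from-merchant-ip")
    return alerts


def find_suspicious(lines: List[str]) -> Dict[str, List[str]]:
    """Return {txid: [alerts]} for every transaction that triggers at least one check."""
    result: Dict[str, List[str]] = {}
    for txid, trace in parse_events(lines).items():
        alerts = check_trace(trace)
        if alerts:
            result[txid] = alerts
    return result


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    # Normal: both server-side requests from the merchant, submission from the consumer.
    "iframe_request txid=A001 src=203.0.113.10",
    "txid_request txid=A001 src=203.0.113.10",
    "submission txid=A001 src=198.51.100.7",
    # iFrame requested from one host, transaction ID from another.
    "iframe_request txid=A002 src=203.0.113.10",
    "txid_request txid=A002 src=192.0.2.55",
    "submission txid=A002 src=198.51.100.8",
    # Submission arrives from the merchant server itself rather than a consumer.
    "iframe_request txid=A003 src=203.0.113.10",
    "txid_request txid=A003 src=203.0.113.10",
    "submission txid=A003 src=203.0.113.10",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for txid, alerts in find_suspicious(SAMPLE_LOG).items():
        print(txid, alerts)
```

Treat the output as alerts for review rather than automatic declines: a merchant whose web tier sits behind several egress addresses can trip the first check, and a consumer browsing from the merchant’s own network (staff placing test orders, for instance) can trip the second. Maintaining an allow-list of each merchant’s known egress ranges keeps both false-positive sources manageable.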
Sysnet can assist with an awareness campaign via our Merchant Contact Services to highlight to your ecommerce customers the risks of iFrame usage and to guide them in the actions they should take to avoid being breached.