PCI Compliance, Security

Payment iFrames and PCI Compliance

July 25, 2022 (updated July 27, 2022)

iFrames are a convenient way for merchants to embed payments into their online store. They allow merchants to process credit and debit card transactions on their own website, without redirecting the customer to a third-party platform. However, the merchant doesn’t actually collect, process, or transmit the customer’s payment data. This is all handled by the payment service provider, or PSP. Offloading this operation to a PSP relieves the merchant of many of the burdens around accepting credit card payments, saving you time and money while helping you sleep a little easier at night.

How iFrames Prevent Payment Data from Touching Your System

An iFrame, or inline frame, is a document served from one origin that is displayed inside a page served from another. In most payment scenarios, an iFrame solution means the payment collection screens, hosted by a PSP, are embedded in the merchant’s site.

Because iFrames allow for appropriate “sandboxing” of the customers’ payment data, they’re a convenient way for e-commerce merchants to reduce their PCI scope. They protect the card data from being accessed or manipulated in ways that API-based payment processing cannot, making them a preferred method for improving security and meeting PCI compliance requirements.
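To make the “sandboxing” concrete, here is an added example of the merchant-page side of a PSP-hosted payment iFrame. It is not Curbstone’s code and not from any particular PSP; it assumes a hypothetical PSP that serves its card form from PSP_ORIGIN and, after tokenising the card, returns `{ type: 'psp:token', token: 'tok_...' }` to the merchant page via window.postMessage. The origin, path, message shape and token format are all assumptions. The point it shows is that the card form lives on the PSP’s origin, so the browser’s same-origin policy keeps merchant scripts out of it, and the only thing that may cross back into the merchant page is a token, which the handler checks strictly (exact origin match, expected sender window, agreed shape, and nothing that looks like a card number).

```javascript
// Added example (not Curbstone's code): merchant-page glue for a PSP-hosted
// payment iFrame. Assumed, not from the post: the PSP serves its card form from
// PSP_ORIGIN and, once it has tokenised the card, sends
// { type: 'psp:token', token: 'tok_...' } to the merchant page with
// window.postMessage. Names, paths and the token format are hypothetical.

const PSP_ORIGIN = 'https://pay.example-psp.invalid'; // hypothetical PSP origin
const PSP_FORM_PATH = '/v1/card-form';                 // hypothetical form path

// Attributes for the <iframe> that loads the PSP's card form. Because the form
// is served from PSP_ORIGIN, the same-origin policy already stops merchant
// scripts from reading the frame's DOM (that is the "sandboxing" the post
// refers to). The sandbox attribute further limits what the frame may do:
// without allow-top-navigation or allow-popups it cannot navigate the merchant
// page or open windows. allow-same-origin keeps the PSP's own scripts on their
// own origin; combining it with allow-scripts is acceptable only because the
// frame is cross-origin to the merchant page.
function paymentFrameAttributes(sessionId) {
  return {
    src: `${PSP_ORIGIN}${PSP_FORM_PATH}?session=${encodeURIComponent(sessionId)}`,
    sandbox: 'allow-scripts allow-forms allow-same-origin',
    referrerpolicy: 'strict-origin-when-cross-origin',
    title: 'Secure payment form',
  };
}

// True when a value looks like a bare card number (13-19 digits, optional
// spaces or dashes between digits).
function looksLikePan(value) {
  return /^\d(?:[ -]?\d){12,18}$/.test(value);
}

// Validate a message event before trusting it as the PSP's token delivery.
// Returns the token string, or null if the event must be ignored.
//   - event.origin must equal PSP_ORIGIN exactly (no startsWith/regex match:
//     'https://pay.example-psp.invalid.attacker.test' must fail);
//   - if expectedSource is given, the sender must be our frame's window;
//   - the payload must have the agreed shape and a token-shaped value;
//   - anything that looks like a PAN is rejected, so a misbehaving frame
//     cannot push cardholder data into the merchant page and its PCI scope.
function acceptTokenMessage(event, expectedSource) {
  if (!event || event.origin !== PSP_ORIGIN) return null;
  if (expectedSource !== undefined && event.source !== expectedSource) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'psp:token') return null;
  const token = data.token;
  if (typeof token !== 'string') return null;
  if (looksLikePan(token)) return null;
  if (!/^tok_[A-Za-z0-9]{16,64}$/.test(token)) return null;
  return token;
}

// Browser-only wiring: create the frame and listen for its token message.
// Guarded so the module also loads outside a browser for the checks above.
function mountPaymentFrame(container, sessionId, onToken) {
  if (typeof document === 'undefined' || typeof window === 'undefined') return null;
  const frame = document.createElement('iframe');
  for (const [name, value] of Object.entries(paymentFrameAttributes(sessionId))) {
    frame.setAttribute(name, value);
  }
  container.appendChild(frame);
  window.addEventListener('message', (event) => {
    const token = acceptTokenMessage(event, frame.contentWindow);
    // Only the token reaches merchant code; the PAN stays inside the PSP frame.
    if (token !== null) onToken(token);
  });
  return frame;
}
```

Two of the checks in `acceptTokenMessage` are the ones most often skipped in real integrations: comparing `event.origin` with equality rather than a prefix match, and comparing `event.source` with the frame’s own window so that another frame on the page cannot inject a token. The PAN rejection is a defensive tripwire; if it ever fires, cardholder data has reached the merchant page and the SAQ A assumption no longer holds.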

According to the Payment Card Industry’s Best Practices for Securing e-Commerce:

“At present, a merchant implementing an e-commerce solution that uses iFrames to load all payment content from a PCI DSS compliant service provider may be eligible to assess its compliance using a reduced list of controls identified in SAQ A, the smallest possible subset of PCI DSS requirements, because most of the PCI DSS requirements are outsourced to the PSP. The full list of eligibility requirements for use of this reduced self-assessment questionnaire is outlined within the SAQ A document.”

In short: iFrame-based payment processing may help merchants reduce their PCI scope and qualify for a shorter, less time-consuming compliance audit. This stands in contrast to the API-based payment processing method, in which the merchant’s entire system for handling cardholder data – including their systems, people, and processes – may be subjected to the entire set of PCI DSS controls.

Additional PCI Compliance Considerations for Your e-Commerce Website

Of course, it’s not enough to assume that payment iFrames cover all of your bases when it comes to compliance. The PSP that processes, stores, and transmits card data on your behalf must be PCI DSS compliant. (You can check a company’s status on the Visa Global Registry of Service Providers.) You’ll also need to confirm with your own assessor that the other aspects of your payment infrastructure are appropriately compliant. This includes your web server and shopping cart and, if you accept payments on other channels, the technologies you use to process your mail order, phone order, or in-person transactions. Lastly, you’ll need to submit your compliance documentation to your acquirer to make sure you’re meeting all of your reporting requirements.

Learn More About Simplifying Your PCI Compliance Efforts with Payment iFrames

At Curbstone, we’ve helped a number of retailers reduce the burdens of compliance. Discover our iFrame-based payment processing technologies or request more information about our solutions: