Skip to main content
PCI ComplianceSecurity

Payment iFrames and PCI Compliance

By July 25, 2022October 3rd, 2023No Comments

iFrames are a convenient way for merchants to embed payments into their online store. They allow merchants to process credit and debit card transactions on their own website, without redirecting the customer to a separate page or a third-party platform. However, the merchant doesn’t actually collect, process, or transmit the customer’s payment data on their own form or server.

With iFrames, data collection and processing is all handled by the payment service provider (PSP). This relieves the merchant of many of the burdens around accepting credit card payments, such as long and complicated security questionnaires. Ultimately, payment iFrames can save you time and money while helping you sleep a little easier at night.

How iFrames Prevent Payment Data from Touching Your System

An iFrame, or inline frame, is an object located on one server being presented within an object located on another server. In most payment scenarios, an iFrame solution involves the payment collection screens, hosted by a PSP, embedded in the merchant’s website. The customer enters their payment data on a form within the iFrame, and the PSP securely processes that data without it touching the merchant’s system. To keep the information secure, web browsers implement a barrier between the host webpage (i.e.: your website) and the loaded page (i.e.: the form inside the iFrame), maintaining separation between your code and the iFrame’s content.

iFrames and PCI ComplianceAre Payment iFrames PCI Compliant?

Because iFrames allow for appropriate “sandboxing” of the customers’ payment data, they’re a convenient way for e-commerce merchants to reduce their PCI scope. They protect the card data from being accessed or manipulated in ways that API-based payment processing cannot. This makes iFrame-based payments a preferred method for improving e-commerce security and meeting PCI compliance requirements.

According to the Payment Card Industry’s Best Practices for Securing e-Commerce:

“At present, a merchant implementing an e-commerce solution that uses iFrames to load all payment content from a PCI DSS compliant service provider may be eligible to assess its compliance using a reduced list of controls identified in SAQ A, the smallest possible subset of PCI DSS requirements, because most of the PCI DSS requirements are outsourced to the PSP. The full list of eligibility requirements for use of this reduced self-assessment questionnaire is outlined within the SAQ A document.”

In short: iFrame-based payment processing may help merchants reduce their PCI scope and qualify for a shorter, less time-consuming security audit. This stands in contrast to the API-based payment processing method, in which the merchant’s entire system for handling cardholder data – including their systems, people, and processes – may be subjected to the entire set of PCI DSS controls. This may require a longer, more complicated SAQ than the iFrame method.

Additional PCI Compliance Considerations for Your e-Commerce Website

Of course, it’s not enough to assume that payment iFrames cover all of your bases when it comes to PCI compliance. The PSP that processes, stores, and transmits card data on your behalf must be PCI-DSS compliant. That’s because – even if your payment form is embedded within an iFrame – the sensitive data will still be sent and stored somewhere. It’s crucial to confirm that the payment service provider that you’re entrusting with your data has appropriate measures in place to keep it secure. (You can get up-to-date information on any company’s compliance status on the Visa Global Registry of Service Providers.)

You’ll also need to confirm with your own assessor that the other aspects of your payment infrastructure are appropriately compliant. This includes your web server and shopping cart, and – if you accept payments on other channels than your website – the technologies you use to process your mail order, phone order, or in-person transactions.

Lastly, you’ll need to submit your SAQ information to your acquirer to make sure you’re meeting all of your documentation requirements as a merchant. This is true no matter what processing method(s) or channels you use.

Learn More About Simplifying Your PCI Compliance Efforts with Payment iFrames

At Curbstone, we’ve helped a number of merchants reduce the burdens of compliance while better protecting their customer data. Discover our iFrame-based payment processing technologies or contact us for more information: