Are there drawbacks to credit card payment forms via an iframe? [closed]

Question

A common feature I see in a lot of small business ecommerce websites is that when I click on the CHECKOUT button, I am taken away from the website and redirected to the url of a 3rd party payment gateway like paypal, authorize.net etc... After I make my payment on this 3rd party site, I am redirected back to the small business ecommerce website.

I would like to simplify this process for a few clients of mine. I plan to make a payment form that others can embed into their website via an iframe. The payment form will be behind an SSL. When my payment form receives information, I will pass it along to a merchant gateway like paypal, and reload the iframe with the success/fail response.

Are there any major issues to this iframe approach? I ask because I don't recall payment gateways like paypal offering iframe embed codes for their payment pages, even though it seems a trivial thing to offer. If they can offer a checkout url to website owners to embed into their page, they should just as easily be able to offer an iframe embed code.

Answer 1

A fundamental aspect of the security of an HTTPS connection is the verification of the identity of the remote party. It's one thing to exchange data secretly with someone, but you need to know with whom.

From a technical point of view, the server's identity is verified using its certificate:

• It needs to be trusted, i.e. the client can verified it was issued by an authority it trusts (RFC 3280/5280).
• It needs to be issued to the entity the client wants to talk to, i.e. the host name needs to be verified (RFC 2818, Section 3.1).

However, the technical aspect is only part of the solution. The user needs to be able to see which site the browser is trying to connect to. This is a user interface problem, and only the user can check what the browser is trying to do, within reason of what its UI is displaying (it's unrealistic to expect most users to use developer tools).

Using an iframe hides the name of the site to which the user is actually connected for that iframe (only the address of the main page is displayed in the address bar). This prevents the user making this verification.

In addition, it would be even worse if the HTTPS iframe was within an HTTP page, in which case the user couldn't even check that HTTPS is used at all.

There are bad example of embedded iframes, in particular 3-D Secure, because (a) it recommends using an iframe and (b) even if an iframe wasn't used, the name generally has nothing to do with the user's bank, the merchant site or the credit card company.