
3
  • That's a great answer. I guess there are two different things going on here. There's the practical civil liability issue of complying with PCI. The other side is the (questionable?) technical advantages of using an iframe instead of using your own form and sending the details directly to the vendor (no sensitive data going to your servers). Unless I'm mistaken, the two approaches mean two different levels of PCI requirements. Just trying to separate out the security reality from the security theatre. Commented Apr 23, 2021 at 22:59
  • @Acorn My vendor isn't going to accept a "blind" form submission of CC data from a client it hasn't already interchanged cookies with. They like to ask for payment data at the very end after "checkout", ID/email, and shipping details are worked out. By doing it last they don't need to retain CVV. Commented Apr 24, 2021 at 0:48
  • +1 to the suggestion that this is focused more on organisational risk than anything. I've moved payment forms to an iframe just because it would make it easier to comply with certain regulations that impact things like who has access to servers etc. Commented Apr 24, 2021 at 12:04
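The comments above contrast two ways of keeping card data off your own servers: a hosted vendor iframe, or your own form posting straight to the vendor. What the iframe model actually buys you on the parent page is that the only thing crossing back into your origin is a token, and that crossing is where a practitioner needs a check. The following is an added example, not code from the thread or from any vendor's SDK: it shows the parent-page side of a hosted iframe, namely the CSP that pins which origin may be framed and a `message` handler that refuses anything not coming from the vendor frame. The vendor origin `https://pay.example-vendor.test`, the `payment-token` message shape and the `tok_` token format are all assumptions made for illustration.

```javascript
// Added example (not from the original thread). All vendor-specific names
// below (origin, message type, token format) are hypothetical.
const PAYMENT_ORIGIN = "https://pay.example-vendor.test";

// Content-Security-Policy for the checkout page. In the iframe model our
// own forms never carry card data, so form-action can stay 'self'; only the
// vendor origin may be framed. (frame-ancestors is the vendor's concern,
// set on the hosted form, not here.)
function paymentCsp(vendorOrigin = PAYMENT_ORIGIN) {
  return [
    "default-src 'self'",
    `frame-src ${vendorOrigin}`,
    "form-action 'self'",
  ].join("; ");
}

// Validate a postMessage event from the payment iframe and return the
// token, or null if anything about the message is wrong.
//   event        - a MessageEvent (or an object shaped like one)
//   frameWindow  - the iframe's contentWindow, if known; used to ensure the
//                  message came from that frame and not another window that
//                  happens to share the vendor origin
function extractPaymentToken(event, frameWindow = null, expectedOrigin = PAYMENT_ORIGIN) {
  // 1. Origin check: the single most important line in this handler.
  if (event.origin !== expectedOrigin) return null;

  // 2. Source check: if we created the frame, insist the message is from it.
  if (frameWindow !== null && event.source !== frameWindow) return null;

  // 3. Shape check: only the agreed message type, only a string token.
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (data.type !== "payment-token") return null;
  if (typeof data.token !== "string" || !/^tok_[A-Za-z0-9]{8,}$/.test(data.token)) return null;

  // 4. Scope check: refuse a message that smuggles raw card data into our
  //    origin. If this ever fires, the iframe is not doing what the PCI
  //    argument in the thread relies on.
  for (const key of ["pan", "cardNumber", "cvv", "cvc", "expiry"]) {
    if (key in data) return null;
  }
  return data.token;
}

// Wire the handler to a real window. Called on the checkout page; not
// exercised here because the example runs without a DOM.
function installPaymentListener(win, frameWindow, onToken) {
  win.addEventListener("message", (event) => {
    const token = extractPaymentToken(event, frameWindow);
    if (token !== null) onToken(token);
  });
}

module.exports = { PAYMENT_ORIGIN, paymentCsp, extractPaymentToken, installPaymentListener };
```

On the checkout page the server sends `Content-Security-Policy: ` followed by `paymentCsp()`, and the page calls `installPaymentListener(window, iframe.contentWindow, sendTokenToBackend)`. The token is the only value your backend ever sees; the card number and CVV stay inside the vendor's origin, which is the property the comments describe as taking the form out of your PCI scope.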