
    Considerations when Selecting an iFrame Payment Solution

    Merchants that want to integrate payments directly into their website or application have several options for doing so, but many eventually turn to iframe (inline frame) payment gateway pages to achieve this.

    These iframe pages offered through gateways are often embedded directly into a website or application, but controlled and hosted entirely through a gateway provider. iframe gateways offer significant benefits to merchants, including a quick time to go live, but also come with drawbacks like reduced control.

    Overview of Payment Gateways

    A payment gateway is a specialized payment processor that serves the unique needs of a specific merchant vertical group. Payment gateways are designed to provide a seamless and secure payment experience for customers, while also offering specialized features and services specific to the needs of different industries.

    Gateways help verify that a customer’s card is legitimate, essentially acting as the virtual version of a point-of-sale chip reader that can both protect your shoppers’ payment data and decrease your risk of fraud.

    Popular payment gateways include:

    • PayPal
    • 2checkout
    • Stripe (technically both a gateway and processor)

    Payment Gateways: The iFrame Checkout Flow

    Depending on the payment gateway selected, a checkout page is often offered as part of the gateway’s technology stack. These flows are broken down into three broad categories:

    • On-site payment gateways give merchants significant control over the payment experience; however, this flexibility means the merchant must build their own checkout flows.
    • Hosted payment gateways (or redirects) send customers to a third-party site for checkout and payment processing, as is commonly done with PayPal checkout. While these gateways are generally simple to implement, the merchant has very little control over the payment experience.
    • On-site checkout, off-site payments is where customers can check out on a merchant’s website while payment processing takes place at the gateway’s back end, giving the merchant partial control over the experience.

    These payment gateway iframes could technically be leveraged in any one of the solutions, depending on how the gateway’s technology is built. Out-of-the-box solutions often fall in the final two categories, while on-site gateways require more development to go live. 

    Are iFrame Payment Solutions Safe to Use?

    Because of the nature of iframes, “safe” is a relative term. If the selected gateway provider is reputable and reliable, there is minimal risk to the merchant, as the merchant wouldn’t be handling any of the payments directly. The gateway would handle the risks, and the processing would happen entirely through the gateway on an embedded screen on the merchant’s website.

    In this case, the merchant’s lack of control can be seen as a huge benefit. Barring any ill-advised code injection or data interception, the merchant would have a secure gateway out of the box simply by embedding the iframe directly into their own solution.

    However, if the selected gateway provider does not have great security practices, those practices will carry through to the iframe flow, as well. No matter how compliant and secure the merchant attempts to be with their processes, the security of the cardholder data will be at the mercy of the gateway.

    In this case, the lack of control by the merchant would be seen as a detriment. The iframe cannot be manipulated to instantly become “secure” if the content within the iframe has a security flaw.
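
    The "code injection" caveat above applies to the merchant's own page, which still decides what gets framed. The following added example (not from the original article or any gateway's SDK) audits an embed for that risk; the gateway origin, URLs, and header values are constructed placeholders.

```javascript
// Added example: audit a merchant page that embeds a gateway-hosted payment iframe.
// GATEWAY_ORIGIN is a constructed placeholder, not a real provider.
const GATEWAY_ORIGIN = "https://pay.gateway.example";

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of (header || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Return a list of findings for the embedding page; an empty list means all checks passed.
function auditEmbed(iframeSrc, cspHeader, gatewayOrigin = GATEWAY_ORIGIN) {
  const findings = [];
  let src;
  try {
    src = new URL(iframeSrc);
  } catch {
    return ["iframe src is not an absolute URL"];
  }
  if (src.protocol !== "https:") findings.push("iframe src is not HTTPS");
  if (src.origin !== gatewayOrigin) findings.push("iframe src is not the expected gateway origin");

  const csp = parseCsp(cspHeader);
  // frame-src falls back to child-src, then default-src.
  const frameSrc = csp["frame-src"] || csp["child-src"] || csp["default-src"];
  if (!frameSrc) findings.push("no CSP restricts which origins may be framed");
  else if (frameSrc.includes("*") || !frameSrc.includes(gatewayOrigin))
    findings.push("CSP frame sources do not pin the gateway origin");

  // A script injected into the parent page could swap the iframe for a look-alike form.
  const scriptSrc = csp["script-src"] || csp["default-src"];
  if (!scriptSrc) findings.push("no CSP restricts scripts on the parent page");
  else if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("*"))
    findings.push("CSP allows injected scripts that could replace the iframe");
  return findings;
}
```

    The source matching here is an exact string comparison against the gateway origin, so a policy that lists the gateway with a path or wildcard subdomain would need the comparison adjusted.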

    PCI Compliance Considerations

    Similar to the earlier point, because the sensitive data never touches the merchant’s servers, there is little needed from a merchant to achieve and maintain PCI compliance. If the gateway offers the payment flow in a PCI compliant manner, the merchant can simply embed the iframe and offer a compliant flow.

    Therefore, iframe payment flows can significantly reduce the time and effort required to achieve PCI compliance.

    Branding and Styling Considerations

    The branding and styling of iframe payment pages would be controlled by the gateway. Some providers offer the ability to customize the look, feel, colors, and branding of the gateway, but this often has limitations. For some merchants that want a quick go-live and simple design, this can be seen as a benefit.

    In other cases, this can be seen as a drawback. For merchants that want a seamless checkout experience that perfectly matches every pixel of the brand’s digital assets, iframe gateways will likely fall short. 

    Documentation and Ease of Use

    These iframe checkout flows are often seen as relatively easy to implement and use. Most of the time, the gateways won’t require significant development to go live. To all intents and purposes, the bare minimum requirement is simply a web page with an iframe area that displays the gateway; anything beyond that is likely done through drag-and-drop configuration in the gateway’s administration interface, and likely requires no coding.

    Security and Compliance - With More Control

    If a merchant finds that out-of-the-box payment gateway solutions don’t fit the bill, they could choose to self-host the checkout flow and implement a solution like Basis Theory Elements. Leveraging the React Elements SDK, form elements will render a secure iFrame for capturing the data and then store it in a secure vault.

    Elements offers a fast, dynamic, and secure way to seamlessly collect information within applications without exposing any systems to the underlying sensitive data. Elements are completely customizable, giving merchants complete control over the user experience while also keeping systems outside of PCI compliance scope.

    If you would like a PCI compliant solution for collecting card data, storing it, and leveraging it as if it were in your own system, contact our payment experts today to learn more.
