
Iframes and credit card security

From: Craig Francis <craig@craigfrancis.co.uk>
Date: Mon, 15 Aug 2016 14:11:18 +0100
Message-Id: <343E2E65-1FA5-4DB4-B597-6DCCEDC9CEE7@craigfrancis.co.uk>
To: WebAppSec WG <public-webappsec@w3.org>

Hi,

Is there a secure way to collect sensitive information (e.g. credit card numbers) through an iframe, if the parent page has been compromised?

I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay, etc. are all pretending they have a secure system, when they really don't.

I've written up my notes at the following URL, but if you have any other comments/feedback, I'd really appreciate it (I'd like to contact the PCI Council again by the end of the week).

Craig



https://www.code-poets.co.uk/misc/security/pci-saq/
Received on Monday, 15 August 2016 13:11:49 UTC
