- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 15 Aug 2016 10:00:58 -0700
- To: Craig Francis <craig@craigfrancis.co.uk>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Monday, 15 August 2016 17:01:27 UTC
From a very narrow definition entering your payment details into a 3rd party iframe is "secure" from the parent frame--assuming the correct iframe has been opened! Stripe etc aren't going to get hacked, so I guess they're happy. You're right that this leaves users ripe for phishing.

-Dan Veditz

On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk> wrote:
> Hi,
>
> Is there a secure way to collect sensitive information (e.g. credit card
> numbers) through an iframe, if the parent page has been compromised?
>
> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay,
> etc are all pretending they have a secure system, when they really don't.
>
> I've written up my notes at the following URL, but if you have any other
> comments/feedback, I'd really appreciate it (I'd like to contact the PCI
> Council again by the end of the week).
>
> Craig
>
> https://www.code-poets.co.uk/misc/security/pci-saq/