- From: Patrick Toomey <patrick.toomey@github.com>
- Date: Mon, 15 Aug 2016 17:15:55 +0000
- To: Daniel Veditz <dveditz@mozilla.com>, Craig Francis <craig@craigfrancis.co.uk>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAN4Q8dAY9d8+b=Y8=EgifzCutTWk6unRoRR8CC6WWVYcy8POXQ@mail.gmail.com>

I’ve been told by folks that live in “compliance land” that you must separate the notion of “logical” and “compliance”. Compliance is compliance and little else. The solutions might very well make a site PCI compliant, but they don’t necessarily mean much more than that.

For example, some providers have supported a solution like this: https://www.braintreepayments.com/blog/client-side-encryption/. In this scenario, the underlying assumption is that your application has not been compromised and can’t be tricked into encrypting the CC details using some attacker controlled public key. My understanding is that this solution was acceptable for PCI compliance for quite a while (no clue on where that stands today).

In short, the best these solutions offer is prevention against accidental mishandling of plaintext card numbers. In other words, assuming you are not compromised, these kinds of solutions (iframe, client-side encrypted, etc) provide reasonable assurance that plaintext card numbers don’t get logged inside your infrastructure, etc. But, all of these solutions fundamentally assume that your application hasn’t been compromised (i.e. hasn’t been changed to just ask/log cards directly).

On Mon, Aug 15, 2016 at 11:03 AM Daniel Veditz <dveditz@mozilla.com> wrote:

> From a very narrow definition entering your payment details into a 3rd
> party iframe is "secure" from the parent frame--assuming the correct iframe
> has been opened! Stripe etc aren't going to get hacked, so I guess they're
> happy. You're right that this leaves users ripe for phishing.
>
> -Dan Veditz
>
> On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>
>> Hi,
>>
>> Is there a secure way to collect sensitive information (e.g. credit card
>> numbers) through an iframe, if the parent page has been compromised?
>>
>> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay,
>> etc are all pretending they have a secure system, when they really don't.
>>
>> I've written up my notes at the following URL, but if you have any other
>> comments/feedback, I'd really appreciate it (I'd like to contact the PCI
>> Council again by the end of the week).
>>
>> Craig
>>
>> https://www.code-poets.co.uk/misc/security/pci-saq/

Received on Monday, 15 August 2016 17:16:33 UTC