Re: Guidance regarding secured/hosted fields for PCI (Payment Card Industry) Compliance

Using iframes typically reduces security, because you do not see the 
chrome that confirms the web site that originated the frame.  I will 
always request a separate window for PayPal entry boxes, to ensure that 
I can see they are coming from PayPal.

What do the hosted fields you are talking about here do to ensure that 
the user knows that they can be trusted?  Are they only ever used on 
sites that are already trusted, and submit to that site?

On 19/11/2018 16:25, Beth Martin wrote:
> Hello,
> 
> I'm looking for some additional guidance regarding secure fields needed 
> for PCI (Payment Card Industry) compliance for ecommerce.  Payment 
> providers now offer a solution for a higher level of conformance where 
> each payment field (credit card number, CVV, and expiration date) is a 
> DOM-injected iframe, comprising a `label`, `input`, error validation, 
> styling, and focus management.  These iframed fields are referred to as 
> "secure fields" or "hosted fields".
> 
> We are working with our payment provider to improve their markup, 
> however, if they followed all form and iframe related guidelines, would 
> there be any other concerns regarding accessibility?
> 
> Thanks!
> 
> Beth Martin

Received on Tuesday, 20 November 2018 11:37:20 UTC