Re: Guidance regarding secured/hosted fields for PCI (Payment Card Industry) Compliance

I am unclear on the security benefits behind hosted fields.  Our front-end
team was asked to review a new payment gateway from Adyen.  While auditing,
we uncovered the use of iframes for each payment field, along with clear
accessibility issues.  Upon further research, we realized that other
payment providers such as Shopify, Stripe, Braintree, and BlueSnap were
also using hosted fields to mitigate PCI compliance scope.  Our team is
looking for guidance on this new standard for implementation within
eCommerce and its impact on accessibility.

On Tue, Nov 20, 2018 at 6:43 AM David Woolley <forums@david-woolley.me.uk>
wrote:

> Using iframes typically reduces security, because you do not see the
> chrome that confirms the web site that originated the frame.  I will
> always request a separate window for Paypal entry boxes, to ensure that
> I can see they are coming from Paypal.
>
> What do the hosted fields you are talking about here do to ensure that
> the user knows that they can be trusted?  Are they only ever used on
> sites that are already trusted, and submit to that site?
>
> On 19/11/2018 16:25, Beth Martin wrote:
> > Hello,
> >
> > I'm looking for some additional guidance regarding secure fields needed
> > for PCI (Payment Card Industry) compliance for ecommerce.  Payment
> > providers now offer a solution for a higher level of conformance where
> > each payment field (credit card number, CVV, and expiration date) is a
> > DOM-injected iframe, comprising a `label`, `input`, error validation,
> > styling, and focus management.  These iframed fields are referred to as
> > "secure fields" or "hosted fields".
> >
> > We are working with our payment provider to improve their markup,
> > however, if they followed all form and iframe related guidelines, would
> > there be any other concerns regarding accessibility?
> >
> > Thanks!
> >
> > Beth Martin

Received on Tuesday, 20 November 2018 14:02:36 UTC
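The hosted-field arrangement Beth describes above (one PSP-origin iframe per card field) and David's question about how anyone knows the frames can be trusted, shown from the merchant page's side as an added example. This is not code from the thread or from any of the providers named in it; the origin `https://hosted-fields.example-psp.test`, the `/fields/*` paths, the session parameter, the result message shape (`type`, `token`, `last4`, `brand`) and all function names are assumptions. It shows two things the thread only alludes to: why card data typed into the frames never becomes readable to the merchant's scripts, and what the merchant page must check before acting on a message from a frame. It does not address David's concern about what the user can see, which is a matter of browser UI that page script cannot establish.

```javascript
// Added example, not code from the thread or from any provider named in it.
// Assumed names: PSP_ORIGIN (constructed placeholder), HOSTED_FIELDS, the
// /fields/* paths and the postMessage shape { type, token, last4, brand }.

// Origin of the payment service provider that serves the hosted fields.
const PSP_ORIGIN = "https://hosted-fields.example-psp.test";

// One iframe per card-data field. Each frame loads from the PSP origin, so the
// merchant page's scripts cannot read the input values: the card number,
// expiry and CVV are typed into documents the merchant origin has no access to.
const HOSTED_FIELDS = [
  { name: "card-number", title: "Card number", path: "/fields/number" },
  { name: "expiry", title: "Expiration date", path: "/fields/expiry" },
  { name: "cvv", title: "Security code (CVV)", path: "/fields/cvv" },
];

// Keys a result message from a hosted field may carry: a token standing in
// for the card, plus non-sensitive display data. Anything else is rejected.
const ALLOWED_RESULT_KEYS = new Set(["type", "token", "last4", "brand"]);

// Build the frame URL for one field, bound to a server-issued session id.
function hostedFieldUrl(field, sessionId) {
  const url = new URL(field.path, PSP_ORIGIN);
  url.searchParams.set("session", sessionId);
  return url.toString();
}

// Create the iframes. `doc` is passed in rather than taken from the global
// scope so the function can be exercised outside a browser.
function mountHostedFields(doc, container, sessionId) {
  return HOSTED_FIELDS.map((field) => {
    const frame = doc.createElement("iframe");
    frame.src = hostedFieldUrl(field, sessionId);
    frame.name = `hosted-${field.name}`;
    // A title gives the frame an accessible name for assistive technology.
    frame.title = field.title;
    container.appendChild(frame);
    return frame;
  });
}

// Decide whether a `message` event may be acted on. Two checks matter:
//  1. event.origin must be the PSP origin; a frame from anywhere else (or a
//     script on the page itself) must not be able to inject a "token".
//  2. the payload must be a tokenised result and nothing more; a message that
//     carries extra keys (for example raw card data) is dropped so that card
//     numbers never enter the merchant page's state even by accident.
function isTrustedFieldMessage(event) {
  if (event.origin !== PSP_ORIGIN) return false;
  const data = event.data;
  if (data === null || typeof data !== "object") return false;
  if (!Object.keys(data).every((key) => ALLOWED_RESULT_KEYS.has(key))) return false;
  if (data.type !== "tokenized" || typeof data.token !== "string" || data.token === "") return false;
  if (data.last4 !== undefined && !/^\d{4}$/.test(data.last4)) return false;
  return true;
}

// Returns the token when the message is trusted, null otherwise.
function tokenFromFieldMessage(event) {
  return isTrustedFieldMessage(event) ? event.data.token : null;
}

// Browser wiring; skipped when the file is loaded under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const container = document.getElementById("payment-fields");
  mountHostedFields(document, container, "sess_example");
  window.addEventListener("message", (event) => {
    const token = tokenFromFieldMessage(event);
    if (token !== null) {
      // Submit only the token with the order; the card data stayed on the PSP origin.
      console.log("payment token received:", token);
    }
  });
}
```

The key-allowlist in `isTrustedFieldMessage` is deliberately stricter than checking `event.origin` alone: the origin check stops other frames and page scripts from forging a result, and the allowlist makes sure that even a misconfigured PSP frame cannot hand the merchant page anything more than a token and display data.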