Is it safe use an iframe for a payment?

Question

I have this question: is safe use an iframe to load the page where the customer will do the payment. For example paypal or DineroMail or the page that does the credit card payment. Because My boss wants that the customer feels that never leaves the site so in my site I added an iframe (and inside this I load the url of the payment) but don't know if is correct and safe or no.

Thanks.

Answer 1

I have been through this several times with many clients. A lot of it has to do with 1)he isnt comfortable with a customer leaving his site in fear the checkout wont occour or 2) its a pride thing that he wants clients to feel all the services can be performed in site.

One of the things that your boss needs to understand is that people like using paypal because they are trusted and its a familiar process to them. He needs to know that not only are people ok with being redirected to paypal, but they expect it. If I where to run into a site where they checked me out in an iFrame on paypal it would be a red flag for me. Why? Because with the redirect I can see the address bar. I know that Im at paypals site and I can see if its a secure connection.

If he is dead set on a customer never leaving a site. He needs to do something like paypal payments pro. This is probably the solution he really wants.

EDIT

I found your answer answer when dealing with the same issue myself last weekend and wanted to come back with something better!

Its called flex and its apart of the adaptive payments classic api. Which will take an additional application process which your boss may fee is well worth it.

https://developer.paypal.com/docs/classic/adaptive-payments/integration-guide/APIntro/

Head about 3/4 of the way down and youll see step by step instructions to do exactly what your loooking for. A secure paypal iframe.

Quick tip: If you have to incorporate it in your own processes simply do the following.

1) obtain your paykey after sending the request to paypal. 2) call in the javascript source as in the tutorial. 3) redirect the window manually as opposed to their created paypal button. aka https://www.paypal.com/webapps/adaptivepayment/flow/pay?paykey=YOURPAYKEY

another good source is : https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/pp_adaptivepaymentsmobile.pdf

Answer 2

It is safe if Paypal allow it, but you have to be careful from a UI point of view.

If your site is loaded over http and you load the IFrame within your site, it appears to the user not to be secure even though the IFrame is loaded over https. This approach is also vulnerable to a MiTM attack as an attacker could intercept and change the IFrame URL to something like http://www.evil.com and nobody would be the wiser at the time of entering the card details.

If your site is loaded over https your customer has to trust you with their card details as they cannot be sure that the IFrame is actually pointing to the Paypal domain on https (https://www.paypal.com) and not your site. Yes they could right click and check the source, but this is a step too far for most users and technically an evil site could swap the IFrame for an evil version without the customer noticing.

My recommendation is to actually redirect to https://www.paypal.com because then it is shown in the address bar with a padlock and reassures users that they are giving their details to Paypal and nobody else.

Answer 3

From a technical security point of view (Same Origin Policy), it is exactly as safe to open an iframe as it is to open a new tab.

From a UI point of view, opening an iframe in certain locations can deceive the user and you might be accused of trying to clickjack the user into making an inadvertent payment if you are not careful.

I cannot say anything about PayPal's own policy, but you should make sure they are okay with it.