Iframe Implementation

If you plan to embed Secure Acceptance in an iframe, ensure that you follow the guidelines in this section. PayPal Express Checkout is not supported in a Secure Acceptance iframe integration.
For the Payer Authentication 3-D Secure 2.x process, ensure that the iframe is large enough to display the issuer's access control server (ACS) challenge content (at least 390 x 400 pixels). For more information about ACS, see the Payer Authentication guide.
You must select the single page checkout option for the hosted checkout iframe implementation. See Checkout Configuration.
The total amount value and the transaction cancel button are not displayed within the iframe. Any settings that you configured for the total amount figure are ignored. See Custom Checkout Appearance.
Cybersource recommends that you manage the total amount value on the page of your website that contains the inline frame. You must also provide customers with a cancel order function on that same page, outside the iframe.
Refer to PCI DSS v4 requirement 6.4.3 for more information on how to secure iframes and the scripts loaded on payment pages.

Clickjacking Prevention

Clickjacking (also known as a user-interface redress attack or iframe overlay) is an attack in which a malicious site loads a legitimate site in a transparent or hidden iframe layered over decoy content, so that a user who believes they are clicking the decoy actually clicks buttons or links on the legitimate site. To prevent clickjacking, you must prevent third-party sites from including your website within an iframe. The OWASP-recommended controls for this are the Content-Security-Policy frame-ancestors directive, with the X-Frame-Options header as a fallback for older browsers, sent on every page that hosts the checkout iframe.
No security control can prevent every clickjacking attack, so developers must implement and secure iframes in accordance with relevant industry standards and guidelines, such as PCI DSS and the Open Worldwide Application Security Project (OWASP) guidance.
You are required to implement the recommended prevention techniques on your website. For more information on PCI DSS and OWASP, see the PCI Security Standards Council and OWASP websites.
Your developers must not use double framing (nesting the hosted checkout iframe inside another iframe) on the page where the hosted checkout iframe implementation is used.
Web application protections against Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) must also be incorporated.
  • For XSS protection, you must implement comprehensive input validation and use an OWASP-recommended security encoding library to perform context-appropriate output encoding on your website.
  • For CSRF protection, you are strongly encouraged to use the synchronized token pattern: generate a random token bound to the user's session, include it in every state-changing HTTP request sent to the server, and have your server application verify that the token in the request matches the one associated with the user session before acting on the request.

Iframe Transaction Endpoints

For iframe transaction endpoints and supported transaction types for each endpoint, see Endpoints and Transaction Types.