Iframe Implementation
If you plan to embed Secure Acceptance in an iframe, ensure that you follow the guidelines in this section. PayPal Express Checkout is not supported on a Secure Acceptance iframe integration. For the Payer Authentication 3-D Secure 2.x process, ensure that the iframe is large enough to display the issuer's access control server (ACS) challenge content (at least 390 x 400 pixels). For more information about ACS, see the Payer Authentication guide.
You must select the single page checkout option for the hosted checkout iframe implementation. See Checkout Configuration. The total amount value and the transaction cancel button are not displayed within the iframe. Any settings that you configured for the total amount figure are ignored. See Custom Checkout Appearance. Cybersource recommends that you manage the total amount value on your website containing the inline frame. You must also provide customers with cancel-order functionality on your website containing the inline frame. Refer to PCI DSS v4 section 6.4.3 for more information on how to secure iframes.
Clickjacking Prevention
Clickjacking (also known as a user-interface redress attack or iframe overlay) is used by attackers to trick users into clicking a transparent layer (containing malicious code) placed above a site's legitimate buttons or clickable content. To prevent clickjacking, you must prevent third-party sites from including your website within an iframe.
While no security remediation can prevent every clickjacking attack, developers must implement and secure iframes in accordance with relevant industry standards and guidelines, such as PCI DSS and the Open Worldwide Application Security Project (OWASP). You are required to implement the recommended prevention techniques in your website. For more information on PCI DSS and OWASP, see these websites:
Your developers must not use double framing on the same page where the hosted checkout iframe implementation is used.
Web application protections for Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) must also be incorporated.
- For XSS protection, you must implement comprehensive input validation and use the OWASP-recommended security encoding library to perform output encoding on your website.
- For CSRF protection, you are strongly encouraged to use a synchronized token pattern. This measure requires generating a randomized token associated with the user session. The token is included whenever an HTTP request is sent to the server, and your server application verifies that the token in the request is the same as the one associated with the user session.
Iframe Transaction Endpoints
For iframe transaction endpoints and supported transaction types for each endpoint, see Endpoints and Transaction Types.