IFrames – to use or not to use

Posted On: Friday, April 16th, 2021

The discussion on the use of iframes is back! Using an iframe to display the challenge windows has always been a popular option.

But PCI regulations introduced over the years have created problems, in particular because the main page and the iframe content come from different sources.

These security concerns are legitimate; both the ACS and the Merchant have reasons to be wary of the security implications of an iframe, including the risk of JavaScript executing across iframes and of code injection.

In addition, the standard HTTP headers that a web server would return with its pages in order to be PCI compliant (and, for many, to pass PCI penetration testing) will interfere with the ACS challenge page when it is displayed in an iframe.
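The interference described above can be checked from the response headers of a challenge page. The following is an added example, not code from the original post or from Endeavour; it assumes the headers in question are `X-Frame-Options` and the CSP `frame-ancestors` directive (the post does not name them), and all URLs in it are constructed.

```javascript
// Decide whether a browser would render a page inside an iframe hosted on
// `parentOrigin`, given that page's response headers.
// Simplified model: one level of nesting, header names already lower-cased,
// host-only sources and wildcard hosts in frame-ancestors are not handled.

function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function canBeFramed(pageUrl, parentOrigin, headers) {
  const pageOrigin = new URL(pageUrl).origin;
  const parent = new URL(parentOrigin).origin;
  const sources = frameAncestors(headers['content-security-policy']);

  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const allowed = sources.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return parent === pageOrigin;
      if (src === '*') return true;
      if (src.endsWith(':')) return new URL(parent).protocol === src; // e.g. https:
      try { return new URL(src).origin === parent; } catch { return false; }
    });
    return { allowed, decidedBy: 'frame-ancestors' };
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parent === pageOrigin, decidedBy: 'x-frame-options' };
  }
  return { allowed: true, decidedBy: 'none' };
}

// Constructed sample: an ACS challenge page embedded by a merchant checkout.
const sample = canBeFramed('https://acs.issuer.example/challenge',
  'https://shop.example', { 'x-frame-options': 'SAMEORIGIN' });
console.log(sample); // { allowed: false, decidedBy: 'x-frame-options' }
```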

Another problem is the size of the iframe, and general settings for the iframe element. With so many ACS systems and so many implementations, problems are inevitable.

EMVCo has been consulting with the PCI council and is now taking the first steps to address these problems by providing guideline settings. These include:

a. The use of custom headers for the ACS pages.

b. In Version 2.0 a field was introduced called challengeWindowSize. This field has five values corresponding to challenge window sizes of: 01 = 250 x 400, 02 = 390 x 400, 03 = 500 x 600, 04 = 600 x 400, 05 = Full screen. This allows the ACS to render a page that formats neatly into these dimensions. This also means that the iframe page must be one of the four sizes or the settings should be sent as a full page.

It is therefore important that merchants are able to send the challengeWindowSize value corresponding to their settings, and that this value is passed on to the Endeavour 3DServer.

The ultimate aim of 3DSecure is to give cardholders security combined with a good customer experience.

Endeavour is delivering very high rates of frictionless authentication and we expect the percentage of frictionless authentication to continue to outperform industry standards.

But for those cases where a challenge is required, rendering the challenge window correctly using an iframe, lightbox or as a full page is vital.
