IFrames – to use or not to use

Posted On: Friday, April 16th, 2021

The discussion on the use of iframes is back! Using an iframe to display the challenge windows has always been a popular option.

But PCI regulations introduced over the years have created problems, in particular because the main page and the iframe come from different sources.

These security concerns are legitimate; both the ACS and the Merchant have reasons to be wary of the security implications of an iframe and of the risk of JavaScript executing across iframes and of code injection.

In addition, the standard HTTP response headers that a web server returns in order to be PCI compliant (and, for many, to pass PCI penetration testing) will interfere with the ACS challenge page when it is displayed in an iframe.

Another problem is the size of the iframe, and general settings for the iframe element. With so many ACS systems and so many implementations, problems are inevitable.

EMVCo has been consulting with the PCI council and is now taking the first steps to address these problems by providing guideline settings. These include:

a. The use of custom headers for the ACS pages.

b. In Version 2.0 a field called challengeWindowSize was introduced. This field has five values corresponding to the challenge window sizes: 01 = 250 x 400, 02 = 390 x 400, 03 = 500 x 600, 04 = 600 x 400, 05 = Full screen. This allows the ACS to render a page that fits neatly into these dimensions. It also means that the iframe must be one of the four sizes, or the setting should be sent as a full page.

It is therefore important that merchants can send the challengeWindowSize field corresponding to their settings and that this field is passed on to the Endeavour 3DServer.
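As an added example (not from the original post or from Endeavour), a merchant-side helper could map the checkout iframe to the challengeWindowSize value to send, using the dimensions listed above. The function names are hypothetical, and the best-fit selection in `pickCode` goes beyond what the post describes.

```javascript
// Added example: SIZES, codeForFrame, pickCode and renderPlan are hypothetical names.
// The dimensions are the ones the post lists for challengeWindowSize.
const SIZES = {
  "01": [250, 400],
  "02": [390, 400],
  "03": [500, 600],
  "04": [600, 400],
};
const FULL_SCREEN = "05";

// Exact match: which code describes an iframe of this width x height?
// Returns null when the iframe is not one of the four fixed sizes.
function codeForFrame(width, height) {
  for (const [code, [w, h]] of Object.entries(SIZES)) {
    if (w === width && h === height) return code;
  }
  return null;
}

// Largest fixed size (by area) that fits the space available on the
// checkout page; falls back to full screen when none of the four fits.
function pickCode(availWidth, availHeight) {
  let best = FULL_SCREEN;
  let bestArea = 0;
  for (const [code, [w, h]] of Object.entries(SIZES)) {
    if (w <= availWidth && h <= availHeight && w * h > bestArea) {
      best = code;
      bestArea = w * h;
    }
  }
  return best;
}

// Turn the code sent in the authentication request into a render decision.
// Unknown values are rejected instead of silently defaulting to some size.
function renderPlan(code) {
  if (code === FULL_SCREEN) return { mode: "fullpage" };
  if (!Object.prototype.hasOwnProperty.call(SIZES, code)) {
    throw new RangeError(`unsupported challengeWindowSize: ${code}`);
  }
  const [width, height] = SIZES[code];
  return { mode: "iframe", width, height };
}
```

Running `codeForFrame` against the iframe actually rendered, and comparing the result with the value sent in the request, catches the mismatch where the ACS formats its page for one size and the merchant displays another.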

The ultimate aim of 3DSecure is to give cardholders security combined with a good customer experience.

Endeavour is delivering very high rates of frictionless authentication and we expect the percentage of frictionless authentication to continue to outperform industry standards.

But for those cases where a challenge is required, rendering the challenge window correctly using an iframe, lightbox or as a full page is vital.
