
IFrames – to use or not to use

Posted On: Friday, April 16th, 2021

The discussion on the use of iframes is back! Using an iframe to display the challenge windows has always been a popular option.

But PCI regulations introduced over the years have created problems, in particular because the main page and the iframe are served from different sources.

These security concerns are legitimate: both the ACS and the merchant have reason to be wary of the security implications of an iframe, including the risk of JavaScript executing across iframes and of code injection.

In addition, the standard HTTP response headers that a web server returns in order to be PCI compliant (and, for many, to pass PCI penetration testing) will interfere with the ACS challenge page when it is displayed in an iframe.
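The header conflict described above can be checked before go-live. The following is an added example, not code from the original post or from EMVCo; it assumes the headers in question are the anti-framing headers `X-Frame-Options` and `Content-Security-Policy: frame-ancestors`, and the origins and function names are hypothetical.

```javascript
// Added example: would a browser render a page in an iframe on parentOrigin?
// Simplified model: one framing level, first CSP header only, scheme-qualified sources.
function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function sourceMatches(source, parentOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return parentOrigin === pageOrigin;
  const parent = new URL(parentOrigin);
  const m = s.match(/^(https?):\/\/(\*\.)?([^\/]+)$/); // scheme://host or scheme://*.host
  if (!m || m[1] + ":" !== parent.protocol) return false; // also covers 'none'
  return m[2] ? parent.host.endsWith("." + m[3]) : parent.host === m[3];
}

function framingAllowed(headers, parentOrigin, pageOrigin) {
  // Header names are case-insensitive, so normalise them first.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
    const ok = ancestors.some((s) => sourceMatches(s, parentOrigin, pageOrigin));
    return { allowed: ok, reason: "frame-ancestors " + ancestors.join(" ") };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options DENY" };
  if (xfo === "SAMEORIGIN")
    return { allowed: parentOrigin === pageOrigin, reason: "X-Frame-Options SAMEORIGIN" };
  return { allowed: true, reason: "no anti-framing header" };
}

// Constructed sample: hypothetical merchant and ACS origins, typical hardening headers.
const MERCHANT = "https://shop.merchant.example";
const ACS = "https://acs.bank.example";
const hardened = { "X-Frame-Options": "SAMEORIGIN" };
const tailored = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors https://shop.merchant.example",
};
console.log(framingAllowed(hardened, MERCHANT, ACS)); // blocked in the merchant's iframe
console.log(framingAllowed(tailored, MERCHANT, ACS)); // allowed for this merchant only
```

A page hardened with a blanket `SAMEORIGIN` or `DENY` is refused by the merchant's iframe, while a `frame-ancestors` list naming the merchant origin keeps the framing restriction for everyone else.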

Another problem is the size of the iframe, and general settings for the iframe element. With so many ACS systems and so many implementations, problems are inevitable.

EMVCo has been consulting with the PCI council and is now taking the first steps to address these problems by providing guideline settings. These include:

a. The use of custom headers for the ACS pages.

b. In Version 2.0 a field was introduced called challengeWindowSize. This field has five values corresponding to challenge window sizes of: 01 = 250 x 400, 02 = 390 x 400, 03 = 500 x 600, 04 = 600 x 400, 05 = Full screen. This allows the ACS to render a page that formats neatly into these dimensions. This also means that the iframe must be one of the four sizes, or the setting should be sent as a full page.

It is therefore important to allow merchants to send the challengeWindowSize value corresponding to their settings, and that this value is passed on to the Endeavour 3DServer.

The ultimate scope of 3DSecure is to give cardholders security combined with a good customer experience.

Endeavour is delivering very high rates of frictionless authentication and we expect the percentage of frictionless authentication to continue to outperform industry standards.

But for those cases where a challenge is required, rendering the challenge window correctly using an iframe, lightbox or as a full page is vital.
