IFrames: integrated safe rooms
In the e-commerce space, iFrames have become a popular option for merchants to maintain PCI DSS compliance and keep the checkout process accessible from inside their webpage. Hosted payment processors take on the complexity of compliance and merchants can tend to their business.
You can imagine an iFrame on your website like a safe room at the end of a hallway in your house. The manufacturer of the room assures you it is the best in the business and has given you easy instructions to implement the safe room. The integration is so well done, customers don’t even realize that the safe room is not actually a part of your house. When you use an iFrame, customers feel good about your security and trust you with their credit card, never knowing that you never even saw them. You feel secure knowing that you’ve side-stepped the risk of accepting payments on your own web server. You don’t collect, store, or transmit any card data. It all happens inside the iFrame–or “safe room”–away from prying eyes.
Then confusion, disbelief, and even anger ensue as you stare in shock at the Common Point of Purchase (CPP) notice from your acquirer. It simply cannot be you. You’re using an iFrame. You never even saw a credit card. Yet here you are, identified as the likely source of a credit card data breach. How did it happen?
A surge in iFrame hacks
Recently, SecurityMetrics forensic investigators have seen a surge in iFrame compromises. A lot of time and effort has gone into making the contents of payment iFrames more secure; there are tokenization schemes, drop-ins, hosted fields, iFrame specific security policies and other measures to ensure the card data remains unavailable to bad actors. But an iFrame is still just an HTML element rendered in the customer’s browser. A safe room in your house might give you some temporary security, but what happens if threat actors have unlimited access to attack the safe room? Hackers have not been idle in figuring out devious ways of extracting data from all those payment iFrames at the end of the hallway in your house.
At best, an iFrame is like a black box. Given enough time, a genius thief might succeed in figuring a way to get their malware into the box and capture the payment data from the inside. A lazy, clever thief might not bother with that much work.
There are many things a merchant can do to protect their payment iFrame, but at the end of the day, an iFrame is nothing more than an HTML element on a page, and if bad actors can access the element itself, it might not matter how well guarded the payment data is inside the element.
Merchants must approach their security to protect the iFrame element with as much gravitas as they do the credit card data being collected inside the iFrame.
Tips to avoid an iFrame Hack
The merchant usually has little, direct control of the security of a hosted checkout process. Thus, the hosting provider may or may not implement a full collection of important security controls to protect your card data. (i.e. critical function logs, AVS, SSL, hardened firewall configurations, vulnerability assessment scans and more).
It is your job as the merchant to fully vet the security compliance (including PCI DSS) of the payment host. In order to begin to improve your security, you may wish to consider the following:
- Protect your part of the castle with full compliance to the PCI DSS. Your own security efforts are still the front line guarding the payment iFrame, regardless of the security practices of the provider host.
- Keep bad actors off your website by finding and plugging vulnerabilities. Perform a vulnerability scan from an PCI ASV (PCI Approved Scan Vendor). You may need to work with your hosting company to address any discovered issues.
- For SecurityMetrics customers, technology providers can be added to your SecurityMetrics account to answer SAQ questions, review scan results, and initiate subsequent scans.
- Move to a web hosting solution that can be PCI DSS-validated, including the ability to provide you with full, PCI-compliant logs for your review, on demand.
- Upgrade your shopping cart solution and apply security patches immediately on release.
- Maintain an incident response plan and/or breach insurance.
What SecurityMetrics is doing to prevent iFrame hacks
SecurityMetrics will be contacting it’s customer base of merchants to offer promotions for ASV scans where they have not previously been required.
Additionally, SecurityMetrics has created a more reliable method to flag Magento 1.x within our vulnerability scan (ASV). Recently, Magento 1.x has too often been a primary factor in merchant breaches.
E-commerce payment security
While some aspects of the payment process may be “outsourced,” the merchant is ultimately responsible for protecting customer data. Education and awareness is an important first step in your cybersecurity and payment security compliance journey.
Prior to becoming a Forensic Analyst for SecurityMetrics, Aaron Willis acquired over 15 years of diverse experience in all aspects of IT security, risk assessment, business intelligence, data mining, SaaS consulting, and programming. In addition to being the VP of Technology and Information Systems at ScrapeGoat, Inc, Willis teaches Digital Forensics as an adjunct instructor at Utah Valley University. Willis holds a Bachelor’s in IT from the same school and a Master's in Digital Forensics from American Military University. He has been with SecurityMetrics as a PFI(PCI Forensic Investigator) since 2010.