02-04-2010, 08:45 AM
wolff

Join Date: Jan 2010
Posts: 3

Re: X-Cart and PCI-DSS / PA-DSS compliance

The same can be said for Quantum Gateway, as I think was stated earlier in this thread...

Regarding SEO: I'm not sure any of this matters with regard to SEO - all I'm talking about is the actual collection of the credit card data - an iFrame embedded at a specific point in the payment page itself.

I have been watching a number of different cart forums regarding the whole PA-DSS issue, and it seems clear to me that the vast majority of them (especially the open source, of course) will not be compliant to this standard by the deadline, if at all.

Should that be the case, users of these carts will need to either embrace a third party gateway - which many contest will reduce sales due to the redirection to a different site - or find a PA-DSS solution, which means abandoning the cart they are invested in.

In many of these forums, the topic of iFrame comes up because it technically solves both problems - eliminates the application compliance requirement, as well as the problem of lost sales due to the user being diverted to another site.

I was initially turned off by the thought - but what has piqued my interest is the fact that certain gateways are specifically offering this as a solution now, complete with APIs.

It seems that among all of the discussion, not many have gone this direction as of yet, and I am really interested in the pluses and minuses. The technology is obviously there, but...

1) Are there anti-iFrame technologies or certain browser settings that would cause the iframe to not show - and if so, can they be detected such that a normal redirect becomes the failsafe?

2) Is there a javascript solution, either using iFrames or as an alternative to them - such as how the commonly accepted Flash integration method works - that might make this concept more widely accepted, and have the redirect become the failsafe if no javascript detected?

3) Does having an iFrame invite site hacking, or automatically lower security such that an injection is more likely? I really question this when considering the fact that a number of gateways are promoting this as a valid solution.

Overall, it seems this method deserves more attention, if at the very least to provide an alternative to consider...

As an aside, I am really wondering why 3rd party gateways still create a reduction in sales - after all, in the beginning, these were relative unknowns, and getting redirected at the point of sale seemed insecure. If I recall, redirection attacks were just in their infancy at the time, so the concerns were certainly valid. But now, many are very well known, PayPal, Google, Amazon, etc., and in light of all of the compliance & cc issues, it would seem some of these would become more accepted by the public than remaining within a site that may or may not be following the proper security practices. The dynamics have changed, and the attacks are coming at the server level, behind the scenes. But from everything I'm reading, it doesn't seem to be playing out that way... ???
XC 4.4.5 Gold
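The failsafe asked about in questions 1 and 2 above (show the gateway's hosted card-entry iframe, and fall back to a full-page redirect when the frame cannot be shown or JavaScript is off) can be wired up as follows. This is an added example, not code from the original post, from X-Cart, or from any gateway's SDK. It assumes a hypothetical gateway at `https://gateway.example` whose hosted page posts a `payment-frame-ready` message to the parent window once it has rendered; the URLs, session placeholder, message name and timeout are all made-up values.

```javascript
// Added example (not from the original post, X-Cart, or any gateway's SDK):
// embed a gateway-hosted card-entry iframe and fall back to a full-page
// redirect when the frame cannot be shown. All URLs, the message name
// "payment-frame-ready" and the timeout are hypothetical placeholders.

const GATEWAY_ORIGIN = "https://gateway.example";   // assumed gateway origin
const FRAME_URL = GATEWAY_ORIGIN + "/hosted-card-entry?session=SESSION_PLACEHOLDER";
const REDIRECT_URL = GATEWAY_ORIGIN + "/hosted-checkout?session=SESSION_PLACEHOLDER";
const FRAME_TIMEOUT_MS = 8000;

// Only embed a frame whose source is HTTPS and on an allow-listed gateway
// origin. Checked at run time so a tampered or mis-templated src cannot point
// the card form at some other host.
function isAllowedFrameSource(url, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;                       // unparseable -> do not embed
  }
  return parsed.protocol === "https:" && allowedOrigins.includes(parsed.origin);
}

// Escape a value for use inside an HTML attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side markup for the no-JavaScript path: with scripting off, a meta
// refresh inside <noscript> sends the shopper to the hosted checkout page.
function renderNoscriptFallback(redirectUrl) {
  return '<noscript><meta http-equiv="refresh" content="0;url=' +
    escapeHtmlAttr(redirectUrl) + '"></noscript>';
}

// Pure state machine, kept free of DOM calls so it can be unit-tested.
// The iframe's load event is a weak signal: browsers may fire it even when
// the gateway refused to be framed (X-Frame-Options / frame-ancestors), so
// "ready" is taken only from the postMessage the gateway page is assumed to
// send, and only when it arrives from the gateway origin.
function createPaymentFrameController(gatewayOrigin) {
  let mode = "pending";                 // "pending" | "iframe" | "redirect"
  return {
    handleMessage(origin, data) {
      if (mode === "pending" && origin === gatewayOrigin &&
          data && data.type === "payment-frame-ready") {
        mode = "iframe";
      }
      return mode;
    },
    handleTimeout() {
      if (mode === "pending") mode = "redirect";
      return mode;
    },
    currentMode() { return mode; },
  };
}

// Browser wiring. `doc` and `win` are passed in rather than taken from globals
// so the function can be exercised with fakes.
function mountPaymentFrame(doc, win, container, opts) {
  const { frameUrl, redirectUrl, allowedOrigins, timeoutMs } = opts;
  if (!isAllowedFrameSource(frameUrl, allowedOrigins)) {
    win.location.assign(redirectUrl);   // refuse to embed anything off-list
    return null;
  }
  const ctl = createPaymentFrameController(new URL(frameUrl).origin);
  const frame = doc.createElement("iframe");
  frame.src = frameUrl;
  frame.title = "Secure card entry";
  const timer = win.setTimeout(function () {
    if (ctl.handleTimeout() === "redirect") win.location.assign(redirectUrl);
  }, timeoutMs);
  win.addEventListener("message", function (ev) {
    if (ctl.handleMessage(ev.origin, ev.data) === "iframe") win.clearTimeout(timer);
  });
  container.appendChild(frame);
  return frame;
}

// Real browser entry point; skipped when run outside a page (e.g. under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  mountPaymentFrame(document, window, document.getElementById("payment"), {
    frameUrl: FRAME_URL, redirectUrl: REDIRECT_URL,
    allowedOrigins: [GATEWAY_ORIGIN], timeoutMs: FRAME_TIMEOUT_MS,
  });
}
```

Two design points bear on question 3. The merchant page cannot read the card fields inside a cross-origin frame (that is what keeps the card data out of the merchant application), but a compromised merchant page could still swap the frame for a look-alike, so the origin allow-list and the HTTPS requirement are enforced before anything is embedded, and "ready" is accepted only from the gateway's own origin. The `<noscript>` markup is emitted server-side alongside the container so the redirect happens even when no script runs at all.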