How can I safely make use of third-party services on my payments page?

There are safer ways to provide third-party resources decreasing the risks described in our article on using third-party resources on my payments page, which your security team should evaluate before and after any implementation:
• Embedding external content (such as chat tools or even limited functionality page analytics) in iFrames
• Hosting the Javascript, fonts, image files, etc. within your PCI DSS scoped service (such as the HPP skin)
• Embedding localized payments pages that contain static content in your HPP skin or in your CSE or Checkout page environment

To track shoppers through the flow (for example using Google Analytics) without embedding web analytics code in your HPP skin, use the merchantReturnData field.

Any third-party hosted service or resource that is not securely embedded in an iFrame, or not entirely stored in the HPP skin, must be from a listed PCI DSS Level 1 or 2 Service Provider, and this provider must be listed in your current SAQ.

If you must embed third-party resources in your payments page, you can also move to a Checkout SDK or Checkout API integration with secure fields. This uses sensitive fields in iFrames to protect payment data.


Was this article helpful?
0 out of 1 found this helpful