There has long been a belief that, for an eCommerce web site, using a hosted pay page or on-page hosting via an iFrame places the responsibility for payment security at the door of the payment solution provider and insulates the merchant from the need to secure their web site environment against payment card fraud. Generally they are more secure and one of the best ways to avoid card compromise on your e-commerce site.

A hosted pay page is a payment page located outside a merchant's web site which allows customers to pay for goods or services during the checkout process. By clicking a "Buy Now" button a shopper is re-directed to a secure payment page hosted by the payment solution provider where they enter the necessary payment information. An on-page hosting model involves setting up a hosted pay page directly on the merchant web site via an iFrame. Customers are not redirected off the merchant's web site to enter their details, but the payment page data is directed from the customer's browser directly to the payment solution providers server.

However, during a recent investigation, I identified that an on-page hosting solution is also open to fraud by malicious agents. The merchant in question used an iFrame provided by Secure Trading to process payments on their eCommerce web site. An attacker was able to access the merchant's eCommerce platform database and add an entry to present a malicious iFrame (below) to harvest payment card data prior to presenting the genuine iFrame:

On completing the malicious iFrame and selecting 'Pay Securely' the payment card data is exfiltrated to the attacker's website and the customer is presented with the following screen:

On selecting 'OK' the customer is presented with the genuine iFrame and proceeds to complete the payment process, assuming that a benign error occurred on the first attempt:

The above indicates that implementing a hosted pay page or an on-page hosting model does not absolve the merchant of responsibility for the security of card payments. Attackers can implement their own iFrame or presenting a payment card confirmation screen before redirecting a customer to the hosted pay page. 

If you require specialist security advice, contact 3B Data Security.