by lucb1e
2289 days ago
> we don't want to redirect them to another website

As a security consultant and user, I would prefer actually seeing whoever processes my data for a few reasons:

- I know who gets my data; it is not sent to them in the background and one can only find out through legalese (if at all, since "a payment processor" is all you're legally obliged to say)
- Payment data processed by a third party is likely more secure than an average-sized web shop (even if you just proxy it, a hack can impact that but it couldn't impact PayPal's security without messing with the URL, which the user could observe (and if you say "but you're a security dude" yeah, but I also teach others to do the same and I've seen companies train their users on the concept of a domain followed by a slash, it isn't hard))
- I know what many of those companies' security reputation is
- And I may know the general reputation of the company, e.g. PayPal has a rich history of issues with both merchants and users so I would rather go back and choose another option if possible