Hacker News
by trungonnews 5418 days ago
If you're going to advertise Recurly as a secured payment product, then you need to do everything you can to prevent third parties and the merchant from peeking at your credit card form.

Any given web page can easily bring in 10 or more external JS libraries, so the chance of one of them getting compromised can only go higher. You need to make sure that your product can survive a cross-site scripting attack.

And you need to protect your product against your own merchant, because those misbehaved merchants can give your business a bad name. Let them steal their users' credit cards, but just don't let them steal them from Recurly's credit card form...

You could have solved these two security issues if you had spent a little more effort and put the credit card form inside a Recurly-owned iframe. But I guess your engineering team took a shortcut. :)

2 comments

An iframe is no more secure than Recurly.js.

First of all, the biggest concern is attack surface. If credit cards went through your server, any complex web application would have a number of locations where the CC would be logged in plaintext. In this case a compromise would not only make it possible to collect new credit cards as they are entered into the system, but also past credit cards in logs. Any of the three options (iframes, hosted pages, and Recurly.js) reduces this attack surface, because credit cards never pass through your backend to be logged, and the Recurly backend, being PCI Level 1, clearly prevents them from ever being logged.

Now, if, say, your web application was vulnerable to an XSS attack on one of your payment pages, it would be just as easy to replace the iframe src and spoof the CC processor's hosted page as it would be to drop in some JS that reads the value of input fields and tunnels them out to the attacker. On that note... even an integration as seemingly foolproof as linking to a third-party hosted page is vulnerable to the same attack, by replacing the href of the link.

The takeaway is that Recurly.js removes as much of the PCI scope as we possibly could without us building and hosting your entire website. Also, watch out for XSS attacks, and don't let your server get rooted.

Yes, in fact the iframe is the only way of doing it securely with the current web specs. ...and it can in fact be done almost completely seamlessly for the end user, with a little bit of hacking.

Yup. It's a bitch getting the iframe to resize when the credit card form shrinks or grows.
It's not impossible though. One method of doing that is to use the trick where an iframe can communicate with its parent document by altering the #fragment URL, which can be read by both parties. It's dirty but it works. The new HTML5 postMessage API can be used as an alternative for browsers that support it.
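The postMessage variant of the resize trick described in this comment, written out as an added example (not Recurly's code, and not from any commenter). The two origins are assumed placeholders; the point is that the merchant page accepts only the frame's height, and only from the origin that serves the card form, so nothing in the exchange can carry card data to the embedding page:

```javascript
// Added example: parent/iframe height sync via postMessage with origin checks on both sides.
// Both origins below are assumptions (placeholders), not real deployments.
const PAYMENT_ORIGIN = 'https://payments.example';   // origin serving the card-form iframe
const MERCHANT_ORIGIN = 'https://shop.example';      // origin of the embedding merchant page

// Runs inside the card-form iframe: build the message the child sends to its parent.
// Only the rendered height is shared; the card fields stay inside the iframe's document.
function makeResizeMessage(height) {
  return { type: 'card-form-resize', height: Math.ceil(height) };
}

// Runs in the merchant page: validate a received message before acting on it.
// Returns the new height in px, or null when the message must be ignored.
function handleResizeMessage(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) return null;            // drop messages from any other origin
  const data = event.data;
  if (!data || data.type !== 'card-form-resize') return null; // drop unrelated message types
  const h = Number(data.height);
  if (!Number.isInteger(h) || h < 0 || h > 5000) return null; // bound the value so a frame cannot wreck layout
  return h;
}

// Browser wiring; skipped when the functions above are exercised outside a browser.
if (typeof window !== 'undefined') {
  if (window.parent !== window) {
    // child side: report the form height to the merchant origin only (explicit targetOrigin)
    const report = () => window.parent.postMessage(
      makeResizeMessage(document.documentElement.scrollHeight), MERCHANT_ORIGIN);
    new ResizeObserver(report).observe(document.body);
    report();
  } else {
    // parent side: apply validated heights, and only from our own payment frame's window
    const frame = document.getElementById('payment-frame'); // assumed element id
    window.addEventListener('message', (event) => {
      const h = handleResizeMessage(event, PAYMENT_ORIGIN);
      if (h !== null && event.source === frame.contentWindow) frame.style.height = h + 'px';
    });
  }
}
```

The same validation shape (check `event.origin`, check the message type, bound the value, pass an explicit `targetOrigin` when sending) applies to the #fragment variant, except that there the parent must also accept that any script on its own page can read the fragment.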
I didn’t even realize postMessage was a new API. It works in everything newer than IE7. http://caniuse.com/#x-doc-messaging
Haha, yes, that too. I was referring to secure payments where the host site can affect the layout of payments but not the secret details. Yes, you can do that if you're creative. :)