SecurityMetrics Forensic Team Reports New iFrame Payment Gateway Attack Vector


iFrames are a popular option for e-commerce merchants to maintain PCI DSS compliance. They let payment processors take on the complexity of compliance so that merchants can tend to their business.

But as more merchants move to iFrames, so do hackers. SecurityMetrics forensic investigators have recently found new sophisticated iFrame attacks that are leading to merchant e-commerce credit card theft.

A lot of time and effort has gone into making the contents of payment iFrames more secure and ensuring the card data remains unavailable to bad actors. However, an iFrame is still an HTML element rendered in the customer’s browser.

“All an attacker needs to do is find any area of the website or the customer’s browser where they can execute JavaScript commands against the iFrame tag,” said Aaron Willis (PFI, CISSP, QSA, Senior Forensic Analyst at SecurityMetrics).

SecurityMetrics has contacted their customers about this issue and is offering promotions for vulnerability scans to help merchants keep their data and their reputation safe.

E-commerce merchants should know that iFrame payment gateways are not totally secure. They can do the following to improve their security posture:

  • Perform a vulnerability scan from a PCI Approved Scan Vendor (PCI ASV) and work with hosting companies to address any discovered issues.
  • For SecurityMetrics customers, technology providers can be added to a customer account to answer SAQ questions, review scan results, and initiate subsequent scans.
  • Move to a web hosting solution that can be PCI DSS-validated.
  • Upgrade your shopping cart solution.
  • Maintain an incident response plan.
