PCI DSS iframe Integration
When you use an iframe to process payments, you create a secure conduit between your end users and your payment provider.
In accordance with Vercel's shared responsibility model, this approach facilitates:
- Data isolation: The payment card information entered in the iframe is isolated from Vercel’s environment and does not pass through Vercel's managed infrastructure
- Direct data transmission: Information entered in the iframe is sent directly to your payment processor so that Vercel never processes, stores, or has access to your end users’ payment card data
- Reduced PCI DSS scope: With isolation and direct data transmission, the scope of PCI DSS compliance is reduced. This simplifies compliance efforts and enhances security
Select a payment provider that offers the following:
- End-to-end encryption
- Data tokenization
- Built-in fraud detection
- 3DS authentication protocol
- Compliance with latest PCI DSS requirements
Embed the provider’s iframe in your application’s payment page
This is example code for a payment processor's iframe:
The sandbox attribute and its values are often required by the payment processor:
- allow-forms: Enables form submissions in the iframe, essential for payment data entry
- allow-top-navigation: Allows the iframe to change the full page URL. This is useful for post-transaction redirections
- allow-same-origin: Permits the iframe to interact with resources from the hosting page's origin. This is important for functionality but slightly reduces isolation
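The following is an added example, not code from the original page or from any payment provider: it pulls the iframe tags out of a payment page and audits each one's src and sandbox tokens against the values described above. The provider origin payments.example.com, the sample markup and the function names are assumptions made for illustration.

```javascript
// Constructed sample markup; payments.example.com is a placeholder provider origin.
const SAMPLE_PAGE = `
<iframe src="https://payments.example.com/checkout"
        sandbox="allow-forms allow-top-navigation allow-same-origin"></iframe>`;

// The three sandbox tokens this page describes.
const DOCUMENTED_TOKENS = new Set(['allow-forms', 'allow-top-navigation', 'allow-same-origin']);

// Collect the attributes of every <iframe ...> opening tag in an HTML string.
// A regex is enough for this constructed sample; use a real HTML parser on arbitrary pages.
function extractIframes(html) {
  const frames = [];
  for (const [, attrText] of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = {};
    for (const [, name, value] of attrText.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[name.toLowerCase()] = value;
    }
    frames.push(attrs);
  }
  return frames;
}

// Return a list of findings for one iframe; an empty list means nothing to review.
function auditPaymentIframe(attrs, allowedOrigin) {
  const findings = [];
  let url = null;
  try { url = new URL(attrs.src); } catch { findings.push('src is missing or not an absolute URL'); }
  if (url && url.protocol !== 'https:') findings.push('src is not HTTPS');
  if (url && url.origin !== allowedOrigin) findings.push(`src origin ${url.origin} is not the expected provider`);
  if (attrs.sandbox === undefined) {
    findings.push('no sandbox attribute: the frame runs without sandbox restrictions');
    return findings;
  }
  const tokens = attrs.sandbox.split(/\s+/).filter(Boolean);
  for (const t of tokens) {
    if (!DOCUMENTED_TOKENS.has(t)) findings.push(`extra token ${t}: confirm the provider requires it`);
  }
  if (tokens.includes('allow-same-origin')) findings.push('allow-same-origin set: isolation is slightly reduced');
  if (!tokens.includes('allow-forms')) findings.push('allow-forms missing: form submission in the frame is blocked');
  return findings;
}

for (const frame of extractIframes(SAMPLE_PAGE)) {
  console.log(frame.src, auditPaymentIframe(frame, 'https://payments.example.com'));
}
```

Running this in a build or CI step against the rendered payment page catches a sandbox attribute that was dropped or widened during a later change.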