Many merchants and web developers are under the impression that simply implementing a redirected payment method (an iFrame or a fully hosted payment page) in their eCommerce environment makes customers' payment card data completely safe and that security is no longer a concern.
This is a dangerous trap: it can lead to a breach, followed by costly investigations and fines. These payment methods rely heavily on the security of the web site from which they redirect, so PCI DSS compliance still applies to these merchants and their developers.
Earlier this year the Foregenix Digital Forensics and Incident Response team investigated a web site where a lack of appropriate security controls allowed sophisticated malicious code to be introduced, which breached the iFrame payment model of a major UK payment service provider by performing a man-in-the-middle attack.
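The incident above turns on one fact: the payment iFrame is only as trustworthy as the merchant page that embeds it, because injected markup or script on that page can replace or overlay the frame. A simple defender-side check is to verify that every iFrame, form action and script on the checkout page points at the merchant's own origin or the payment service provider's origin and nothing else. The following is an added example written for this article, not Foregenix code or any PSP's integration library; the origins, file names and HTML pages it uses are constructed for illustration.

```python
"""Checkout-page integrity check for an iFrame / hosted-payment integration.

Added example (not Foregenix code). It parses a checkout page, collects every
<iframe src>, <form action> and <script src>, and reports any that resolve to
an origin outside the merchant's own site or the allowlisted payment service
provider (PSP). All origins, URLs and HTML below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the merchant's own site and the PSP that serves the
# payment iFrame. A real deployment takes these from the PSP's integration docs.
ALLOWED_ORIGINS = {
    "https://shop.example",
    "https://pay.psp.example",
}

# Tags whose URL-bearing attribute can carry card data or code off the page.
WATCHED = {"iframe": "src", "form": "action", "script": "src"}


class _Collector(HTMLParser):
    """Record (tag, url) for every watched tag, in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def origin_of(url, page_origin):
    """Resolve a URL to the origin it will load from.

    Relative paths belong to the page; scheme-relative URLs ("//host/x")
    inherit the page's scheme; non-http(s) schemes such as javascript: or
    data: are reported as their own pseudo-origin so they are never allowed.
    """
    p = urlparse(url)
    if p.scheme and p.scheme not in ("http", "https"):
        return f"{p.scheme}:"
    if not p.netloc:
        return page_origin
    scheme = p.scheme or urlparse(page_origin).scheme
    return f"{scheme}://{p.netloc}".lower()


def find_unexpected_refs(html, page_origin, allowed=ALLOWED_ORIGINS):
    """Return the (tag, url) pairs whose origin is not allowlisted.

    A hit like ("iframe", "https://evil.example/frame") is the shape of a
    swapped payment frame; a ("script", ...) hit is injected code that could
    overlay or rewrite the genuine frame.
    """
    collector = _Collector()
    collector.feed(html)
    return [
        (tag, url)
        for tag, url in collector.refs
        if origin_of(url, page_origin) not in allowed
    ]


# Constructed sample pages: one as the merchant deployed it, one with an
# injected script and a replaced payment frame.
CLEAN_PAGE = """
<html><body>
<script src="/static/checkout.js"></script>
<iframe id="payment" src="https://pay.psp.example/frame?session=abc"></iframe>
</body></html>
"""

TAMPERED_PAGE = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://evil.example/c.js"></script>
<iframe id="payment" src="https://evil.example/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        hits = find_unexpected_refs(page, "https://shop.example")
        print(f"{label}: {'OK' if not hits else hits}")
```

Run against a fetched copy of the live checkout page on a schedule, the check gives an early signal that the page embedding the PSP frame has been altered. It complements, rather than replaces, a Content-Security-Policy that restricts `frame-src` and `script-src` to the same allowlist and the PCI DSS controls the article refers to.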
Merchants and developers must keep security at the forefront when creating and managing eCommerce environments, ensuring that the minimum PCI DSS standards are adhered to. Foregenix's own eCommerce security solution can assist in reaching the complete security posture required to prevent these increasingly frequent payment data breaches.
ECommerce businesses have been advised to implement hosted payment pages from their payment service provider, or to use a redirected payment via iFrame. In doing so they are considered significantly more secure than the alternatives, warranting a reduced PCI DSS validation questionnaire. The message reaching much of the market is that if you use one of these payment options on your website, you don't need to worry about security. This is NOT correct.