Jscrambler

Introducing Iframe Integrity: Redefining Payment Page Security for PSPs

March 26th, 2025 | By Pedro Fortuna | 7 min read

At Jscrambler, innovation often starts with a simple conversation, and the story of our latest product, Iframe Integrity, is no different.

It was October 2023, and I was attending the PCI SSC Community Meeting in Dublin. Between presentations and panels, I found myself in conversation with QSAs and PSPs, discussing one of the industry’s emerging challenges: how can small merchants (Level 3 and Level 4) realistically comply with PCI DSS 4.0 requirements 6.4.3 and 11.6.1? Many of these merchants lack the resources, expertise, or even the interest to manage the complexity of script management and security monitoring. Yet, the threat of skimming attacks was more present than ever.

As we shared ideas and concerns over coffee, one suggestion emerged: could Payment Service Providers, Payment Processors, and Ecommerce Gateways (from now on, I'll refer to these as PSPs, to simplify) step in to help, just as they did in previous PCI DSS versions with the introduction of the iframed payment page? But this time, there was a significant catch. Maintaining script inventories and responding to alerts for thousands of merchants would be unmanageable for PSPs.

This challenge became the seed for what would grow into Iframe Integrity.


Understanding the Threat Landscape

We set out with a clear goal: design a solution that requires no involvement from the merchant and that addresses iframe skimming attacks using a risk-based, highly effective approach.

We began by methodically identifying every known attack vector against iframed payment pages — silent skimming, double-entry attacks, iframe hijacking, overlays, fake iframes, fake forms, and function hijacking. Ultimately, these attacks fall into three main categories:

  1. Direct interference with the payment iframe, such as iframe hijacking or tampering to redirect it to an attacker-controlled endpoint.

  2. Indirect interference, where attackers overlay fake iframes or forms to deceive users or tamper with the payment flow.

  3. Interference with security controls, attempting to weaken or bypass detection mechanisms through techniques like function hijacking.
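The three categories above can be expressed as checks over a snapshot of the merchant page. This is an added example, not Jscrambler's code or how Iframe Integrity works; the snapshot format, the PSP origin `https://pay.psp.example`, and all element names are constructed assumptions.

```javascript
// Added example: snapshot format, origin and names are constructed assumptions.
const PSP_ORIGIN = "https://pay.psp.example";

const originOf = (url) => { try { return new URL(url).origin; } catch { return null; } };
const overlaps = (a, b) =>
  a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
// Built-ins stringify to "[native code]"; toString can itself be patched,
// so treat this as a first-line check only.
const isNative = (fn) => typeof fn === "function" &&
  /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));

function auditPaymentPage(snap, pspOrigin = PSP_ORIGIN) {
  const findings = [];
  const pay = snap.elements.find((e) => e.id === snap.paymentIframeId);
  // Category 1: the payment iframe itself was removed, replaced or re-pointed.
  if (!pay || pay.tag !== "iframe" || originOf(pay.src) !== pspOrigin)
    findings.push({ category: "direct", detail: "payment iframe not on PSP origin" });
  // Category 2: something sits on top of the iframe, or a card form lives on the merchant page.
  for (const e of snap.elements) {
    if (e === pay) continue;
    const covers = pay && overlaps(e.rect, pay.rect) && e.zIndex > pay.zIndex;
    const cardForm = e.tag === "form" && (e.fields || []).some((f) => /card|cvv|cvc/i.test(f));
    if (covers || cardForm)
      findings.push({ category: "indirect", detail: `${e.tag}#${e.id} ${covers ? "overlays iframe" : "collects card fields"}` });
  }
  // Category 3: built-ins the monitoring code depends on were replaced.
  for (const [name, fn] of Object.entries(snap.guarded))
    if (!isNative(fn)) findings.push({ category: "controls", detail: `${name} is patched` });
  return findings;
}

// Constructed snapshots. JSON.stringify stands in for a guarded browser built-in.
const frame = { id: "pay", tag: "iframe", src: PSP_ORIGIN + "/checkout", rect: { x: 0, y: 100, w: 400, h: 200 }, zIndex: 1 };
const CLEAN = { paymentIframeId: "pay", elements: [frame], guarded: { "JSON.stringify": JSON.stringify } };
const TAMPERED = {
  paymentIframeId: "pay",
  elements: [
    { ...frame, src: "https://pay-psp.example.net/checkout" },
    { id: "promo", tag: "form", fields: ["cardnumber", "cvv"], rect: { x: 0, y: 120, w: 400, h: 150 }, zIndex: 9 },
  ],
  guarded: { "JSON.stringify": (...args) => JSON.stringify(...args) },
};

console.log(auditPaymentPage(CLEAN));
console.log(auditPaymentPage(TAMPERED));
```

In a browser, the snapshot would be built from the live DOM and the guarded list would name the built-ins the monitoring code relies on. A check like this only reports; blocking requires running before any third-party script.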


Launching Iframe Integrity

Our solution combined the best of Jscrambler’s technology. We leveraged our Webpage Integrity agent with a configuration designed to detect and block any code behavior that could compromise the integrity of the iframe. But we knew this wouldn’t be enough. We also needed Code Integrity to protect privileged scripts, such as the PSP’s script responsible for creating the payment iframe, from tampering and monkey patching. Together, these components formed a robust, multi-layered defense that could meet the intent of 6.4.3 and 11.6.1 without imposing a heavy operational burden on merchants and PSPs.

The product beta was called Armored Iframe, and throughout the past year, we tested and refined it with key industry players while bringing on happy customers. Then came the industry confirmation: changes to SAQ A eligibility criteria and the clarifications in PCI SSC’s FAQ 1588 that PSPs and PayFacs would need to help their merchants confirm that they are not susceptible to attacks from merchant-side scripts. This is when we knew there would be a momentous shift in the market. This industry shift made it crystal clear that iframe hardening was no longer optional — it was essential.

Today, we are proud to officially launch Iframe Integrity as a core component of the Jscrambler product suite. Iframe Integrity allows PSPs to offer PCI DSS compliance (requirements 6.4.3 and 11.6.1) and SAQ A eligibility to their merchants, shielding their payment pages from sophisticated skimming attacks and ensuring trust and security at every transaction.


Built on Foresight and Expertise

At Jscrambler, we’ve always taken pride in seeing around corners. Before PCI DSS 4.0 even existed, we had already built and launched Webpage Integrity, anticipating that the industry would demand tighter client-side controls. When requirements 6.4.3 and 11.6.1 were introduced, adding a PCI DSS module was a natural extension, validating that we were already ahead of the curve.

The same story repeated itself with Iframe Integrity. Long before SAQ A changes and FAQ 1588 were published, we had already envisioned and built the solution. What started as Armored Iframe is now officially launched as Iframe Integrity — the industry’s first comprehensive iframe hardening product.

This is more than a product launch. It’s another clear demonstration of Jscrambler’s leadership and vision. We don’t just react to changes in the payments and security industry — we anticipate them, build for them, and help shape the future. With Iframe Integrity, we’re once again leading from the front, redefining what security looks like in the web payments ecosystem.
