Page 26 - GS210402
CoverStory
"Transmitting, processing and storing sensitive data is a huge risk, and appropriate controls must be identified to reduce the risk to an acceptable level," Foregenix researchers wrote. "If a malicious actor has access to encrypted sensitive data and has no access to the decryption key, the sensitive data is of no value to the attacker. In certain use cases, similar risk reduction with less complexity can be achieved by using data tokens."

Embedded payment pages

Encryption and tokenization are commonly used to protect transactions in PIN pads, ATMs and physical points of interaction. These methods also protect mobile and digital commerce, Foregenix researchers noted, citing iFrame technology as an example.

"An iFrame (or Inline Frame) is a method of seamlessly embedding a web page within another web page - the iFrame becomes a frame for displaying another web page," researchers wrote. "iFrames provide 'sandboxing' to isolate the content of the embedded frame from the parent web page, thus ensuring that information is not accessible or cannot be manipulated through various exploits by malicious individuals."

Ruston Miles, founder and advisor at technology provider Bluefin, noted that ShieldConex uses hosted fields within hidden iFrame technology to capture and encrypt sensitive data. The solution uses the same HSMs as Bluefin's hardware-based PCI-validated P2PE solution. This brings the same standard of encryption and key management to the digital world that merchants and service providers have come to rely on in the physical world, he stated.

"The merchant and consumer are not vulnerable in any way," Miles said. "And if merchants ever want to do anything with the data, they can give it to the payment gateways and processors connected to us, and they'll go off and process it, because they have that special connection to Bluefin behind the scenes to go off and revalue the data."

iFrame benefits, methodologies

Estes observed that iFrame offers a secure alternative to managing and storing sensitive data. The company's PCI-compliant, proprietary iFrame encrypts data in transit and at rest in servers around the country, she stated, using the latest industry standards.

"Embedding the iFrame inside a website or application eliminates having any actually keyed and stored financial data on a merchant's servers," Estes said. "Tokenizing the customer's information creates a pathway where only the encrypted token is stored on the merchant's server, not other vital actual payment information. This enables them to store that payment method on file in their system to use for recurring, autopay or one-time transactions without actually storing or transmitting their customers' data on their servers at any point, keeping them out of PCI scope."

Another benefit of iFrame is that it delivers frictionless checkouts without redirecting shoppers to a payment page, Estes stated. Instead, they can check out on the merchant's website within an integrated space that reflects the merchant's color and branding. Channel partners can choose self-hosted, ICG-hosted and semi-integrated iFrame implementation models, she noted.

Estes went on to say that the iFrame solution ranks highly with ISV referral partners who want to control the user experience while staying out of PCI scope. Using the iFrame gives them that desired look and flow, enabling them to maintain a positive user experience while seamlessly integrating ACH and credit cards into their application, she pointed out, adding that these capabilities help ICG partners and clients stay in compliance with standards and rule changes as updated.

Software-based, hardware-driven

Justin Pike, founder and chairman of MYPINPAD, a global provider of secure authentication solutions, noted that his service offering is software-based with hardware components. "When the PCI SSC published the software-based PIN entry on commercial off-the-shelf solutions (SPoC) specification in 2018, it enabled payments to be taken on connected devices rather than boxes," Pike said. SPoC has significantly reduced related complexities and costs of payments acceptance, he added.

In a similar way, MYHSM, a former sister company of MYPINPAD, developed a SaaS-based solution for managing hardware secure modules. The company was acquired in 2020, by global technology leader Utimaco. Stefan Auerbach, chief executive officer at Utimaco, called MYHSM a leading provider of Payment HSM as a Service.

"Utimaco recently introduced our next-generation high performance HSM platform called u.trust Anchor," Auerbach said. "[The solution] reduces complexity in HSM installations, solves the challenges of cloudifying HSMs and gives cloud service providers and enterprise customers scalability and elasticity to add both payment and general purpose HSM applications/services that usually require different hardware."

Stakeholder benefits

Reflecting on POS technology evolution, Pike mentioned that recent changes are positively impacting stakeholders across the entire commerce value chain. He offered these examples:

• Consumers: Consumers can use a multifunctional front-end device, such as a smartphone or tablet, to manage payments, which eliminates the need for single-use hardware like a POS terminal. They can also change the PIN on their payment card without having to visit an ATM or bank branch.

• Payment service providers: PSPs can use MYPINPAD's Contactless Payments on Commercial off-the-
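
The merchant-page side of the embedded iFrame and tokenization flow described under "Embedded payment pages" and "iFrame benefits, methodologies", as an added example that is not code from the article or from any vendor it quotes: the parent page accepts a message from the payment frame only if it comes from the provider's origin and carries a token, and it fails closed if anything resembling a card number crosses the frame boundary. The provider origin, the frame element id, the message shape and the `tok_` token format are assumptions.

```javascript
// Added example. PROVIDER_ORIGIN, the frame id, the message shape and the
// "tok_" token format are assumptions, not any vendor's real interface.
const PROVIDER_ORIGIN = "https://pay.provider.example";
const TOKEN_RE = /^tok_[A-Za-z0-9]{16,64}$/;

// Luhn check, used only to spot card-number-like values that must never
// reach the merchant page if the iFrame isolation is working as intended.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Decide whether a postMessage event from the payment frame may be used.
function acceptFrameMessage(event, frameWindow) {
  if (event.origin !== PROVIDER_ORIGIN) return { ok: false, reason: "origin" };
  if (event.source !== frameWindow) return { ok: false, reason: "source" };
  const data = event.data;
  if (data === null || typeof data !== "object" || data.type !== "token") {
    return { ok: false, reason: "shape" };
  }
  // Fail closed if any field carries something that passes as a card number.
  if (Object.values(data).some(looksLikePan)) {
    return { ok: false, reason: "pan-in-message" };
  }
  if (typeof data.token !== "string" || !TOKEN_RE.test(data.token)) {
    return { ok: false, reason: "token-format" };
  }
  return { ok: true, token: data.token }; // only the token goes to the server
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== "undefined") {
  const frame = document.getElementById("pay-frame"); // hypothetical id
  window.addEventListener("message", (event) => {
    const result = acceptFrameMessage(event, frame.contentWindow);
    if (result.ok) console.log("token to store on file:", result.token);
    else console.warn("payment frame message rejected:", result.reason);
  });
}
```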