As per my understanding of the documentation, the only required parameters to load the iFrame on your page are paypageId and the appropriate eProtect script src link. All of these parameters are available in the JavaScript, and therefore client facing. Thus, any user can find them from the console, obtain the iFrame on their own website and abuse the system. How is this abuse prevented?
Hi Adesh,
Thank you so much for your patience - it took me a while to hunt down an answer for you. Here's what one of our senior product managers thought:
"While the threat vector to maliciously register eProtect tokens can feasibly be exploited, eProtect would still remove clear text data from the merchant environment, as it does not allow permission to derive back to the underlying sensitive value, nor would the attacker have permission to redeem the eProtect tokens for payment processing, as there are compensating controls to prohibit unauthorized use. In summary, while one party may register the token, the token is useless to unauthorized parties.
It's important that merchants adequately protect their environment in alignment with society best practices and standards. While merchants that implement the Vantiv iFrame may not be required to validate applicable controls for systems that do not touch cardholder data, it is recommended they review PCI DSS requirements for elements of their ecommerce infrastructure, since compromise of the merchant's web pages could potentially result in a compromise of the iFrame, and failure to implement the solution in alignment with the eProtect Integration Guide could introduce risk to the environment, and merchants may no longer be eligible for control reduction.
Vantiv's recommendations can be found in our eProtect technical assessment paper, written by Coalfire, a third-party certified Qualified Security Assessor (QSA)."
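The answer above rests on two defender-side points: the merchant page must never become a path for card data, and the merchant's own pages must be hardened so a page compromise does not become an iFrame compromise. The following is an added illustration, not code from the thread, from Vantiv/Worldpay or from the eProtect SDK. It assumes a placeholder hosted-fields origin (EPROTECT_ORIGIN) and a simplified result shape ({paypageId, paypageRegistrationId, status}) delivered as a message; the real eProtect callback fields are not reproduced here.

```javascript
// Added example, not eProtect's own code. Assumptions are labelled inline.

// Placeholder for the origin that serves the hosted card-entry iFrame (assumed).
const EPROTECT_ORIGIN = "https://eprotect.example";

// Content-Security-Policy for the checkout page: scripts and frames may only come
// from the merchant's own origin and the hosted-fields origin. This is the kind of
// page hardening the answer refers to when it warns that a compromised merchant
// page could compromise the iFrame.
function buildCheckoutCsp(selfOrigin, eprotectOrigin) {
  return [
    "default-src 'self'",
    `script-src 'self' ${eprotectOrigin}`,
    `frame-src ${eprotectOrigin}`,
    `connect-src 'self' ${eprotectOrigin}`,
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
  ].join("; ");
}

// Raw card fields that must never reach the merchant page. If any appear in a
// result, the integration is broken and nothing should be forwarded.
const FORBIDDEN_FIELDS = ["accountNumber", "cardNumber", "cvv", "cvv2"];

// Decide whether a tokenization result may be forwarded to the merchant backend.
// `msg` mimics a browser message event: {origin, data}. `expected` carries the
// origin and paypageId the page was configured with. Only the registration id
// and the merchant's own order id are ever forwarded; the backend, which alone
// holds the merchant credentials, does the redemption.
function acceptTokenizationResult(msg, expected) {
  if (!msg || msg.origin !== expected.origin) {
    return { ok: false, reason: "unexpected origin" };
  }
  const d = msg.data || {};
  for (const f of FORBIDDEN_FIELDS) {
    if (f in d) return { ok: false, reason: `raw card field present: ${f}` };
  }
  if (d.paypageId !== expected.paypageId) {
    return { ok: false, reason: "paypageId mismatch" };
  }
  if (d.status !== "success") { // assumed status value, not eProtect's real code
    return { ok: false, reason: "tokenization not successful" };
  }
  if (typeof d.paypageRegistrationId !== "string" || d.paypageRegistrationId.length === 0) {
    return { ok: false, reason: "missing registration id" };
  }
  return {
    ok: true,
    reason: "accepted",
    forward: { paypageRegistrationId: d.paypageRegistrationId, orderId: expected.orderId },
  };
}

// Constructed sample inputs (not real values).
const EXPECTED = { origin: EPROTECT_ORIGIN, paypageId: "PAYPAGE-PLACEHOLDER", orderId: "order-1001" };
const GOOD_MSG = {
  origin: EPROTECT_ORIGIN,
  data: { paypageId: "PAYPAGE-PLACEHOLDER", paypageRegistrationId: "REG-PLACEHOLDER", status: "success" },
};
const SPOOFED_MSG = { origin: "https://attacker.example", data: GOOD_MSG.data };
const LEAKY_MSG = { origin: EPROTECT_ORIGIN, data: { ...GOOD_MSG.data, accountNumber: "4111111111111111" } };

console.log(buildCheckoutCsp("https://shop.example", EPROTECT_ORIGIN));
console.log(acceptTokenizationResult(GOOD_MSG, EXPECTED));
console.log(acceptTokenizationResult(SPOOFED_MSG, EXPECTED));
console.log(acceptTokenizationResult(LEAKY_MSG, EXPECTED));
```

The design choice worth noting: the page-side check is not what makes a stolen token useless (that is the gateway's redemption control described in the answer); it keeps the merchant page out of the card-data path and keeps a compromised or spoofed frame from injecting results the backend would act on.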
©2020 FIS