From Worldpay solutions to FIS banking capabilities, find answers, ask questions, and connect with our community of developers.
Showing results for 
Search instead for 
Did you mean: 
Welcome to the FIS Developer Community.

How does eProtect iFrame prevent it's abuse

How does eProtect iFrame prevent it's abuse

As per my understanding from the documentation, the only required parameters to load the iFrame on your page is paypageId and the appropriate script eProtect src link. All these parameters are available in the javascript, therefore client facing. Thus, any user can find these from console and obtain the iFrame in their website and abuse the system. How is this abuse prevented?

Tags (1)

Hi Adesh,

Thank you so much for your patience - it took me a while to hunt down an answer for you. Here's what one of our senior product managers thought: 

"While the threat vector to maliciously register eProtect tokens can be feasibly done, eProtect would still remove clear text data for the merchant environment would as it does not allow permission to derive back to the underlying sensitive value, nor would the attacker has permission to redeem the eProtect tokens for payment processing as there compensating controls to prohibit unauthorized used. In summary, while one party may register the token, the token is useless to unauthorized parties.


It’s important that merchants adequately protect their environment in alignment of society best practices and standards.  While merchants that implement Vantiv iFrame may not be required to validate applicable controls for systems that do not touch cardholder data, it is recommended they review PCI DSS requirements for elements of their ecommerce infrastructure since compromise of the merchant’s web pages could potentially result in a compromise of the iFrame, and failure to implement the solution in alignment with the eProtect Integration Guide could introduce risk to the environment, and merchants may no longer be eligible for control reduction


Vantiv’s recommendations can be found in our eProtect technical assessment paper, written by Coalfire, ad third certified Qualified Security Assessor (QSA)."

Version history
Revision #:
1 of 1
Last update:
‎11-21-2017 03:03 AM
Updated by: