How can I safely make use of third-party services on my payments page?

Including third-party resources (like JavaScript, images, or other document types) in your payments page creates serious risks for you and your shoppers. (Read more on that here.)

There are safer ways to provide these facilities, which your security team should evaluate before and after any implementation:
• Embedding external content (such as chat tools or even limited-functionality page analytics) in iFrames
• Hosting the JavaScript, fonts, image files, etc. within your PCI DSS scoped service (such as the HPP skin)
• Embedding localized payments pages that contain static content in your HPP skin or in your CSE or Checkout page environment

To track shoppers through the flow (for example using Google Analytics) without embedding web analytics code in your HPP skin, use the merchantReturnData field.

Any third-party hosted service or resource that is not securely embedded in an iFrame, or not entirely stored in the HPP skin, must be from a listed PCI DSS Level 1 or 2 Service Provider, and this provider must be listed in your current SAQ.
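One way to check a page against this rule, added here as an illustration and not taken from the original article: the script lists every reference to another host, separating resources loaded directly into the page from content isolated in an iFrame. The page URL, hostnames and sample markup are constructed placeholders, and "same host as the page" is an assumed stand-in for "hosted within your PCI DSS scoped service".

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that loads a resource directly into the page's own context.
DIRECT = {"script": "src", "img": "src", "link": "href",
          "source": "src", "embed": "src", "object": "data"}


class ResourceAudit(HTMLParser):
    """Collect third-party references made by a payments page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.direct = []  # loaded into the page itself: review against the SAQ
        self.framed = []  # third-party content isolated in an iframe

    def handle_starttag(self, tag, attrs):
        attr = "src" if tag == "iframe" else DIRECT.get(tag)
        ref = dict(attrs).get(attr) if attr else None
        if not ref:
            return
        url = urljoin(self.page_url, ref)  # resolves relative and //host URLs
        host = urlsplit(url).hostname
        if host is None or host == self.page_host:
            return  # same host, or a non-network reference such as data:
        (self.framed if tag == "iframe" else self.direct).append((tag, url))


def audit(html, page_url):
    """Return (direct, framed) lists of (tag, url) for other-host references."""
    parser = ResourceAudit(page_url)
    parser.feed(html)
    return parser.direct, parser.framed


# Constructed sample markup; every hostname below is a placeholder.
PAGE_URL = "https://pay.example-shop.test/hpp/pay.html"
SAMPLE = """
<script src="/skin/js/checkout.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<link rel="stylesheet" href="//fonts.example.org/css?family=Sans">
<iframe src="https://chat.example.com/widget"></iframe>
"""

if __name__ == "__main__":
    direct, framed = audit(SAMPLE, PAGE_URL)
    print("review:", direct)
    print("framed:", framed)
```

This inspects static markup only: resources injected at runtime by scripts do not appear, and `<link>` entries such as `rel="canonical"` are reported even though the browser does not fetch them.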

If you must embed third-party resources in your payments page, you can also move to a Checkout SDK or Checkout API integration. This uses secure fields (sensitive fields in iFrames) to protect payment data.


For more information contact Support.
