Hi all,

My company is developing a payment system which runs its pages from https. The plan is that our customers (who are online retailers) will be able to utilize the payment system from within their own sites inside an iframe.

Now Ive checked and it seems fine to have the payments pages served as an iframe running https, with the outside (retailers) page running http.

However, we would like to set it up such that the retailer could also serve their end of the payment pages (i.e. the pages that contain the iframe) as https also.

My question is: Is having the retailers page as https, with https payment screens inside an iframe (running a separate certificate), going to mess up the security or cause security warnings to appear from the browsers of people using the sites?

Thanks,
-Mark-

I don't see if messing up security unless the certificates are from a different authority or if the security procedures on your end aren't the same as the payment processing end. Browsers might not like it though, and there might be some data conversion issues, though I'm terribly sure. Probably wouldn't be a bad idea to test this if you can before deployment.

Thanks for the reply Ryan you seem to be correct.

I tested using a locally generated and authed cert on a page which had an element off an externally certified page (on a different domain). This didnt give any errors (apart from about the duff local cert) and furthermore showed as being secure, whereas pages I tried with a mix of secure (main page) and unsecure (elements) gave security warnings.

As a side note, pages which were unsecure (main page) with secure elements, showed as being completely unsecured, but equally gave no warnings or errors.