iFrame Hosted Payments


I'm attempting to "consolidate" all payment entries for all our various web applications under a single "hosted" payment entry web application. To be as "flexible" as possible with our various web applications without compromising security, I thought I would create a standard Web 2.0 widget that will iFrame the payment entry/processing screen from a web application on the same 2nd level domain, but a different 3rd level domain.

IE: These "separate" web applications:

would all iframe, at the point of "check-out" and in a "lightbox" metaphor, content from https://payments.company.com/payment-entry.php

The [https://payments.company.com] would be on a completely different server and be subject to PCI compliance because it's the only web application exposed to CC data. The goal is to eliminate as many internal and external applications seeing CC data as possible.

If I have a wildcard certificate, does anyone see any security or cross-site scripting issues with this iframe same 3rd level domain solution?
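
An added example, not part of the original question: because a wildcard certificate is valid for every third-level host, the payment page cannot treat "some host under company.com over TLS" as proof that a trusted application is framing it. The sketch compares a substring check with an exact-origin allow-list and builds the matching `frame-ancestors` header. The parent origins are placeholders (the question's application list is not on the page), and the `postMessage` handler is an assumption about how the widget and the frame would communicate.

```javascript
// Placeholder parent applications allowed to embed the payment page.
const ALLOWED_PARENTS = new Set([
  "https://shop.company.com",   // placeholder
  "https://portal.company.com", // placeholder
]);

// Weak check: matches on the shared second-level domain only.
// It accepts any sibling subdomain and any string that merely contains the name.
function weakIsAllowed(origin) {
  return origin.includes("company.com");
}

// Strict check: parse the value, require HTTPS, compare the normalized
// origin (scheme + lowercased host + non-default port) against the list.
function isAllowedParent(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // e.g. the opaque origin "null" sent by sandboxed frames
  }
  return url.protocol === "https:" && ALLOWED_PARENTS.has(url.origin);
}

// Response header for payment-entry.php: only listed parents may frame it.
// Listing origins explicitly avoids the wildcard form https://*.company.com.
function frameAncestorsHeader() {
  const sources = [...ALLOWED_PARENTS].join(" ");
  return "Content-Security-Policy: frame-ancestors " + sources;
}

// Message handler for the payment frame (assumed design): data from an
// unlisted origin is dropped instead of being processed.
function acceptMessage(event) {
  return isAllowedParent(event.origin) ? event.data : null;
}

// Constructed sample origins for comparison.
const SAMPLES = [
  "https://shop.company.com",
  "https://unlisted.company.com",        // sibling host, still covered by the wildcard cert
  "http://shop.company.com",             // right host, no TLS
  "https://company.com.attacker.example" // name appears only as a prefix label
];

function compareChecks() {
  return SAMPLES.map((o) => [o, weakIsAllowed(o), isAllowedParent(o)]);
}
```

The same allow-list should back both the header and the message handler, so adding a new embedding application is a single, reviewed change on the payment server.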
