Embedding a third-party payment processor’s payment form in an iframe is often used to reduce the number of PCI DSS requirements applicable to the merchant’s website. More recently, PCI DSS v4 introduced new requirements, some of which apply to the merchant’s page hosting the iframe. A number of attacks against the iframe can still result in cardholder data being leaked. This talk provides an in-depth look at the security risks of iframed payment forms, and a view on how to defend them.