Do I need SSL if using a secure iframe to accept credit card payments online? HTTP form post to HTTPS?

Can I put my form on HTTP and target my form to post to HTTPS and still be secure? No.

  • Because the form page itself is delivered over unencrypted HTTP, an attacker who can alter it in transit can inject JavaScript code that steals data before the user submits it.
  • Even if you post a notice, users will be less trusting. If a company can’t afford to invest in a security certificate, why would you trust them with private data?
  • Website users should stick with one URL to log in, and both the form URL and the target URL should be over SSL.

Can I put a secure iframe for payment collection on HTTP? Technically yes; however, this will not achieve the desired security or consumer confidence, since there will be no ‘lock’ in the consumer’s web browser for your domain. There are also limitations which I won’t get into here. This would not follow best practices and is therefore not recommended. Wherever you accept information that you want secured, the domain should have an SSL certificate.
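
Both answers above come down to one check: the page that carries the form or iframe must itself be served over HTTPS, and so must its target. The following is an added example, not code from the original page, that audits a page's HTML for this; the function name audit_page and the hosts shop.example and pay.example are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _Collector(HTMLParser):
    """Collect form actions and iframe sources from one HTML document."""

    def __init__(self):
        super().__init__()
        self.targets = []  # (tag, raw URL attribute or "")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.targets.append(("form", attrs.get("action") or ""))
        elif tag == "iframe":
            self.targets.append(("iframe", attrs.get("src") or ""))


def audit_page(page_url, html):
    """Return findings for forms/iframes that are not HTTPS end to end."""
    collector = _Collector()
    collector.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for tag, raw in collector.targets:
        # An empty or relative URL resolves against the page and inherits its scheme.
        target = urljoin(page_url, raw)
        target_secure = urlparse(target).scheme == "https"
        if not page_secure:
            # An HTTPS target does not help: the page carrying it can be altered in transit.
            findings.append((tag, target, "page served over HTTP"))
        elif not target_secure:
            findings.append((tag, target, "target is not HTTPS"))
    return findings


# Constructed sample markup (hypothetical hosts, not from the original page).
SAMPLE = """
<form action="https://pay.example/charge" method="post">
  <input name="card_number"><input type="submit">
</form>
<iframe src="https://pay.example/hosted-fields"></iframe>
"""

if __name__ == "__main__":
    for url in ("http://shop.example/checkout", "https://shop.example/checkout"):
        print(url, audit_page(url, SAMPLE) or "OK")
```

The same markup passes when the checkout page is HTTPS and produces two findings when it is HTTP, even though every target in it is already HTTPS.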