WCAG guidance regarding secured/hosted fields for PCI (Payment Card Industry) Compliance

1

I'm looking for some additional WCAG guidance regarding secure fields needed for PCI (Payment Card Industry) compliance for ecommerce. Payment providers now offer a solution for a higher level of conformance where each payment field (credit card number, CVV, and expiration date) is a DOM-injected iframe, comprising of a label, input, error validation, styling, and focus management. These iframed fields are referred as "secure fields".
We are working with our payment provider to improve their markup, however, if they followed all form and iframe related guidelines, would there be any other concerns regarding accessibility?

Thanks!

accessibility pci-compliance wcag wcag2.0

share|improve this question

edited Nov 19 '18 at 18:55

prl

4,4631315

asked Nov 19 '18 at 16:16

BethBeth

286

add a comment | 

1

I'm looking for some additional WCAG guidance regarding secure fields needed for PCI (Payment Card Industry) compliance for ecommerce. Payment providers now offer a solution for a higher level of conformance where each payment field (credit card number, CVV, and expiration date) is a DOM-injected iframe, comprising of a label, input, error validation, styling, and focus management. These iframed fields are referred as "secure fields".
We are working with our payment provider to improve their markup, however, if they followed all form and iframe related guidelines, would there be any other concerns regarding accessibility?

Thanks!

accessibility pci-compliance wcag wcag2.0

share|improve this question

edited Nov 19 '18 at 18:55

prl

4,4631315

asked Nov 19 '18 at 16:16

BethBeth

286

add a comment | 

1

1

1

I'm looking for some additional WCAG guidance regarding secure fields needed for PCI (Payment Card Industry) compliance for ecommerce. Payment providers now offer a solution for a higher level of conformance where each payment field (credit card number, CVV, and expiration date) is a DOM-injected iframe, comprising of a label, input, error validation, styling, and focus management. These iframed fields are referred as "secure fields".
We are working with our payment provider to improve their markup, however, if they followed all form and iframe related guidelines, would there be any other concerns regarding accessibility?

Thanks!

accessibility pci-compliance wcag wcag2.0

share|improve this question

edited Nov 19 '18 at 18:55

prl

4,4631315

asked Nov 19 '18 at 16:16

BethBeth

286

I'm looking for some additional WCAG guidance regarding secure fields needed for PCI (Payment Card Industry) compliance for ecommerce. Payment providers now offer a solution for a higher level of conformance where each payment field (credit card number, CVV, and expiration date) is a DOM-injected iframe, comprising of a label, input, error validation, styling, and focus management. These iframed fields are referred as "secure fields".
We are working with our payment provider to improve their markup, however, if they followed all form and iframe related guidelines, would there be any other concerns regarding accessibility?

Thanks!

accessibility pci-compliance wcag wcag2.0

accessibility pci-compliance wcag wcag2.0

share|improve this question

edited Nov 19 '18 at 18:55

prl

4,4631315

asked Nov 19 '18 at 16:16

BethBeth

286

share|improve this question

edited Nov 19 '18 at 18:55

prl

4,4631315

asked Nov 19 '18 at 16:16

BethBeth

286

share|improve this question

share|improve this question

edited Nov 19 '18 at 18:55

prl

4,4631315

edited Nov 19 '18 at 18:55

prl

4,4631315

edited Nov 19 '18 at 18:55

prl

4,4631315

4,4631315

asked Nov 19 '18 at 16:16

BethBeth

286

asked Nov 19 '18 at 16:16

BethBeth

286

asked Nov 19 '18 at 16:16

BethBeth

286

286

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

0

In general, you should be good if you're trying to conform to WCAG (either 2.0 or 2.1), but it might depend on your country too. Different countries have different laws regarding accessibility. Some laws are stricter or have variations from WCAG.

For example, in the US, if you're working on an airline website, specifically booking and paying for travel (as it relates to your PCI question), it would fall under the Air Carrier Access Act.

However, there is nothing specific in WCAG that pertains to PCI. Just follow the general guidelines of WCAG as you mentioned (labelled fields, error handling, etc).

One item that might pertain to your situation is that <iframe> elements often need a title attribute so that screen readers know the purpose of the iframe. But in your case, if each iframe is an input field, and the fields are labelled properly, then the iframe shouldn't need a title. The user doesn't care that you used iframes. They just want to book and pay for their flight. An iframe title comes more into play when the iframe contains a map or some other "big" user interface component.

share|improve this answer

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

Some of your past answers have not been well-received, and you're in danger of being blocked from answering.

Please pay close attention to the following guidance:

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53378722%2fwcag-guidance-regarding-secured-hosted-fields-for-pci-payment-card-industry-co%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

0

In general, you should be good if you're trying to conform to WCAG (either 2.0 or 2.1), but it might depend on your country too. Different countries have different laws regarding accessibility. Some laws are stricter or have variations from WCAG.

For example, in the US, if you're working on an airline website, specifically booking and paying for travel (as it relates to your PCI question), it would fall under the Air Carrier Access Act.

However, there is nothing specific in WCAG that pertains to PCI. Just follow the general guidelines of WCAG as you mentioned (labelled fields, error handling, etc).

One item that might pertain to your situation is that <iframe> elements often need a title attribute so that screen readers know the purpose of the iframe. But in your case, if each iframe is an input field, and the fields are labelled properly, then the iframe shouldn't need a title. The user doesn't care that you used iframes. They just want to book and pay for their flight. An iframe title comes more into play when the iframe contains a map or some other "big" user interface component.

share|improve this answer

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

add a comment | 

0

In general, you should be good if you're trying to conform to WCAG (either 2.0 or 2.1), but it might depend on your country too. Different countries have different laws regarding accessibility. Some laws are stricter or have variations from WCAG.

For example, in the US, if you're working on an airline website, specifically booking and paying for travel (as it relates to your PCI question), it would fall under the Air Carrier Access Act.

However, there is nothing specific in WCAG that pertains to PCI. Just follow the general guidelines of WCAG as you mentioned (labelled fields, error handling, etc).

One item that might pertain to your situation is that <iframe> elements often need a title attribute so that screen readers know the purpose of the iframe. But in your case, if each iframe is an input field, and the fields are labelled properly, then the iframe shouldn't need a title. The user doesn't care that you used iframes. They just want to book and pay for their flight. An iframe title comes more into play when the iframe contains a map or some other "big" user interface component.

share|improve this answer

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

add a comment | 

0

0

0

In general, you should be good if you're trying to conform to WCAG (either 2.0 or 2.1), but it might depend on your country too. Different countries have different laws regarding accessibility. Some laws are stricter or have variations from WCAG.

For example, in the US, if you're working on an airline website, specifically booking and paying for travel (as it relates to your PCI question), it would fall under the Air Carrier Access Act.

However, there is nothing specific in WCAG that pertains to PCI. Just follow the general guidelines of WCAG as you mentioned (labelled fields, error handling, etc).

One item that might pertain to your situation is that <iframe> elements often need a title attribute so that screen readers know the purpose of the iframe. But in your case, if each iframe is an input field, and the fields are labelled properly, then the iframe shouldn't need a title. The user doesn't care that you used iframes. They just want to book and pay for their flight. An iframe title comes more into play when the iframe contains a map or some other "big" user interface component.

share|improve this answer

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

In general, you should be good if you're trying to conform to WCAG (either 2.0 or 2.1), but it might depend on your country too. Different countries have different laws regarding accessibility. Some laws are stricter or have variations from WCAG.

For example, in the US, if you're working on an airline website, specifically booking and paying for travel (as it relates to your PCI question), it would fall under the Air Carrier Access Act.

However, there is nothing specific in WCAG that pertains to PCI. Just follow the general guidelines of WCAG as you mentioned (labelled fields, error handling, etc).

One item that might pertain to your situation is that <iframe> elements often need a title attribute so that screen readers know the purpose of the iframe. But in your case, if each iframe is an input field, and the fields are labelled properly, then the iframe shouldn't need a title. The user doesn't care that you used iframes. They just want to book and pay for their flight. An iframe title comes more into play when the iframe contains a map or some other "big" user interface component.

share|improve this answer

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

share|improve this answer

share|improve this answer

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

answered Dec 31 '18 at 16:06

slugoliciousslugolicious

4,31311318

4,31311318

add a comment | 

add a comment | 

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

Some of your past answers have not been well-received, and you're in danger of being blocked from answering.

Please pay close attention to the following guidance:

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

Some of your past answers have not been well-received, and you're in danger of being blocked from answering.

Please pay close attention to the following guidance:

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53378722%2fwcag-guidance-regarding-secured-hosted-fields-for-pci-payment-card-industry-co%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

This page is only for reference, If you need detailed information, please check here