They can't do this because then the untrusted merchant has access to everything again. It needs to be sandboxed in a separate page so that the customer is talking directly with the processor, with SOP, cors, https, and simply not being able to intercept PII and payment information.
They can't do this because then the untrusted merchant has access to everything again. It needs to be sandboxed in a separate page so that the customer is talking directly with the processor, with SOP, cors, https, and simply not being able to intercept PII and payment information.