Security Recommendations

Unified Checkout is compliant with Payment Card Industry (PCI) Self-Assessment Questionnaire A (SAQ-A). Barclays recommends that you consider these security policies so you can maintain a secure integration.

Content Security Policy

Implement a Content Security Policy (CSP) to mitigate cross-site scripting (XSS) attacks. Add these directives for Unified Checkout:

CSP Directives

Directive     Test                                         Production
connect-src   https://api.smartpayfuse-test.barclaycard    https://api.smartpayfuse.barclaycard
frame-src     https://api.smartpayfuse-test.barclaycard    https://api.smartpayfuse.barclaycard
child-src     https://api.smartpayfuse-test.barclaycard    https://api.smartpayfuse.barclaycard
script-src    https://api.smartpayfuse-test.barclaycard    https://api.smartpayfuse.barclaycard

These directives enable the SDK to load secure iframes and communicate with Barclays services.

IMPORTANT: When you use additional payment methods such as Google Pay or PayPal, you must also add their respective domains to your CSP directives.
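The following is an added example, not code from the Barclays documentation or the Unified Checkout SDK. It assembles the Content-Security-Policy header value from the four directives in the table above, lets you append the sources an additional payment method needs, and rejects wildcard or non-https sources so a typo cannot widen the policy. The environment keys, function names and the wallet origin in the usage comment are assumptions constructed for this example.

```javascript
// Added example (not Barclays or SDK code): build the CSP header value for
// Unified Checkout from the documented directives. Environment keys and
// helper names are assumptions made for this example.
const UNIFIED_CHECKOUT_ORIGINS = {
  test: "https://api.smartpayfuse-test.barclaycard",
  production: "https://api.smartpayfuse.barclaycard",
};

// The four directives the SDK needs, per the CSP Directives table.
const SDK_DIRECTIVES = ["connect-src", "frame-src", "child-src", "script-src"];

// A source is either a quoted CSP keyword such as 'self' or an exact https
// origin. Wildcards, http:, paths and bare hostnames are rejected so that a
// typo cannot silently widen the policy.
function checkSource(source) {
  if (/^'[^']+'$/.test(source)) return source;
  if (source.includes("*")) throw new Error(`wildcard source not allowed: ${source}`);
  let url;
  try {
    url = new URL(source);
  } catch {
    throw new Error(`not a URL: ${source}`);
  }
  if (url.protocol !== "https:" || url.origin !== source) {
    throw new Error(`not an exact https origin: ${source}`);
  }
  return source;
}

// extraSources maps a directive to additional sources, for example the
// domains of an added payment method (see the IMPORTANT note above).
// Returns the header value, directives separated by "; ".
function buildUnifiedCheckoutCsp(env, extraSources = {}) {
  const sdkOrigin = UNIFIED_CHECKOUT_ORIGINS[env];
  if (!sdkOrigin) throw new Error(`unknown environment: ${env}`);
  const policy = new Map(SDK_DIRECTIVES.map((d) => [d, [sdkOrigin]]));
  for (const [directive, sources] of Object.entries(extraSources)) {
    if (!policy.has(directive)) policy.set(directive, []);
    for (const s of sources) {
      const checked = checkSource(s);
      if (!policy.get(directive).includes(checked)) policy.get(directive).push(checked);
    }
  }
  return [...policy].map(([d, srcs]) => `${d} ${srcs.join(" ")}`).join("; ");
}

// Usage on the server, e.g. in an Express handler (assumed framework; the
// wallet origin is a constructed placeholder, not a real payment method):
//   res.setHeader("Content-Security-Policy", buildUnifiedCheckoutCsp("production",
//     { "frame-src": ["https://wallet.example"], "script-src": ["https://wallet.example"] }));
```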

Iframe Isolation

Unified Checkout renders all payment UI inside cross-origin iframes hosted by Barclays. This architecture provides several security benefits:
  • Data isolation: Your page cannot access payment data within the iframe due to the browser's same-origin policy.
  • Reduced attack surface: Attackers cannot extract card data from the isolated iframe if your merchant page is compromised.
  • Origin verification: The SDK validates that the hosting page origin matches the targetOrigins declared in the session before displaying any UI.
Do not attempt to access or manipulate the contents of the payment iframes. The browser blocks cross-origin access by design.

Token Security

A session is a signed JWT with a short lifespan. Barclays recommends that you follow these practices:
  • Generate a new session for each checkout. Do not reuse sessions across checkouts or customers.
  • Keep the session server-side until needed. Pass it to the client only when the customer is ready to pay.
  • Set targetOrigins to only the domains that host the SDK. Do not use wildcard origins or include domains that do not need access.
The transient token returned by mount() or complete() expires after 15 minutes. Barclays recommends that you follow these practices:
  • Send the transient token to your server immediately after receiving it.
  • Verify the token signature using the public key from the session before authorizing the payment. For verification details, see Transient Tokens.
  • Do not store transient tokens in browser storage (localStorage, sessionStorage, or cookies). Process them server-side and discard.

Immutable API

The client interface that is returned by VAS.UnifiedCheckout() is frozen with Object.freeze(). This prevents runtime tampering, which means that no properties can be added, removed, or modified on the client, checkout, trigger, or button objects. Do not attempt to modify or extend the SDK objects. If you need custom behavior, use the event system to react to SDK state changes.

Cleanup

You must always call destroy() on the client when the payment flow is complete or the customer navigates away. This removes all iframes and clears internal state:

checkout.destroy(); client.destroy();

If you do not destroy the client, you could leave payment iframes in the page after they are no longer needed.