As parts of the PCI-DSS best practice becomes requirements with PCI-DSS v4 coming in April 2025, using the Seamless View integration to display the payment UI will give merchants more responsibilities than they currently have. This is because Seamless View is hosted by you. As the Redirect integration is hosted by Swedbank Pay, we also handle these responsibilities.
The updated requirements will include stricter controls and monitoring, particularly around the security of your checkout process. Merchants are responsible for ensuring the integrity of the HTML script used in their integration, including monitoring what is loaded into or over it. Specifically, Seamless View merchants must verify that the script URL embedded in their iframe originates from Swedbank Pay or another trusted domain. It is important to note that Swedbank Pay’s PCI responsibility is strictly limited to the content within the payment iframe.
For further details, refer to section 4.6.3 and 11.6.1 in the linked PCI-DSS document.
Please note that this only applies to payment methods that are affected by PCI-DSS (Card and Click to Pay). If you only offer payment methods not affected by PCI-DSS, no actions are necessary. If you want to add PCI-DSS affected payment methods later, this is something you need to consider.
To learn more about how PCI-DSS affects you, we also have reading available in Danish, Finnish, Norwegian and Swedish.
If you currently have a Seamless View integration and don’t want the impending responsibilities, switcing to Redirect is a very manageable task. Here’s what you need to do:
Use Redirect Operation
In the operations node of the payment response, right next to
view-checkout
which you should currently be using, you’ll find
redirect-checkout
. The corresponding href
contains a url which leads to a
Swedbank Pay domain where the payment UI will be displayed and processed. All
you need to do is direct the Payer to this url and wait until one of the
functions are called (completeUrl
, cancelUrl
or callbackUrl
) to proceed
with the payment process.
Redirect-Checkout Operation
1
2
3
4
5
6
7
8
9
10
{
"operations": [
{
"method": "GET",
"href": "https://ecom.externalintegration.payex.com/payment/menu/b934d6f84a89a01852eea01190c2bbcc937ba29228ca7502df8592975ee3bb0d?_tc_tid=30f2168171e142d38bcd4af2c3721959",
"rel": "redirect-checkout",
"contentType": "text/html"
},
]
}
Remove Seamless View Code
You can remove all code related to the <script>
element used to load the
Seamless View.
Change URLs
Finally, you need to do some changes to the urls
node in your
payment request. The paymentUrl
field is specific to Seamless
View and can be removed.
The url you need to add is the cancelUrl
, so we know where to redirect the
payer if they chose to cancel, or you chose to abort the payment.
If you have permission to add your own logo in the payment UI and
want to add one, you also need to include a logoUrl
. Follow the guidelines in
the section linked above. If no logoUrl
is added, Swedbank Pay’s logo will be
shown by default.
The completeUrl
, hostUrls
and callbackUrl
is universal and must be
included regardless of your UI choice.
Seamless View Specific URL
1
2
3
4
5
{
"urls": {
"paymentUrl": "https://example.com/perform-payment"
}
}
Redirect Specific URLs
1
2
3
4
5
6
{
"urls": {
"cancelUrl": "https://example.com/payment-cancelled",
"logoUrl": "https://example.com/logo.png" //Optional
}
}
Monitoring The Script URL
If you choose to stay with Seamless View, please take the following under advisement.
To ensure compliance, we recommend implementing Content Security Policy rules to monitor and authorize scripts.
Merchants must whitelist the following domains to restrict browser content
retrieval to approved sources. While https://*.payex.com
and
https://*.swedbankpay.com
cover most payment methods, digital wallets such as
Apple Pay, Click to Pay, and Google Pay are delivered via Payair. Alongside the
Payair URL, these wallets may also generate URLs from Apple, Google, MasterCard,
and Visa. See the table below for more information.
When it comes to ACS URLs, nothing is loaded from the ACS domain in the merchant’s end. It will either happen within Swedbank Pay’s domain or as a redirect, which will repeal the merchant’s CSP.
The list below includes important URLs, but may not be exhaustive. Merchants need to stay up to date in case of URL changes, or if you need to whitelist URLs not listed here.
URL | Description |
---|---|
https://*.cdn-apple.com | URL needed for Apple Pay. |
https://*.google.com | URL needed for Google Pay. |
https://*.gstatic.com | Domain used by Google that hosts images, CSS, and javascript code to reduce bandwidth usage online. |
https://*.mastercard.com | URL needed for Click to Pay. |
https://*.payair.com | URL for the digital wallets Apple Pay, Click to Pay and Google Pay. |
https://*.payex.com | Universal URL for all payment methods except the digital wallets Apple Pay, Click to Pay and Google Pay. |
https://*.swedbankpay.com | Universal URL for all payment methods except the digital wallets Apple Pay, Click to Pay and Google Pay. |
https://*.visa.com | URL needed for Click to Pay. |