As parts of the PCI-DSS best practices become requirements with [PCI-DSS v4][pci] coming in April 2025, using the Seamless View integration to display the payment UI will give merchants more responsibilities than they currently have. This is because Seamless View is hosted by you. As the Redirect integration is hosted by Swedbank Pay, we also handle these responsibilities.
The updated requirements will include stricter controls and monitoring, particularly around the security of your checkout process. Merchants are responsible for ensuring the integrity of the HTML script used in their integration, including monitoring what is loaded into or over it. Specifically, Seamless View merchants must verify that the script URL embedded in their iframe originates from Swedbank Pay or another trusted domain. It is important to note that Swedbank Pay’s PCI responsibility is strictly limited to the content within the payment iframe.
For further details, refer to sections 4.6.3 and 11.6.1 in the linked PCI-DSS document.
Please note that this only applies to payment methods that are affected by PCI-DSS (Card and Click to Pay). If you only offer payment methods not affected by PCI-DSS, no actions are necessary. If you want to add PCI-DSS affected payment methods later, this is something you need to consider.
To learn more about how PCI-DSS affects you, we also have reading available in Danish, Finnish, Norwegian and Swedish.
If you currently have a Seamless View integration and don’t want the impending responsibilities, switching to Redirect is normally possible, but the Checkin module used in Checkout v2 is only available using Seamless View. We strongly recommend switching to the newest version of Digital Payments and choosing the Redirect UI option. We have written a migration guide to help you.
Monitoring The Script URL
You must confirm that your site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
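One way to check that a script URL originates from a trusted domain before it is embedded, shown as an added example that is not Swedbank Pay's own code. The host `payments.psp.example`, the function names and the sample URLs are placeholders constructed for illustration; replace the allowlist with the domains you actually trust.

```javascript
// Added example. The hostname below is a placeholder, not a real Swedbank Pay domain.
const TRUSTED_SCRIPT_HOSTS = new Set(["payments.psp.example"]);

// Checks one script URL before it is placed in a <script src="..."> tag.
function checkScriptUrl(rawUrl, trustedHosts = TRUSTED_SCRIPT_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // absolute URLs only; relative input throws
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  // "https://trusted@other.host/" parses with hostname other.host, so reject userinfo.
  if (url.username || url.password) return { ok: false, reason: "userinfo in URL" };
  if (url.port !== "") return { ok: false, reason: "non-default port" };
  // Exact match on the parsed hostname. Substring or suffix checks on the raw
  // string would accept look-alikes such as payments.psp.example.other.test.
  if (!trustedHosts.has(url.hostname)) {
    return { ok: false, reason: `untrusted host ${url.hostname}` };
  }
  return { ok: true, reason: "trusted" };
}

// Audits every script URL collected from the checkout page; returns the rejects
// so they can be logged and alerted on.
function auditScriptUrls(urls, trustedHosts = TRUSTED_SCRIPT_HOSTS) {
  return urls
    .map((u) => ({ url: u, ...checkScriptUrl(u, trustedHosts) }))
    .filter((r) => !r.ok);
}

// Constructed sample input, not taken from a real integration.
const sampleUrls = [
  "https://payments.psp.example/core/scripts/client.js?token=abc",
  "https://PAYMENTS.PSP.EXAMPLE/core/scripts/client.js",
  "http://payments.psp.example/core/scripts/client.js",
  "https://payments.psp.example.other.test/client.js",
  "https://payments.psp.example@other.test/client.js",
  "/local/client.js",
];

for (const r of auditScriptUrls(sampleUrls)) {
  console.log(`REJECT ${r.url}: ${r.reason}`);
}
```

Run the same check server-side when you receive the script URL and again in whatever job monitors the rendered checkout page, so a change in either place is caught.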