Hosted Payment Page With 100+ Gateways

One of the ways Cart66 provides the strongest security of any WordPress ecommerce solution is by providing you with your own hosted payment page. Your hosted payment page will look exactly like the rest of your WordPress site and works with over 100 different payment gateways. In this article we’ll talk about what a hosted payment page is, why it is the most secure, and how it makes PCI compliance as easy as possible. We will also compare Cart66 with other WordPress e-commerce plugins and explain why Cart66 is the most secure and why it matters when you are considering how to process payments for your online store.

What Is A Hosted Payment Page?

A hosted payment page enables you to fully outsource the entire process of collecting credit card payments.  All aspects of collecting, transmitting, and processing your customers credit card payments take place on a secure and fully PCI compliant server. The most popular example of a hosted payment page is PayPal. When you use PayPal to accept payments, your customer is transferred to the PayPal website where they enter all of their payment details. After a successful payment the customer might be transferred back to your website. Since the entire payment process is handled by PayPal, you don’t have to worry about any of the security concerns surrounding credit card payments. You may find other payment gateways that offer similar hosted payment pages, but they all have a variety of problems, especially regarding customization and branding.

Why A Hosted Payment Page Is The Most Secure

Over the past few years people have been trying to solve the problem of keeping credit card payments secure on e-commerce websites. WordPress runs more e-commerce websites than any other platform and these sites are often hosted on very low cost shared servers – not PCI compliant web hosting environments. To keep credit card data safe, a bunch of different attempts have been made for collecting credit card data and transmitting it to the payment gateway without the credit card data touching the insecure shared servers hosting the WordPress site.

If you work with WordPress long enough you will see that WordPress sites get hacked all the time. This happens for a wide variety of reasons and it almost never because the core WordPress code has vulnerabilities. Some of the top reasons WordPress sites get hacked are:

  • Not installing WordPress updates
  • Using default usernames
  • Weak passwords
  • Insecure / old software running on the server hosting your website
  • WordPress plugins or themes with security vulnerabilities
  • Not blocking malicious traffic with plugins like iThemes Security Plugin or services like Sucuri

When using any form of security other than a hosted payment page, if your WordPress site gets hacked, your customers credit card data can be exposed. 

What’s Wrong With Direct Post or JavaScript

To avoid passing credit card data through inexpensive shared web hosting servers, some people suggested just posting the credit card data straight from the customer’s browser directly to the payment gateway – without passing through your web server at all. To do this, the action attribute of the form  tag  for the payment would submit the data directly to the payment gateway.

direct post to send credit card data to payment gateway

Another very similar attempt to bypass your web server and send credit card data directly to your payment gateway involves using JavaScript to collect and transmit the card data.

Use JavaScript to send credit card data to payment gateway

Both of these techniques suffer from a the same problem problem. Your website is responsible for generating the code that collects the credit card data. That means if a malicious piece of JavaScript gets on your site, it can easily redirect where the card data goes. Not only that, but a JavaScript key logger could be recording all the data your customers type and sending it to the bad guys.

What’s Wrong With iFrames?

Another way to avoid having credit card data touch your web server is to use an iFrame that pulls in a little form hosted by your payment gateway to collect the credit card data. An iFrame is more secure than the Direct Post or JavaScript options we just considered.  Unfortunately, it also suffers from the same JavaScript problem as those other two approaches. If your website gets hacked, a snippet of JavaScript is all it takes to change the source of the iFrame. Rather than pulling in an iFrame from your payment gateway, a malicious snippet of JavaScript could pull in a form from a fraudulent server.

iFrames are not as secure as a hosted payment page

A Hosted Payment Page Is The Most Secure

The most secure way to collect and transmit credit card information is to let someone else handle the entire process for you. That way, even if your website gets hacked, your customers payments remain secure.

hosted payment page is the most secure way to process payments


How Cart66 Makes Your Hosted Payment Page Awesome

Traditionally there are a few problems with hosted payment pages.

  1. They look nothing like your website and might confuse your customers
  2. You lose all your design and branding
  3. The domain name changes and looks nothing like your domain name
  4. Customization is very limited and cumbersome
  5. Only works with one payment gateway

Pick from over 100 gateways
Cart66 solves all of these problems. First, Cart66 supports over 100 different payment gateways including Stripe, PayPal,, Braintree and more. Your hosted payment page will work with any gateway you choose and you can change gateways at any time.

Customize your domain name
Second, you get to pick your own custom subdomain for your hosted payment page. Yes, the domain name will change because in order to get an SSL certificate we (Cart66) have to verify that we are the authentic owners of the domain name. We can’t get an SSL certificate for your domain name because we don’t own your domain name. But you can pick your own subdomain. So your hosted payment page can be located at https://<your-company-name> So when your customer hits your secure hosted payment page, they will still see your company name in the URL.

Looks EXACTLY like the rest of your WordPress site
Third, with a single click, Cart66 will skin your hosted payment page with your WordPress theme. So your hosted payment page will look exactly like the rest of your WordPress site because it uses the exact same theme. All your navigation still works, linking back to your WordPress site. It is just like another page on your site. Keep all of your design and branding in place.

What Are Self Assessment Questionnaires?

When you apply for your payment gateway account you will probably have to complete a form called a self assessment questionnaire. Which questionnaire you have to complete depends on how you are processing credit card payments. There are two different questionnaires you might be given based on which of the above approaches you take for processing credit card payments.

The SAQ (self assessment questionnaire) you really want to be able to use is named SAQ A. After you get through the instructions and so forth, it comes down to about 1 page with 13 questions to answer. The overall purpose of these questions is to verify that you have a secure, PCI compliant service handling all aspects of your credit card payment process. This includes storing, processing, collecting, and transmitting credit card data.

You only qualify for the SAQ A if you can confirm the following quote taken from the “Before You Begin” section of the SAQ A for e-commerce channels.

All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).

That means your website can’t be responsible for generating ANY of the code that effects the security of the payment processing. For example, if you host your own payment form, then your website is responsible for collecting and transmitting the credit card information. Even if the credit card data isn’t hitting your server, your server is still involved in the process because it generates the code that is responsible for collecting and sending the credit card data.

So, if you decide to host your own payment form and use an approach like Direct Post or JavaScript to collect and transmit your customers credit card data you are no longer eligible to use SAQ A and instead have to use SAQ A-EP for partially outsourced payment processing. It is currently very unclear whether or not using iFrames requires SAQ A or SAQ A-EP. This very issue has been brought up and studied in great depth and, unless both the payment form fields AND the submit button are BOTH contained in the iFrame, you must complete SAQ A-EP. Even if you could use SAQ A, we have already discussed how a single snippet of JavsScript is all it takes to pull in a payment form from a fraudulent source rather than your trusted payment gateway.

You really want to avoid the SAQ A-EP because it is almost 50 pages long with over 130 requirements. In addition to log monitoring, firewalls, and vulnerability scanning another requirement is that you have to disable all insecure network connections. This includes FTP. If you can FTP into your server, you can’t pass the SAQ A-EP. Another requirement is to keep your server’s software up to date. Almost all web hosts run outdated versions of PHP. I work with support tickets and see PHP 5.2 still running on a lot of servers. PHP 5.2 reached its end of life over 5 years ago. That means it’s been over 5 years since any security patches have been released and that version of PHP is no longer supported at all. Unless you spend a great deal of money on your web hosting environment you will not be able to comply with all of the requirements in SAQ A-EP.

Bottom line: The only guaranteed way to qualify for the SAQ A is to use a hosted payment page.


We’ve covered a ton of information here. So let’s wrap it up with the main points:

  • A hosted payment page handles all aspects of credit card payment processing for you
  • WordPress sites get hacked all the time and you don’t want to put your customers credit card data at risk if your site gets hacked
  • Direct Post, JavaScript, and iFrames can all be hacked if a snippet of bad JavaScript gets on your site
  • A hosted payment page is the most secure way to process payments
  • You only have to answer the 13 questions in SAQ A (not the 130 questions in the SAQ A-EP) when using a hosted payment page
  • Cart66 solves all of the traditional problems with hosted payments pages by skinning your secure hosted payment page with your WordPress theme so your one secure hosted payment page looks EXACTLY like the rest of your WordPress site.