- Table of contents
- What is a hosted payment page?
- What is an iFrame payment gateway?
- Hosted payment page vs iFrame: quick comparison
- How does a hosted payment page work?
- How does an iFrame payment gateway work?
- PCI, security, and compliance implications
- UX, redirects, and payment method support
- Operational impact for PSPs, fintechs, and enterprise merchants
- Where payment orchestration fits
- How to choose between hosted payment page and iFrame gateway
- Common mistakes to avoid
- Conclusion
Choosing between a hosted payment page and an iFrame gateway is not only a checkout design decision. It affects payment security, PCI scope, customer experience, payment method support, 3D Secure behavior, integration complexity, reporting, and how much control your payment team keeps inside the transaction flow.
In simple terms, a hosted payment page redirects the customer to a secure payment page hosted by the payment provider, while an iFrame gateway embeds the payment form inside the merchant’s checkout page. Both models can reduce direct card-data handling, but they create different trade-offs for UX, compliance, redirects, and operational control.
For PSPs, fintech companies, PayFacs, and enterprise merchants, the real question is not “Which one is better?” It is “Which model fits our payment infrastructure, merchant base, compliance posture, and growth plans?”
Table of contents
- What is a hosted payment page?
- What is an iFrame payment gateway?
- Hosted payment page vs iFrame: quick comparison
- How each payment flow works
- PCI, security, and compliance implications
- UX, redirects, and payment method support
- Operational impact for PSPs and merchants
- Where payment orchestration fits
- How to choose the right model
- Common mistakes
- Key takeaways
- FAQ
What is a hosted payment page?
A hosted payment page is a secure checkout page hosted by a payment provider, gateway, PSP, or orchestration platform. The merchant redirects the customer to that page, where payment details are collected and processed outside the merchant’s own checkout environment.
The main benefit is separation. The merchant does not need to build and maintain the full payment form, directly handle sensitive card data, or manage every payment UI requirement in-house. Instead, the hosted page manages the payment form, payment method display, authentication flow, and often parts of localization, fraud checks, and confirmation handling.
A typical hosted payment page is used when a business wants:
- Faster payment gateway integration.
- Lower frontend development effort.
- Reduced direct exposure to cardholder data.
- A checkout option that can support cards, wallets, bank payments, and local methods.
- A simpler setup for merchants with limited technical resources.
- A scalable option for PSPs onboarding many merchants.
Hosted pages are common among PSPs because they make merchant onboarding easier. A merchant can connect through API, generate a payment session, redirect the customer to the payment page, and receive the final transaction status through callbacks, webhooks, or server-side notifications.
Stripe, for example, describes Checkout as a prebuilt payment UI that can support a full-page hosted experience, an embedded form, or more customized components through Elements.
What is an iFrame payment gateway?
An iFrame payment gateway embeds a provider-hosted payment form inside the merchant’s checkout page. The customer appears to stay on the merchant’s website, while sensitive fields may be loaded from the provider’s secure domain.
This model is often used when merchants want more checkout continuity than a redirect-based hosted page provides. Instead of sending the customer to a separate payment page, the merchant displays the payment form within the existing checkout layout.
An iFrame payment gateway can be useful when the business wants:
- A more embedded checkout experience.
- Better visual continuity with the merchant site.
- Less visible redirection during checkout.
- Reduced direct handling of payment fields.
- More control over the surrounding checkout page.
However, iFrames also create technical constraints. Cross-domain behavior, redirect-based authentication, browser restrictions, wallet behavior, third-party cookies, mobile responsiveness, and local payment method flows can all become more complicated.
Adyen’s documentation specifically advises against integrating checkout in an iFrame because cross-domain redirect flows may fail, and some payment methods may require different configuration inside an iFrame.
Hosted payment page vs iFrame: quick comparison
A hosted payment page is usually simpler, safer, and easier to maintain. An iFrame gateway offers more embedded UX control, but it may introduce more frontend, redirect, testing, and browser-compatibility complexity.
| Factor | Hosted payment page | iFrame payment gateway |
| Checkout experience | Redirect or provider-hosted checkout | Embedded inside merchant checkout |
| Merchant frontend control | Lower | Higher around the surrounding page |
| Provider control | Higher | Medium to high |
| Integration complexity | Usually lower | Usually higher |
| PCI scope | Often easier to reduce, depending on implementation | Can reduce scope, but setup details matter |
| Redirect payment methods | Usually easier to support | Can be problematic in cross-domain iFrames |
| 3D Secure handling | Typically more straightforward | Requires careful testing |
| Mobile UX | Usually provider-optimized | Depends on implementation quality |
| Branding | Configurable, but limited by provider | More seamless around the payment form |
| Best for | Fast integration, many merchants, broad method support | Embedded checkout, stronger brand continuity |
| Risk area | Redirect drop-off or less checkout control | Browser restrictions, failed redirects, inconsistent method behavior |
How does a hosted payment page work?
A hosted payment page works by moving the payment form and sensitive payment-data collection to the provider’s hosted environment. The merchant initiates the payment, redirects the customer, and receives the result after payment completion.
A typical hosted payment page flow looks like this:
| Stage | What happens | Systems involved | Operational risk |
| Payment session creation | Merchant sends order amount, currency, customer, and return URL | Merchant backend, PSP/gateway API | Incorrect order data or session expiry |
| Redirect to hosted page | Customer moves to provider-hosted checkout | Browser, hosted payment page | Drop-off if branding or UX is poor |
| Payment data collection | Customer enters card, wallet, or alternative payment details | Provider-hosted page | Provider page performance and method availability |
| Authentication | 3D Secure or local payment authentication may occur | Issuer, ACS, wallet, APM provider | Failed redirect or abandoned authentication |
| Authorization | Transaction is sent to processor/acquirer | PSP, gateway, acquirer, scheme | Declines, timeout, routing failure |
| Result confirmation | Customer returns to merchant site; merchant receives webhook | Merchant backend, provider API | Mismatched frontend result vs backend status |
| Reporting and reconciliation | Transaction is stored for operations and finance | Dashboard, reporting, reconciliation system | Fragmented reporting if multiple providers are used |
For PSPs and fintech platforms, hosted payment pages are useful because they can standardize merchant checkout while still allowing configuration by merchant, country, currency, and payment method.
How does an iFrame payment gateway work?
An iFrame gateway works by embedding provider-hosted payment fields or a payment form into the merchant’s page. The customer remains visually inside the merchant checkout, while the sensitive payment components are loaded from the provider.
A typical iFrame flow looks like this:
- The merchant checkout page loads.
- The merchant requests a payment session or token from the payment provider.
- The provider’s iFrame loads inside the checkout page.
- The customer enters payment data into the embedded form.
- The provider collects and tokenizes the data.
- The payment is authorized through the gateway, PSP, acquirer, or processor.
- The merchant receives payment status through API response, callback, or webhook.
The benefit is continuity. The customer does not necessarily feel redirected away from the merchant site.
The challenge is technical fragility. Redirect-based methods, 3D Secure flows, wallet flows, browser privacy rules, and mobile viewport behavior must be tested carefully. This is why iFrame integrations often require more QA coverage than a standard hosted page.
PCI, security, and compliance implications
Both hosted payment pages and iFrame gateways can help reduce direct card-data exposure, but neither removes compliance responsibility entirely. PCI scope depends on the exact implementation, provider setup, payment data flow, scripts, and how the merchant environment can affect the security of the payment page.
PCI DSS applies to entities that store, process, or transmit cardholder data, and the PCI Security Standards Council describes PCI DSS as the baseline of technical and operational requirements for protecting payment account data. The Council also notes that PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of size or transaction volume.
The practical difference is usually this:
| Compliance factor | Hosted payment page | iFrame payment gateway |
| Card data entry | On provider-hosted page | Inside embedded provider-controlled frame |
| Merchant page influence | Lower, especially with redirect | Higher, because checkout page surrounds the frame |
| SAQ eligibility | Often simpler, depending on setup | May still be reduced, but details matter |
| Script control risk | Lower on the payment page itself | Higher on the parent checkout page |
| Security testing | Provider page plus redirect flow | Parent page, iFrame behavior, CSP, redirect handling |
| Best practice | Keep payment page isolated and secure | Minimize third-party scripts and test browser behavior |
Stripe’s security guidance frames PCI compliance as a shared responsibility and notes that low-risk payment integrations can collect and transmit payment information directly to Stripe without it passing through the merchant’s servers, reducing PCI obligations.
For PSPs and fintech companies, the key is not to describe either model as “PCI-free.” A more accurate message is: “This integration can reduce PCI scope when implemented correctly, but your business still needs to validate compliance based on its actual payment environment.”
UX, redirects, and payment method support
Hosted payment pages are usually stronger for reliability across redirect-based payment methods. iFrames can feel smoother visually, but they may create friction when authentication or payment method flows need to leave the embedded frame.
This matters because modern checkout is no longer only about entering card details. Payment teams must support wallets, bank redirects, BNPL methods, local APMs, 3D Secure authentication, stored credentials, recurring payments, and country-specific requirements.
A hosted page is often easier when the payment flow includes:
- 3D Secure authentication.
- Bank redirect methods.
- Wallet flows.
- Local payment methods.
- Payment method selection by region.
- Strong Customer Authentication.
- Multi-language and multi-currency checkout.
An iFrame can work well when:
- The merchant prioritizes checkout continuity.
- The payment methods are mostly card-based or component-friendly.
- The provider offers mature embedded components.
- The team can test cross-browser and mobile behavior properly.
- Redirect handling is clearly supported.
The issue is not that iFrames are “bad.” The issue is that iFrames are less forgiving. If the parent page, browser, domain, content security policy, or redirect behavior is not configured correctly, the checkout experience can break at the worst possible point: payment authorization.
Adyen’s guidance is direct on this point: in cross-domain iFrames, redirect payment flows may not work, which can lead to failed transactions and poor customer experience.
Operational impact for PSPs, fintechs, and enterprise merchants
For payment businesses, checkout type affects more than frontend design. It shapes onboarding, support, risk, reporting, and how quickly new merchants can go live.
A PSP serving many merchants usually needs a checkout model that is easy to deploy, easy to support, and flexible enough for different merchant maturity levels. Hosted payment pages are often a practical default because they reduce merchant-side implementation effort and create a more standardized support model.
An enterprise merchant may care more about checkout control, brand continuity, conversion testing, and integration with internal systems. For that merchant, an iFrame or embedded component model may be attractive, but only if the payment team can manage the added testing and security responsibility.
| Business type | Likely priority | Better default | Why |
| Startup merchant | Fast launch, low technical effort | Hosted payment page | Simple setup and lower maintenance |
| Scaling merchant | More control, more methods | Depends on payment stack | May need both hosted and embedded options |
| Enterprise merchant | UX control, analytics, provider flexibility | iFrame or advanced hosted page | More resources for testing and optimization |
| PSP / PayFac | Merchant onboarding at scale | Hosted page plus optional iFrame | Supports different merchant maturity levels |
| Fintech platform | Embedded payments inside product | iFrame / embedded components | Keeps users inside platform flow |
| High-compliance business | Security and risk control | Hosted page or carefully scoped embedded model | Depends on PCI and risk posture |
For PSPs, the strongest approach is often not choosing one model permanently. It is offering multiple checkout options under one infrastructure layer so different merchants can use the integration style that fits their technical resources and customer journey.
Where payment orchestration fits
Payment orchestration helps companies manage checkout choice as part of a broader payment infrastructure strategy. Instead of treating hosted pages and iFrames as isolated integrations, orchestration connects them to routing, cascading, provider management, fraud controls, reporting, reconciliation, and merchant configuration.
This is where a payment orchestration platform such as Akurateco becomes relevant. Akurateco positions its orchestration platform around multi-provider connectivity, smart routing, cascading, fraud tools, payment analytics, payment dashboards, and reconciliation. Its site describes access to 650+ integrations and features such as routing, cascading, payment method management, fraud prevention, and automated reporting.
For PSPs and fintech companies, orchestration can support checkout strategy in several ways:
| Capability | Why it matters | How orchestration helps |
| Multiple checkout models | Different merchants need different integration options | Offer hosted page, plugins, SDKs, or embedded flows through one platform |
| Smart routing | Provider performance varies by region, BIN, method, or currency | Route transactions based on cost, approval rate, geography, or provider rules |
| Cascading | First authorization attempt may fail | Retry through an alternative provider where appropriate |
| Payment method management | Local methods and wallets behave differently | Configure methods by merchant, country, currency, or risk profile |
| Fraud and risk controls | Checkout design affects risk exposure | Apply fraud rules before or during payment processing |
| Reporting and reconciliation | Multiple providers fragment operations | Centralize transaction, settlement, and reconciliation visibility |
| Merchant management | PSPs must support many merchant setups | Configure checkout, providers, limits, fees, and reports per merchant |
Akurateco’s routing and cascading page also describes intelligent routing as a way to send transactions to the optimal service and cascading as a way to prevent declined transactions by using alternative routes.
The practical point: hosted payment page vs iframe is not only a checkout debate. It is a payment infrastructure decision. The more providers, merchants, payment methods, and markets you manage, the more valuable it becomes to control checkout options through an orchestration layer rather than through disconnected provider integrations.
How to choose between hosted payment page and iFrame gateway
Choose a hosted payment page when speed, simplicity, reliability, broad payment method support, and lower maintenance are more important than complete checkout control. Choose an iFrame when embedded UX and brand continuity are important enough to justify deeper testing, stricter frontend governance, and more integration responsibility.
A simple decision framework:
| Question | Choose hosted payment page if… | Choose iFrame gateway if… |
| How technical are your merchants? | Many merchants need fast, simple integration | Merchants have capable development teams |
| How important is checkout continuity? | Redirect is acceptable | Staying on-page is a major UX requirement |
| Which payment methods matter? | You need redirects, wallets, local methods, 3DS | You mostly use component-friendly methods |
| What is your PCI posture? | You want stronger isolation | You can manage parent-page risk carefully |
| How much branding control do you need? | Configurable branding is enough | You need tighter embedded design |
| How much QA can you support? | Limited cross-browser testing resources | Strong QA across browsers, devices, flows |
| Are you a PSP? | You need scalable merchant onboarding | You support advanced merchants with custom needs |
| Do you use multiple providers? | Use orchestration to standardize checkout | Use orchestration to manage embedded flows consistently |
For many payment companies, the best answer is hybrid:
- Hosted payment page as the default integration for speed and reliability.
- iFrame or embedded components for merchants that need deeper UX control.
- Host-to-host integration for large merchants with strong PCI capability.
- Payment orchestration to manage routing, cascading, reporting, and provider connectivity behind all models.
Common mistakes to avoid
The main mistake is choosing a checkout model only from a visual perspective. Payment teams should evaluate security, redirects, payment methods, provider routing, reporting, and support workload before making the decision.
Common mistakes include:
- Assuming an iFrame automatically removes PCI responsibility.
- Using iFrames without testing 3D Secure and redirect-based methods.
- Treating hosted pages as outdated because they involve redirects.
- Ignoring mobile behavior during checkout testing.
- Over-customizing checkout at the cost of reliability.
- Connecting each payment method through separate provider-specific flows.
- Forgetting webhook-based status confirmation and relying only on frontend redirects.
- Not planning reconciliation and reporting before adding multiple PSPs.
- Offering merchants one checkout type when their needs vary by size and technical maturity.
A hosted payment page may look less embedded, but it can be operationally stronger. An iFrame may look smoother, but it can create hidden complexity. The right decision depends on the payment environment, not just the UI preference.
Conclusion
The hosted payment page vs iframe decision is really a trade-off between simplicity, control, compliance scope, payment method behavior, and operational scalability.
A hosted payment page is often the safer default for PSPs, fintech companies, and merchants that want fast integration, reliable redirect handling, and lower maintenance. An iFrame gateway can be the better fit when embedded checkout experience is a strategic priority and the team can manage the additional technical and compliance responsibilities.
For companies managing multiple merchants, providers, acquirers, payment methods, markets, or reporting flows, the strongest approach is usually orchestration-first. Akurateco can support this model by helping payment companies manage checkout options, provider connectivity, routing, cascading, fraud controls, dashboards, and reconciliation through a unified payment infrastructure layer.
FAQ
What is the difference between a hosted payment page and an iFrame gateway?
A hosted payment page redirects the customer to a secure payment page hosted by the provider. An iFrame gateway embeds provider-hosted payment fields inside the merchant’s checkout page. Hosted pages are usually simpler to maintain, while iFrames offer more checkout continuity but require more testing.
Is a hosted payment page more secure than an iFrame?
A hosted payment page can provide stronger separation because the payment form is hosted outside the merchant checkout page. An iFrame can also be secure when implemented correctly, but the parent page, scripts, browser behavior, and redirect handling must be managed carefully.
Does an iFrame payment gateway reduce PCI scope?
An iFrame payment gateway can reduce direct exposure to cardholder data if sensitive fields are controlled by the provider. However, PCI scope depends on the exact implementation. The merchant still needs to validate compliance based on its environment, scripts, controls, and payment data flow.
Which option is better for 3D Secure and redirect payment methods?
A hosted payment page is usually easier for 3D Secure and redirect-based payment methods because the provider controls the full authentication journey. iFrames can create issues when redirects need to leave the embedded frame, especially when the frame is hosted on a different domain.
Should PSPs offer hosted payment pages or iFrame gateways?
PSPs should usually offer both if their merchant base is diverse. Hosted pages work well for fast onboarding and standard integrations. iFrames or embedded components suit more advanced merchants that need stronger UX continuity and have the technical resources to test and maintain the integration.
How does payment orchestration help with hosted pages and iFrames?
Payment orchestration helps manage different checkout models through one infrastructure layer. It can connect hosted pages, iFrames, routing, cascading, fraud controls, payment methods, dashboards, and reconciliation so PSPs and merchants do not need to manage each provider integration separately.
