Secure iframe on unsecure page in a different domain

Question

Our company is looking into allowing third party sites to use our online checkout system.

A client has stated that they would like to be able to use a lightbox style popup to display the checkout. And they would like this to be available on every page of the site, therefore mostly unsecure pages. Our checkout system and the client site are obviously on different domains.

I'm guessing that I could use a secure iframe (using https) to display our checkout system.

Would this iframe actually be secure?

Is the a sensible thing to do? (my gut says no, as how can the user tell the page is secure)

Are there any better ways to achieve this same functionality?

Answer 1

Yes, the iframe would be secure, but you're correct that the customer wouldn't actually be able to tell that it's secure. On the other hand, most users can't tell if a page is secure anyway - a few images of padlocks scattered around will convince most of them.

Could you, when they click to pop out the checkout, send them to the same url under HTTPS then pop it out (you'd need your own SSL certificate of course)?

Answer 2

Have you seen how other similar checkout systems work? For example the paypal checkout on ebay? They take you trough the checkout process "full screen" and back to the original site when the transaction is complete.