Paymentus iFrame Notification



Description of Issue

We have received an email from Paymentus regarding a change to their security settings. Do we need to take any action? Will this impact CSS?



Context
  • Paymentus

  • CSS

  • Citizen Self Service



Cause

Paymentus is a supported payment gateway for Munis Citizen Self Service. Paymentus is restricting the ability for its pages to be embedded in an iframe. An iframe allows one webpage to be embedded in another, and this functionality can be exploited by unethical websites to obscure malicious content.



Resolution

This change by Paymentus will not impact standard deployments of Munis Citizen Self Service (CSS). This change only impacts websites hosted within an iframe, which would be a custom setup. Tyler does not configure CSS to be hosted within an iframe, so any customizations would be the responsibility of the client to support.
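A lock-down of this kind is normally enforced through HTTP response headers that tell the browser which parent pages may frame a response. The following JavaScript is an added example, not Tyler or Paymentus code. It assumes the standard `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers (the notice does not state which mechanism Paymentus uses) and evaluates constructed sample values to show whether a given parent URL would be permitted.

```javascript
// Added example (Node.js or browser). Headers and hostnames are constructed samples.
// Simplification: only the immediate parent is checked; browsers check every ancestor.
function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === self.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme-only source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?\/?$/.exec(s);
  if (!m) return false; // unparseable, or carries a path that an origin cannot match
  const [, scheme, wildcard, host, port] = m;
  const want = scheme ? scheme + ":" : self.protocol;
  if (parent.protocol !== want && !(want === "http:" && parent.protocol === "https:")) return false;
  const effectivePort = parent.port || (parent.protocol === "https:" ? "443" : "80");
  if (port ? port !== "*" && port !== effectivePort : parent.port !== "") return false;
  // "*.county.example" covers subdomains only, not county.example itself
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

function framingAllowed(headers, parentUrl, framedUrl) {
  const parent = new URL(parentUrl), self = new URL(framedUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const directive = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  // An empty source list behaves like 'none'.
  if (directive) return directive.slice(1).some(s => sourceMatches(s, parent, self));
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent.origin === self.origin;
  return true; // no framing restriction in the response
}

// Constructed sample: a policy that allows two client parent sites
const SAMPLE_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; frame-ancestors 'self' https://city.example https://*.county.example",
};
const FRAMED = "https://payments.example/pay?iframe=true";
for (const p of ["https://city.example/billing", "https://uat.county.example/", "https://other.example/"]) {
  console.log(p, framingAllowed(SAMPLE_HEADERS, p, FRAMED));
}
```

A client IT team can feed the headers actually returned by the iframe source URL into `framingAllowed` to confirm that each parent domain submitted on the form is covered.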



Additional Information

The following is the notification Paymentus has emailed to clients regarding this change:


Dear Valued Client,

In an effort to maintain our security position, we would like to inform you of an upcoming change to how you connect to the Paymentus application in our UAT environment. This change will go into effect for UAT at 6 p.m. ET on Tuesday, August 23, 2022 and only impacts clients using an iframe. After the change is made, you will not be able to connect to our application via iframe unless your UAT parent URL is allowed on the Paymentus side. A parent URL is a website that is used to display or embed the Paymentus iframe. Additionally, this change will go into effect for our production environment at 6 p.m. ET on Thursday, September 22, 2022.

We recommend sharing this information with your IT Team to ensure continued connectivity to our UAT and production environments.


What action needs to be taken?


If you are using iframe, you will need to provide your UAT and production parent URLs and domains to Paymentus, so they can be allowed by our team no later than Tuesday, August 16, 2022, in order to maintain connectivity to the Paymentus environments. If you have not previously requested exclusions for your domains, please submit the information to your Account Manager directly, using the following form:

  • Client Name:

  • UAT parent URL/domain:

  • UAT Paymentus iframe URL:

  • PROD parent URL/domain:

  • PROD Paymentus iframe URL:

If multiple domains are used in the parent URLs, please be sure to specify all the domains that invoke Paymentus applications in an iframe.

Please note that all clients using our application via iframe must include “iframe=true” in the iframe source https URL to ensure the page is served appropriately.

If you have any questions, please reach out to your dedicated Account Manager or contact our Customer Service team at 800-420-1663 or customercare@paymentus.com. Our Customer Care associates are available to assist you Monday through Friday, 8 a.m. to 10 p.m. EST and Saturday and Sunday, 8 a.m. to 5 p.m. EST.

Thank you for your continued partnership with Paymentus.