Best way to Build PHP Embedded Payment Frame

I need recommendations for how to build a form/frame that could be embedded within any website that could be used to process a registration and payment.

I know at one time iFrames were designed for this purpose but there are much better ways of doing this and that's where I'm looking for insight.

Here's the back story.
I have a stand-alone registration website that handles very complex needs (housing, group payments, custom questions, multiple payment methods, etc.). For complex events, they really need to come to my site. But for some events that are quite simple, I could write a basic API that would allow interaction between the client site and my site by means of an API.

How I envision it working.
What I would like is that I could give some simple code to a client who would place that code on their page. That code would initiate a command that would read the data from my site via an API interface. Any interaction on the client side would be processed back to my site. So it would look like they never left the client site.

I'm not a JavaScript expert but I would expect that is how this would be done.

Any expert advice for how I should proceed with this would be appreciated. Thanks.
Paul Konstanski (Project Specialist) Asked:

Ray Paseur Commented:
This is not an answer, but please be mindful of the rules about handling money online.  If you give someone else a bit of JavaScript and they install it in a page that uses HTTP (not HTTPS) you could run afoul of PCI compliance.
Paul Konstanski (Project Specialist, Author) Commented:
Thanks for that insight. The API won't even work without an https connection, but thanks for the reminder.
Ray Paseur Commented:

Julian Hansen Commented:
"I know at one time iFrames were designed for this purpose but there are much better ways of doing this"
Sounds like iFrame is a good candidate - why do you not want to use it?

Greetings pkonstan1, establishing a mostly "secure" sign-in and payment setup can have many, many security weaknesses if you are unaware of the factors that are needed to handle attempts to do profitable attacks on your code base, especially on browser-side (JavaScript) API communications. Many that do an API for sign-in, payment, etc. only do the API through server communications in an encrypted exchange (i.e. HTTPS). The iframe may be able to have the client page directly access your HTTPS "stand-alone registration website" and use already tested pages for this operation. I cannot tell you that it is not possible to have this effectively done in JavaScript, with a security level equal to your data's "money" value security needs, but it does require some knowledge about what can be included and what is a risk.

Here is a page that talks about a FEW factors to consider in setting up a browser comm (AJAX in this case) to REST API server -

this just talks about a few of the security factors to consider, for the questioner's specific requirements.

It really does not mention other factors, that may or may not matter to your REST exchange (depending on how you do it).

But keep in mind, that coders that try profitable attacks, are very experienced in this sort of thing, and may set up two or more (fake) accounts in your User system, so that they can access your exchanges with proper credentials, to try and "recognize" holes in your security, from the methods employed in the stages of your operations.
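
An added example, not part of the thread or anyone's posted code: if the form is embedded as an iframe as suggested above, the registration site can state which pages may frame it, and listing only https origins also keeps it out of plain-HTTP pages, the case raised earlier in the thread. The event id, the allowlist and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data: event id => client origins approved to embed that form.
// A real site would load this from its own client records.
const EMBED_ALLOWLIST = [
    'spring-gala' => ['https://client.example', 'https://www.client.example'],
];

/**
 * Accept only a bare https origin (scheme + host + optional port).
 * Returns null for http://, for values carrying a path, query or userinfo,
 * and for anything parse_url() cannot read.
 */
function normalize_https_origin(string $origin): ?string
{
    $p = parse_url($origin);
    if ($p === false || ($p['scheme'] ?? '') !== 'https' || empty($p['host'])) {
        return null;
    }
    foreach (['user', 'pass', 'path', 'query', 'fragment'] as $part) {
        if (isset($p[$part])) {
            return null;
        }
    }
    $host = strtolower($p['host']);
    return isset($p['port']) && $p['port'] !== 443 ? "https://$host:{$p['port']}" : "https://$host";
}

/** Response headers for the embeddable form of one event. */
function embed_headers(string $eventId): array
{
    $origins = array_filter(array_map('normalize_https_origin', EMBED_ALLOWLIST[$eventId] ?? []));
    // No approved origin for this event: 'none' forbids framing altogether.
    $ancestors = $origins ? implode(' ', array_unique($origins)) : "'none'";
    return [
        "Content-Security-Policy: frame-ancestors $ancestors",
        'Strict-Transport-Security: max-age=31536000',
    ];
}

// ?event[]=x would arrive as an array, so treat any non-string as "no event".
$event = is_string($_GET['event'] ?? null) ? $_GET['event'] : '';
foreach (embed_headers($event) as $h) {
    header($h);
}
```

The browser enforces `frame-ancestors` against the embedding page's own origin, so a client page served over HTTP does not match an `https://` entry and the frame is refused.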
Paul Konstanski (Project Specialist, Author) Commented:
I was able to figure out a solution, but I still need to do some work before I finally publish it. I may come back and update this answer once I have it figured out. The security solutions presented are all important.
