As someone who dealt with payment iframes in SPAs I'm so happy I don't have to use any iframes nowadays. There are a few articles how you can "kind of track" when the iframe caused extra history entries then you need to increase your back navigation by the count of them, it was a mess back in the days so not sure how is it solved nowadays.

Today you can still use iframes but most gateways now provide a tokenization api that provides the form to produce the tokenized cc. Afaik tokenized cc isn't falling under PCI.

My big issues with iframes is the checkout process which inevitably has to make callbacks to your api with the results of the transaction. If you're behind any sort of firewall (like most businesses are) you're in for a world of http pain.

The payment gateways still use iframes, they just don’t tell you that.

This is also why styling such forms is always some species of wonky.

The gateways I use don't, or at least give me the option not to.

Those iFrames cause all kinds of headaches when the user hits the back button or double clicks a submit button or does any number of other things that happen thousands of times a day on a moderately high traffic site, and when it messes up you either miss out on a sale (ouch) or charge the customer twice (double ouch).

> The gateways I use don't, or at least give me the option not to.

They usually don't tell you they do. For example, both Stripe and Square use iFrames; otherwise it's not possible to hide credit card entry from your main application.

There are gateways that redirect you away and return you back after payment, but that's a whole another story.

You're right, but it's worth noting that the iframes used today are better at hiding the fact that they're iframes, it's usually hidden behind an API call from a library that you import, and that doesn't affect your browsing history, or at least not as bad as those huge forms used in the past that would essentially replace the page you're on for the sake of paying.