Technically, they aren't who you should loop in. Because Expedia is a merchant, the entity initially responsible for this will be their acquiring bank.
If it is an iframe, then there is no requirement for the original site to be encrypted to be compliant with PCI. At no stage does the cardholder's information go anywhere near the original site. It is sent directly to the payment processor.