In a recent question to the PCI DSS Guru, Gareth asked:

We have a secure web page that is served out from a secure PCI server. Can this be served out in a new browser window or embedded as a frame? Does the URL need to be displayed to prove it is secure (e.g. https://….)?

That’s a good question, Gareth. The PCI DSS standard doesn’t speak to whether your web page must be “obviously secure” to your customers. If the server publishing the page is operating within the confines of the standard and you are following the encryption requirements of PCI DSS Section 4.1, you are probably in good shape as far as the regulation goes.

That said, you should also think about this from a marketing perspective.

Consumers are savvy, and many have been well trained to look for the signs of a secure website before entering sensitive information. If you embed your secure content within a page that contains insecure content, you hide the very cues users have been trained to look for. As you point out, the browser will not show “https” at the beginning of the URL, and users will not see the “lock at the bottom of the screen” that they expect on a secure site.

I would suggest that you avoid framing or embedding the secure page in this way, so that your site is not only secure but also gives the appearance of being secure. After all, perception is reality!