Being Secure in Facebook
We at Milyoni are asked this often, “Are you secure in your transaction in Facebook?”
Our quick answer is rest assured you are secure, as you are not only secure with the walls of Facebook but also in the ifanstore. In designing the ifanstore we use the “iframe” mode in a browser under Facebook or any Social Network. The meaning of an “iframe” needs to start with the understanding of a “frame” in your favorite browser. The “frame” allows your browser window to be split into segments, each of which can show a different document, our case we show ifanstore. This allows for lower bandwidth use, as repeating parts of a layout can be used in one frame, while variable content is displayed in another. This allows us to have the Facebook part of the frame to not be refreshed and allows us to serve our pages fast and reliable for ifanstore. Here ifanstore is the “iframe”, which technically is actually called “Inline Frames” are windows cut into your webpage that allow your to view another page on a site or off another site without reloading the entire page. For the ifanstore the parent frame is a Social Networking site like Facebook, MySpace or Bebo and the iframe is the ifanstore. Below you can see the browser link is a Facebook location of the ifanstore, but the “iframe” is pointing at our secured HTTPS page to being the transaction of a purchase.
So take me though this. So in Facebook, as example, you typically logon into Facebook to start. Secondly, when you enter our ifanstore our product pickups the default parent mode of HTTP. When you are done selecting products and starting to check out the HTTPS pages are secured (SSL) links with a GoDaddy.com Web Server Certificate. So the “iframe” here is secured down and we present the 
“lock’ icon on HTTPS pages. We also designed all the transactions in the ifanstore from each step (#1 – Billing and Shipping Information, #2 – Shipping Method, #3 – Transaction, #4 Completion and Registration) to be protected with up to 256-bit Secure Socket Layer encryption. Traditionally most ecommerce website do not secure steps #1, #2 or Registration, but we do to protect our trust with our consumers.
But still, “Your address does not show as HTTPS?”
Again for the URL in the browser input area does not showing HTTPS, that is correct and is by design. Remember we are an “iframe” embedded inside of Facebook (or a Social Network) and we don’t expose those links visually. We believe this is actually more secure as the customer never sees the links presented to them, nor can questionable screen scraping technologies grab your URL link. If you wish to feel safe, actually anytime in a browser, hover over the area of concern and right click to properties. This is the best way to understand where the page is being served from. Milyoni always wants to understand the worries of the consumers or partners, so feedback is always important. So I hope this helps your understanding of frame vs. iframe and how Milyoni is securing your transaction better than first scene (seeing is not believing in this case!). – JL
Social Entertainment Blog | Milyoni Blog 
Thank you for addressing this. I am curious to know if you follow PCI standards and if there have been any concerns raised around this specific topic. Also, what the possibilities for Facebook IFrame hacks? Is there a chance that I could have a Facebook Profile hack that could use the same cross-domain approach Facebook is using to record a credit card number?
Security of our stores is now both the client and our personal responsibility. Shopping cart software is first and foremost about security. Milyoni with our base source code is proud to be one of the few eCommerce applications to be both PA-DSS (Payment Application-Data Security Standard) and PCI compliant. As we are hosting our own ifanstore on a Rackspace Cloud architectures, using a PA-DSS eCommerce system is no longer something that is simply “nice to have.”
All our partnering merchants faced a July 1, 2010 deadline (a deadline imposed by PCI SSC and all major credit card companies), at that time the systems they use to process credit card transactions must be “PA-DSS compliant;” meaning they must comply with new data security standards established by the PCI SSC (Payment Card Industry Security Standards Council). Merchants not using PA-DSS compliant systems by that date cannot technically be compliant with PCI standards and will be in danger of losing their merchant account; i.e., their right to accept credit card transactions (though this may only be discovered via a “forensic” assessment after a security breach).
PA-DSS represents a very specific set of requirements that systems must meet if they are to be used in processing credit cards. Systems must be audited by a PCI DSC approved assessor who will assign a “pass” or “fail” to the application. Those that pass will be put on an official list of PA-DSS compliant applications (available online at http://www.pcisecuritystandards.org).
For the Facebook questions there are always a possibility of someone hacking a website. The ability to be presented within a Facebook iframe does allow us to monitor the entrance of the user down to their profile even in a possible hack and deny access. So lets say you have a blacklist country and that profile matches that information we can deny entrance to our store. Another possiblity in Facebook is a fake profile, but we scan IP addresses and if the profile and the IP address of the client is very strange we can close the store. As we allowing the entrance to the store allows us to also defend the Facebook iframe and our stores. Our partnership with Facebook allows us alot of application data so hopefully we can work to stay safe and secure.
For the question around credit card numbers we pass them to a payment vendors, we do not store this information nor use the Faceook Credit system as this is only for virtual goods offerings.