An iframe is no more secure than Recurly.js.

First of all, the biggest concern is attack surface. If credit cards went through your server, any complex web application would have a number of locations where the CC would be logged in plaintext. In this case a compromise would not only make it possible to collect new credit cards as they are entered into the system, but also past credit cards in logs. Any of the three options (iframes, hosted pages, and Recurly.js) reduces this attack surface, because credit cards never pass through your backend to be logged, and the Recurly backend, being PCI Level 1, clearly prevents them from ever being logged.

Now, if, say, your web application was vulnerable to an XSS attack on one of your payment pages, it would be just as easy to replace the iframe src and spoof the CC processor's hosted page as it would be to drop in some JS that reads the value of input fields and tunnels them out to the attacker. On that note... even an integration as seemingly foolproof as linking to a third-party hosted page is vulnerable to the same attack, by replacing the href of the link.

The takeaway is that Recurly.js removes as much of the PCI scope as we possibly could without us building and hosting your entire website. Also, watch out for XSS attacks, and don't let your server get rooted.
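The first paragraph's point, that card numbers which pass through your own backend end up in plaintext logs, is the kind of thing a defender wants to be able to find and stop. The following is an added example (not code from the comment above or from Recurly): a Luhn-checked PAN redactor that can be run over existing log lines or attached as a standard `logging.Filter` so a PAN never reaches a log sink in the first place. The log lines, helper names and the `[REDACTED-PAN ...]` marker are all constructed for this example.

```python
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (so longer digit runs are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Replace Luhn-valid card numbers in a line, keeping only the last four digits."""
    def repl(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # Length is re-checked on the bare digits; separators inflate the raw span.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "[REDACTED-PAN last4=" + digits[-4:] + "]"
        return raw              # digit run that fails Luhn: leave it alone
    return PAN_RE.sub(repl, line)


def scan_lines(lines):
    """Redact a batch of log lines; returns (redacted_lines, number_of_lines_changed)."""
    redacted = [redact_pans(line) for line in lines]
    hits = sum(1 for before, after in zip(lines, redacted) if before != after)
    return redacted, hits


class PanRedactingFilter(logging.Filter):
    """Logging filter that rewrites the message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args, then store the redacted text back.
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


# Constructed sample log lines (not from any real system); the card number is
# the well-known Visa test number, the last line is a Luhn-invalid digit run.
SAMPLE_LOGS = [
    "2024-05-01 12:00:01 INFO checkout POST /pay card=4111111111111111 amount=19.99",
    "2024-05-01 12:00:02 DEBUG form fields: number='4111 1111 1111 1111' exp='12/29'",
    "2024-05-01 12:00:03 INFO order id=1234567890123456 status=created",
]


if __name__ == "__main__":
    cleaned, hits = scan_lines(SAMPLE_LOGS)
    print(f"{hits} line(s) contained a card number")
    for line in cleaned:
        print(line)

    # Same protection applied at the source: the filter is attached to the
    # logger, so the handler only ever receives the redacted message.
    logger = logging.getLogger("checkout")
    logger.addFilter(PanRedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger.info("retrying charge for card=%s", "4111-1111-1111-1111")
```

Two design points: the Luhn check keeps request ids and timestamps from being mangled (the third sample line survives untouched), and applying the redaction as a `logging.Filter` on the logger rather than on a handler means every handler, including ones added later, gets the scrubbed record. A long Luhn-valid order id would still be redacted, which is the safe direction for a payment system.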
