Overview
Checkout.com is a global payment infrastructure provider processing card payments, digital wallets (Apple Pay, Google Pay), and local alternative payment methods across 150+ currencies. Founded in 2012 and headquartered in London, it serves high-volume merchants including direct-to-consumer brands, marketplaces, and financial services platforms. Its browser-side integration — the Frames SDK — renders a PCI-compliant, hosted card entry experience directly on the merchant's checkout page, removing card data from the merchant's domain scope entirely.
Checkout.com holds PCI DSS Level 1 certification and processes payments under acquiring licenses in the UK (FCA-regulated), EU (Central Bank of Ireland), and US, among other jurisdictions. Merchants integrate the Frames SDK via a JavaScript tag loaded from Checkout.com's CDN.
What This Script Does
Script loading: The merchant page loads cdn.checkout.com/js/framesv2.min.js (primary Frames v2 library) or the legacy cdn.checkout.com/js/frames.js. The script is served from cdn.checkout.com and initializes on pages containing payment forms.
Iframe-based card capture: Frames renders three isolated iframes — card number, expiry date, and CVV — each hosted on checkout.com's domain. This iframe architecture means the merchant's JavaScript never has access to raw card data, maintaining PCI DSS scope isolation. Card data is tokenized server-side and a non-sensitive payment token is returned to the merchant.
3D Secure authentication: For transactions requiring 3DS (Mastercard SecureCode, Visa Secure), the SDK either embeds an authentication iframe or redirects to the card issuer's authentication URL, handling the full authentication exchange transparently.
Cookies and session data:
- cko-session — First-party session cookie (Checkout.com domain), session duration, manages transaction state and correlates payment attempts with backend processing records.
- cko-device / device fingerprint tokens — Set to support fraud detection and 3DS device binding; may persist for up to 30 days on the Checkout.com domain.
- Risk signals: Browser characteristics (user agent, screen size, timezone, language), IP address, and behavioral signals during card entry are transmitted to Checkout.com's fraud scoring engine.
Network requests: All payment data flows to api.checkout.com over TLS. No data is sent to third-party ad networks.
Consent & Compliance
Checkout.com falls under the essential consent category for all standard payment processing integrations.
- GDPR/ePrivacy: Payment processing cookies are strictly necessary to complete a transaction explicitly requested by the user. They qualify for the Article 5(3) ePrivacy exemption for technically necessary cookies. The fraud detection data processing is justified under Article 6(1)(b) GDPR (contractual necessity for a payment service) and Article 6(1)(f) (legitimate interest in fraud prevention).
- CCPA/CPRA: Payment data is processed to fulfill a consumer-initiated transaction and qualifies under the service provider exemption. Merchants must list Checkout.com as a payment processor in their privacy policy.
- Data transfers: Checkout.com is subject to GDPR as a UK-based data processor. Post-Brexit UK data transfers rely on the UK Adequacy Decision. Checkout.com maintains Standard Contractual Clauses for EU-US data transfers and participates in the EU-US Data Privacy Framework.
- PCI DSS: Checkout.com is a Level 1 PCI DSS certified service provider. Merchants using Frames reduce their own PCI scope to SAQ A.
Should You Block This Without Consent?
No. Checkout.com scripts are strictly necessary for completing payment transactions initiated by the user. The session and fraud prevention cookies qualify for the strictly necessary exemption under ePrivacy and GDPR. Blocking these scripts would prevent checkout completion entirely. No consent gate is required.
Tracked Domains (1)
checkout.com: Essential
Frequently Asked Questions
Does Checkout.com require consent?
No. Checkout.com scripts are strictly necessary for completing payment transactions initiated by the user. Session and fraud prevention cookies qualify for the strictly necessary exemption under ePrivacy and GDPR. Blocking these scripts would prevent checkout completion entirely.
What does Checkout.com set on a website?
Checkout.com renders card entry fields in isolated iframes on the checkout.com domain, keeping raw card data away from merchant JavaScript. The cko-session cookie manages transaction state, and device fingerprint tokens support fraud detection and 3DS binding, persisting up to 30 days.
How does ConsentStack handle Checkout.com?
ConsentStack classifies Checkout.com as essential, so the Frames SDK and payment session cookies load without requiring visitor consent. This ensures checkout flows remain fully operational while your consent configuration accurately reflects the strictly necessary status of payment processing.