Should the Payment Request API only be available in a top-level browsing context? #2
The proposals made at the f2f would significantly impact the user experience for merchants. Many small or even large merchants use iframes in their payment processing to delegate to a 3rd party.
Today it is possible for an iframe to request payments, so a move to the user agent mediated approach is a massive step in the right direction for security.
The user-agent can do lots to call out who the payment request is being made and we could even do things such as allow a merchant's website to nominate which iframes should be allowed to request payments.
In TAG review @triblondon said:
[This issue discusses] whether iframes should be able to request payment. It seems like a severe limitation to me to prohibit that mode of use.
We require a comprehensive proposal to address this use case that considers how a merchant may put an iframe into their site that is able to call the payments API but only with the explicit permission of the merchant.
We should also consider what user permissions should be required for this and consult with @w3c/webappsec-admin for guidance.
This issue comes from WICG/paymentrequest#30 and was discussed at the F2F.