SmartScreen blocking our company page for accepting payments

Dylan Pomeroy 21 Reputation points


I work at a company that enables business owners to invoice their customers for products and services and accept payments online. This process involves sharing a link to a payment page for a particular invoice that the customer can use to make a credit card payment.

Recently several customers have reported seeing a red SmartScreen box appear over our credit card payment form, which is being hosted via iframe from a PCI-compliant environment in AWS. This has affected several of our merchants, and we are unable to reproduce the issue as the SmartScreen box seems to be based on factors we can't control for (location, operating system, smartscreen settings, etc.)

Are there any steps we can take to prevent or reduce the occurrence of this false-positive SmartScreen overlay? I'm uncertain if there is an allow-list for SmartScreen that we can get certified to, or if there is a way to identify what behaviour on the page is causing SmartScreen to be shown so that we can take steps to remedy.

Thanks in advance for anyone who is able to help! :)

Dylan Pomeroy

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,811 questions
0 comments No comments
{count} votes

Accepted answer
  1. Teemo Tang 11,366 Reputation points

    Hi Dylan,
    If I am a website owner, what can I do to help minimize the chance of my website being flagged by Microsoft Defender SmartScreen?
    There are several things you can do that can help minimize the chance of your site being flagged as suspicious. Think of these as best practices or optimal website design ethics.
    If you ask users for personal information, use HTTPS with a valid, unexpired server certificate issued by a trusted certification authority.
    Make sure that your webpage doesn't expose any cross-site scripting (XSS) vulnerabilities. Protect your site by using anti-cross-site scripting functions such as those provided by the Microsoft Anti-Cross Site Scripting library.
    Use the fully-qualified domain name rather than an IP-literal address. (This means a URL should look like "" and not "")
    Don't encode or tunnel your URLs unnecessarily. If you don't know what this means, you probably aren't doing it.
    If you post external or third-party hosted content, make sure that the content is secure and from a known and trusted source.

    Besides, Report your company website here


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful