Test whether the merchant dashboard and payment pages are frameable. Missing X-Frame-Options or inadequate frame-ancestors CSP directives on sensitive pages can enable clickjacking attacks.