I am implementing HostedPayment using an embedded frame. while integrating I have noticed that the generated token is available on the parent page which can be easily manipulated with a different token. As the form and iframe are on the same page so anyone can manipulate the HTML through the inspect the element and inject another token instead of a real one with a different merchant id and all the payment will move to that merchant account. below is the form which your document says to implement. could you please look into it?