A website I work on processes online payments in the UK. Part of this includes a payer-authentication step (aka 3D Secure) - here, the payment provider communicates with the bank's PA provider within an iframe; the customer enters a secret, that's verified, and if all goes well our site receives a response.
Because it happens inside an iframe, and doesn't touch our site, it's opaque to us. Are there any tricks that we could use to
so we can wrap some monitoring around this stage of the process?
Since the name 3D Secure stands for the 3 domains involved, the iframe cannot be your own, hence you have no visibility into what is happening whatsoever. That is the security model; any existing workarounds would mean it's flawed. Some payment providers prefer full-window redirection, which is even more restrictive.
There were some bugs that 'leaked' keyboard events across iframes, but again, that's just an exception.
The only things you can rely on are the result redirections - your success/failure landing pages, and perhaps server-to-server notifications from the ACS (Access Control Server)/your 3DS provider, if available.
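
One way to wrap monitoring around the step using only the points named in the answer above (your own page just before the iframe, the result landing pages, and any server-to-server notification). This is an added example, not part of the original answer; the event names, the timeout and the sample data are constructed assumptions.

```python
from statistics import median

# Constructed sample events: (order_id, kind, unix_ts). "started" is logged by
# our own page just before it renders the provider's iframe; "success" and
# "failure" are logged by our landing pages or a notification handler.
SAMPLE_EVENTS = [
    ("A1", "started", 1000), ("A1", "success", 1042),
    ("A1", "success", 1043),   # duplicate: redirect and notification both arrived
    ("B2", "started", 1010), ("B2", "failure", 1100),
    ("C3", "started", 1020),   # no result: customer gave up or the step hung
    ("D4", "started", 1890),   # still inside the timeout window
    ("E5", "success", 1500),   # result with no recorded start (logging gap)
]

def summarize_3ds(events, now, timeout_s=600):
    """Bracket the opaque iframe step using only events our own site sees."""
    started, result = {}, {}
    for order_id, kind, ts in sorted(events, key=lambda e: e[2]):
        if kind == "started":
            started.setdefault(order_id, ts)
        elif kind in ("success", "failure"):
            result.setdefault(order_id, (kind, ts))  # first result wins
    # Time spent inside the iframe, for orders where both ends were observed.
    durations = [ts - started[o] for o, (_, ts) in result.items() if o in started]
    no_result = [o for o in started if o not in result]
    return {
        "success": sum(1 for k, _ in result.values() if k == "success"),
        "failure": sum(1 for k, _ in result.values() if k == "failure"),
        # Started, never came back, and the timeout has passed.
        "abandoned": sorted(o for o in no_result if now - started[o] > timeout_s),
        "pending": sorted(o for o in no_result if now - started[o] <= timeout_s),
        # Results we cannot pair with a start: worth alerting on separately.
        "orphans": sorted(o for o in result if o not in started),
        "median_seconds": median(durations) if durations else None,
    }

if __name__ == "__main__":
    print(summarize_3ds(SAMPLE_EVENTS, now=2000))
```

A rising abandoned count or median duration is the signal available here; what happens inside the iframe stays invisible.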