Secure service for receiving sensitive information through nested iframes

What is claimed is: 1. A method, comprising: receiving a request to enter sensitive information, the request received from a webpage rendered on a client device, the request includes a first access token; invoking a user interface host to validate the first access token provided in the request, the user interface host invoked using a first iframe; validating the first access token provided in the request using the user interface host, the validating of the first access token causes retrieval of a second access token by the user interface host for accessing a secure zone; invoking a vault host within the secure zone using the second access token, the vault host in the secure zone used to validate the second access token; and receiving a response from the vault host in the secure zone, in response to validating the second access token, the response including a command to allow access to one or more fields on the webpage for entering the sensitive information, the response forwarded to the client device for processing to allow access to the one or more fields on the webpage, wherein the response is provided to the first iframe through a second iframe and a third iframe that are hosted within the secure zone, the third iframe being nested within the second iframe, the third iframe being accessed by invoking the second iframe, wherein method operations are performed by one or more processors. 2. The method of claim 1 , wherein the invoking of the vault host within the secure zone is performed by the user interface host. 3. The method of claim 1 , wherein the second iframe and the third iframe are different from the first iframe, and wherein the second iframe is nested within the first iframe. 4. The method of claim 1 , wherein the second iframe and the first iframe are hidden from view on the webpage. 5. The method of claim 1 , wherein the third iframe is rendered as content by a browser on the webpage. 6. The method of claim 1 , wherein the third iframe is rendered in a popup window. 7. The method of claim 1 , wherein the user interface host is one or more of a virtual server or a non-virtual server hosted by a cloud service provider. 8. The method of claim 1 , wherein the vault host within the secure zone includes one or more servers that are not virtual servers. 9. The method of claim 1 , wherein the one or more fields are part of a user interface form rendered by a native mobile application. 10. The method of claim 1 , wherein the one or more fields are part of a user interface form rendered by a browser on the webpage. 11. A non-transitory computer-readable medium having program instructions defined thereon for executing a service for receiving sensitive information, a user interface configured for using the service, the program instructions including: program instructions for receiving a request for entering the sensitive information from the user interface hosted by a server outside a secure zone, the request being received by a server within the secure zone through a third, second, and first iframes, the second iframe being invoked upon successful validation of an access token received with the request, the first iframe being invoked upon successful validation of a secure zone access token received via the second iframe, wherein the third iframe is hosted by the server outside the secure zone and the first and the second iframes are hosted by the server within the secure zone, the first iframe nested within the second iframe and the second iframe nested within the third iframe; program instructions for hiding the second and the third iframes from view in the user interface; and program instruction for forwarding a command using the first iframe to the third iframe through the second iframe to display at least one field of a form on the user interface for receiving sensitive information on the user interface. 12. The non-transitory computer-readable medium of claim 11 , wherein the program instructions for receiving the request further includes, program instructions for validating the request; and program instructions for invoking the server inside the secure zone using the third iframe and passing the access token and other data provided in the request, upon successful validation of the request. 13. The non-transitory computer-readable medium of claim 11 , wherein the server outside the secure zone is a virtual server hosted by a cloud service provider. 14. The non-transitory computer-readable medium of claim 11 , wherein the sensitive information comprises payment card information. 15. The non-transitory computer-readable medium of claim 11 , wherein program instructions for processing the request are configured to receive the request from a native mobile application or a web browser. 16. A non-transitory computer-readable medium having program instructions defined thereon for executing a service for receiving sensitive information, a user interface configured for using the service, the program instructions including: program instructions for receiving a request for entering sensitive information, from the user interface hosted by a server outside a secure zone, the request being received by a server within the secure zone through a third, second, and first iframes, the second iframe being invoked upon successful validation of an access token received with the request, the first iframe being invoked upon successful validation of a secure zone access token received via the second iframe, wherein the first iframe is nested within the second iframe and the second iframe is nested within the third iframe; program instructions for hiding the second and the third iframes from view in the user interface; and program instruction for forwarding a command using the first iframe to the third iframe through the second iframe to display at least one field of a form on the user interface for receiving sensitive information on the user interface. 17. The non-transitory computer-readable medium of claim 16 , wherein the third iframe is hosted by the server outside the secure zone and the first and the second iframes are hosted by the server within the secure zone.