iframes with allowpaymentrequest attribute are allowed to make payment requests.

third_party/WebKit/LayoutTests/payments/resources/payment-request-in-iframe-nested-expect-failure.html

+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Test for PaymentRequest in an iframe</title>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<iframe allowpaymentrequest srcdoc="
+<!DOCTYPE html>
+<meta charset='utf-8'>
+<script>
+window.top.test(function() {
+    window.top.assert_throws({name: 'SecurityError'}, function() {
+        new PaymentRequest([{supportedMethods: ['foo']}], {total: {label: 'label', amount: {currency: 'USD', value: '5.00'}}});
+    }, 'If the ancestor iframe does not specify allowpaymentrequest, then throw a SecurityError.');
+});
+</script>
+"></iframe>