Channel: OutSystems Community

[Forums] how to allow X-Frame-Options to sameorigin?


So your payment gateway web screen has this X-Frame-Options: SAMEORIGIN?

They must also have Content-Security-Policy (CSP) defined then.

Otherwise no website can embed their payment gateway screen.


Visit this URL: https://headers.cloxy.net/
Type your payment gateway URL, and tick the "I'm not a robot" box (verify you're a human if needed).


Look for headers:

- content-security-policy

- x-content-security-policy

- x-webkit-csp


Look for an asterisk (*) in their CSP frame-ancestors; that indicates the page allows itself to be embedded on any domain.


Most modern browsers (Chrome/Firefox/Edge) will prioritize CSP over X-Frame-Options.

For Safari, though, you're doomed, because Safari prioritizes X-Frame-Options over CSP, so you need to ask the payment gateway to remove X-Frame-Options from their web page.


Ref:

https://www.outsystems.com/forums/discussion/49280/how-to-remove-x-frame-options-safari-ios-embedding-problem/

https://stackoverflow.com/questions/54463608/how-to-fix-safari-ignoring-content-security-policy-when-x-frame-options-are-spec

Problem is that Safari 12 as of January 2019 still prioritizes X-Frame-Options over Content-Security-Policy.
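The header check described in the post, written out as an added example (this is not code from the original post or from OutSystems): it looks up frame-ancestors under the three CSP header names listed above, flags the `*` wildcard, reads X-Frame-Options, and then decides whether a given embedding origin may frame the page under the two precedence orders the post describes (CSP frame-ancestors first, as in Chrome/Firefox/Edge; or X-Frame-Options applied before CSP, the Safari behaviour the post reports). The gateway URL `https://pay.example-gateway.test/checkout`, the merchant origins and the `SAMPLE_HEADERS` dict are constructed for illustration; substitute the headers you read off the header-checking site.

```python
"""Decide whether a page's response headers let a given origin frame it.

Added example for this thread, not the post's or OutSystems' own code.
Implements the check described in the post: read frame-ancestors from the
CSP-style headers, note any '*' wildcard, read X-Frame-Options, and combine
them under the browser precedence orders the post describes.
"""
from urllib.parse import urlsplit

CSP_HEADER_NAMES = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample (assumption): a gateway page sending both headers, as in the thread.
GATEWAY_PAGE = "https://pay.example-gateway.test/checkout"
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.merchant.test",
}


def parse_csp(value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # First occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def origin_key(url):
    """(scheme, host, effective port): what 'self' / SAMEORIGIN compare."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, embedder, page):
    """Does one frame-ancestors source expression match the embedding origin?"""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return origin_key(embedder) == origin_key(page)
    if s == "*":
        return True  # the wildcard the post says to look for: any origin may frame
    e_scheme, e_host, e_port = origin_key(embedder)
    if s.endswith(":") and "://" not in s:  # scheme-source such as "https:"
        return e_scheme == s[:-1]
    scheme, rest = s.split("://", 1) if "://" in s else (None, s)
    host, _, port = rest.partition(":")
    if scheme is None:
        # No scheme in the source: the page's own scheme or https is accepted.
        if e_scheme not in (origin_key(page)[0], "https"):
            return False
    elif scheme != e_scheme:
        return False
    if port and port != "*" and port != str(e_port):
        return False
    if host.startswith("*."):
        # "*.merchant.test" matches shop.merchant.test but not merchant.test itself.
        return e_host.endswith(host[1:])
    return e_host == host


def frame_ancestors_sources(headers):
    """frame-ancestors sources from the first CSP-style header that has them, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in CSP_HEADER_NAMES:
        if name in h:
            sources = parse_csp(h[name]).get("frame-ancestors")
            if sources is not None:
                return sources
    return None


def x_frame_options_allows(headers, embedder, page):
    """True/False from X-Frame-Options, or None when absent or unrecognised."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("x-frame-options")
    if value is None:
        return None
    v = value.strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return origin_key(embedder) == origin_key(page)
    return None  # obsolete ALLOW-FROM and typos are not honoured by current browsers


def may_embed(headers, embedder, page, xfo_first=False):
    """Can `embedder` frame `page`?

    xfo_first=False: frame-ancestors governs when present and X-Frame-Options is
    only consulted when the CSP says nothing (the Chrome/Firefox/Edge order).
    xfo_first=True: X-Frame-Options is applied before the CSP is read (the Safari
    order the post describes), so SAMEORIGIN blocks a cross-origin embedder
    regardless of what frame-ancestors allows.
    """
    xfo = x_frame_options_allows(headers, embedder, page)
    if xfo_first and xfo is False:
        return False
    sources = frame_ancestors_sources(headers)
    if sources is not None:
        return any(source_matches(s, embedder, page) for s in sources)
    if xfo is not None:
        return xfo
    return True  # neither header present: any site may frame the page


if __name__ == "__main__":
    merchant = "https://shop.merchant.test"
    print("frame-ancestors:", frame_ancestors_sources(SAMPLE_HEADERS))
    print("CSP-first browser:", may_embed(SAMPLE_HEADERS, merchant, GATEWAY_PAGE))
    print("XFO-first browser:", may_embed(SAMPLE_HEADERS, merchant, GATEWAY_PAGE, xfo_first=True))
```

With the sample headers, a merchant subdomain is allowed under the CSP-first order and refused under the X-Frame-Options-first order, which is exactly the gap the post describes: the only fix on the gateway side is to drop X-Frame-Options and rely on frame-ancestors alone.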


