On 14 Apr 2005 Chris Shiflett wrote:

> When a user enters a credit card number, there may likely be a 
> verification step before the actual purchase is made. It's better to 
> keep this number on the server (in the session data store) than to 
> unnecessarily expose it over the Internet again (SSL mitigates the risk, 
> but an unnecessary risk is still worth avoiding).
> 
> Being mindful of this, it's also helpful to not even display it to the 
> user, instead showing only the last four digits or something, because 
> this display also counts as exposure (since it's in the response).

There is one case where redisplaying the number (via https) makes sense 
to me -- when it fails a verification check.  The obvious example is a 
simple check-digit error due to a typing error on the user's part.  In 
this case the option is either expecting the user to retype the entire 
number every time they make a mistake, or accepting the -- to me 
minimal -- risk in sending it back for editing when redisplaying the 
form and error message.  But doing that does require putting the CC # 
in some form into session storage (or some kind of storage) in the case 
where the processing / validation and display scripts are separate and 
the processing script needs to pass posted data back for redisplay.  

Re last four digits, I have noticed that many sites seem to be going to 
showing the last five or six, first four plus last four, etc.  
Apparently people are finding that last four alone isn't sufficient for 
users to recognize the card.  


--
Tom
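Added example, not code from this thread or from either poster: the check-digit validation, server-side session storage and masked redisplay Tom describes, in PHP. The function names (luhnValid, maskCard), the cc_* session keys and form.php are assumptions.

```php
<?php
// Added example, not from the thread: Luhn check-digit validation plus a
// masked-redisplay policy. Function and session key names are hypothetical.

/** True when the digits of $number pass the Luhn (mod 10) check-digit test. */
function luhnValid(string $number): bool
{
    $digits = preg_replace('/\D/', '', $number);
    $len = strlen($digits);
    if ($len < 13 || $len > 19) {
        return false;
    }
    $sum = 0;
    $double = false;                 // every second digit from the right is doubled
    for ($i = $len - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;             // same as summing the two digits of the product
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Keep only the first $first and last $last digits, e.g. 4111********1111. */
function maskCard(string $number, int $first = 0, int $last = 4): string
{
    $digits = preg_replace('/\D/', '', $number);
    $len = strlen($digits);
    if ($len <= $first + $last) {    // too short to mask meaningfully: hide everything
        return str_repeat('*', $len);
    }
    $tail = $last > 0 ? substr($digits, -$last) : '';
    return substr($digits, 0, $first) . str_repeat('*', $len - $first - $last) . $tail;
}

// process.php: validate the posted number; keep it server-side, never echo it unmasked.
session_start();
$entered = $_POST['cc_number'] ?? '';
if (luhnValid($entered)) {
    $_SESSION['cc_number']  = $entered;                 // used later by the purchase step
    $_SESSION['cc_display'] = maskCard($entered, 4, 4); // what the confirmation page shows
    unset($_SESSION['cc_retry'], $_SESSION['cc_error']);
} else {
    // Check-digit failure is almost always a typo: hand the value back once for editing.
    $_SESSION['cc_retry'] = $entered;
    $_SESSION['cc_error'] = 'Card number failed its check digit; please correct it.';
}
header('Location: form.php');    // form.php reads cc_retry (HTML-escaped), then unsets it
```

The display script should escape cc_retry with htmlspecialchars() before placing it in the form's value attribute and unset the key once rendered, so the full number is sent back over https only for that one correction.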

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
