[FX.php List] Secure Credit Card forms/procedures

Dale Bengston dbengston at tds.net
Wed Sep 15 12:54:37 MDT 2010


Absolutely require the old password to change the password. This prevents others from changing a password on a logged-in but absent user. Always use bullets on password display. Always. The only time I would display the actual password entered is... never.

Display the cc on input, but use bullets and last-4 for display later. I don't think I'd allow editing; I'd allow new cards to be added and the old ones deleted rather than a direct-modify.

Dale

On Sep 15, 2010, at 12:55 PM, Jonathan Schwartz wrote:

> Hi Folks,
> 
> In the never-ending list of subjects not covered in FMP Web Publishing 101, ;-), I am being tossed to and fro by client requests to "fix" security issues on forms such as password change and credit card entry/edit, often after one of their clients complains...and "fix" them back when another client complains in the other direction.
> 
> Sample issues:
> 
> Passwords:
> 	- Require original password to change to new password, or not?
> 	- Display password on screen during entry or use bullets?
> 
> Credit Cards
> 	- Display CC# during entry or use bullets, or one of those bullets+last digit entered routines.
> 	- Which fields to re-display for editing, versus forcing re-entry
> 
> These can be argued either way in a security versus ease of use discussion.
> 
> What resources do you use for design standards and to be able to demonstrate that the design *is* secure?
> 
> Ultimately, I would like to adopt the right level of security...and then be able to back it up if/when challenged.
> 
> Thanks
> 
> Jonathan
> 
> -- 
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-370-5011
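Dale's two recommendations above (verify the current password before accepting a new one, and show only the last four digits of a stored card) in code, as an added PHP example that is not part of the thread or of FX.php; the minimum password length and the sample values are assumptions.

```php
<?php
// Added example, not from the original thread or from FX.php.

// Show only the last four digits of a stored card number. The full PAN is
// accepted on the entry form but is never echoed back to the browser later.
function maskCardNumber(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);   // drop spaces and dashes
    $last4  = substr($digits, -4);
    return str_repeat("\u{2022}", 4) . ' ' . $last4;   // e.g. "•••• 1111"
}

// Require the current password before the new one is stored, so a logged-in
// but unattended session cannot have its password changed by someone else.
// $storedHash is the password_hash() value already on file for the user.
// Returns the new hash to store, or null when the change must be refused.
function changePassword(string $storedHash, string $currentPassword, string $newPassword): ?string
{
    if (!password_verify($currentPassword, $storedHash)) {
        return null;                     // current password wrong: refuse
    }
    if (strlen($newPassword) < 12) {
        return null;                     // assumed minimum length policy
    }
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

// Both inputs are rendered as password fields so the browser shows bullets,
// never the typed characters.
function passwordChangeForm(): string
{
    return '<form method="post" action="change-password.php">'
         . '<input type="password" name="current" autocomplete="current-password">'
         . '<input type="password" name="new" autocomplete="new-password">'
         . '<button type="submit">Change password</button></form>';
}

// Constructed sample values for a stand-alone run.
$hash = password_hash('old-passphrase-123', PASSWORD_DEFAULT);
var_dump(changePassword($hash, 'wrong-guess', 'new-passphrase-456') === null);        // bool(true)
var_dump(changePassword($hash, 'old-passphrase-123', 'new-passphrase-456') !== null); // bool(true)
echo maskCardNumber('4111 1111 1111 1111'), "\n";                                     // •••• 1111
```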
