[FX.php List] Secure Credit Card forms/procedures
Dale Bengston
dbengston at tds.net
Wed Sep 15 12:54:37 MDT 2010
Absolutely require the old password to change the password. This prevents others from changing a password on a logged-in but absent user. Always use bullets on password display. Always. The only time I would display the actual password entered is... never.
Display the cc on input, but use bullets and last-4 for display later. I don't think I'd allow editing; I'd allow new cards to be added and the old ones deleted rather than a direct-modify.
Dale
On Sep 15, 2010, at 12:55 PM, Jonathan Schwartz wrote:
> Hi Folks,
>
> In the never-ending list of subjects not covered in FMP Web Publishing 101, ;-), I am being tossed to and fro by client requests to "fix" security issues on forms such as password change and credit card entry/edit, often after one of their clients complains...and "fix" them back when another client complains in the other direction.
>
> Sample issues:
>
> Passwords:
> - Require original password to change to new password, or not?
> - Display password on screen during entry or use bullets?
>
> Credit Cards
> - Display CC# during entry or use bullets, or one of those bullets+last digit entered routines.
> - Which fields to re-display for editing, versus forcing re-entry
>
> These can be argued either way in a security versus ease of use discussion.
>
> What resources do you use for design standards and to be able to demonstrate that the design *is* secure.
>
> Ultimately, I would like to adopt the right level of security...and then be able to back it up if/when challenged.
>
> Thanks
>
> Jonathan
>
> --
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-370-5011
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
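Dale's advice as a concrete server-side handler, added here as an example (this is not code from the list thread or from FX.php): the old password is verified before any change, and a saved card is rendered as bullets plus the last four. The user lookup, storage and the 12-character minimum are assumptions for the example.

```php
<?php
declare(strict_types=1);

/**
 * Change the password only when the caller proves knowledge of the current one.
 * $storedHash is the password_hash() value on file for the logged-in user.
 * Returns the new hash to store, or null when the change must be refused.
 */
function changePassword(string $storedHash, string $oldPassword, string $newPassword): ?string
{
    // A live session is not proof of identity: the user may have walked away
    // from a logged-in screen. Require the current password every time.
    if (!password_verify($oldPassword, $storedHash)) {
        return null;
    }
    // Minimum length is an assumed policy, not something the thread specifies.
    if (strlen($newPassword) < 12) {
        return null;
    }
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

/**
 * Render a card number for later display: bullets for everything but the
 * last four digits. Because cards are added and deleted rather than edited,
 * this is the only form in which the stored number ever reaches a page.
 */
function maskCard(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);   // drop spaces and dashes
    $last4  = substr($digits, -4);
    $hidden = max(strlen($digits) - 4, 0);
    return str_repeat("\u{2022}", $hidden) . $last4;
}

// Usage in a form handler (entry fields use type="password" so the browser
// shows bullets during entry; the hash below stands in for the stored value).
$storedHash = password_hash('current-secret-value', PASSWORD_DEFAULT);
$newHash = changePassword($storedHash, $_POST['old_password'] ?? '', $_POST['new_password'] ?? '');
if ($newHash === null) {
    echo 'Password not changed: current password did not verify or new one too short.';
} else {
    // saveUserPasswordHash($userId, $newHash); // assumed storage call
    echo 'Password changed.';
}
echo maskCard('4111 1111 1111 1111');
```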