VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 General help me questions
 Credit cards stored in browser fields
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Alina
Starting Member

Canada
20 Posts

Posted - October 03 2005 :  14:29:29  Show Profile  Visit Alina's Homepage  Reply with Quote
Hi Everyone

I have had quite a week. My host had a major crash, and reverted to backups, causing my database to be marked as read-only, and blocking my shipping and payment ports.

Just today I noticed another problem (that I don't believe ever happened before all this) my credit card processing page (I use psicomcheckout.asp) is storing card numbers (and expiry dates, and CVN's) in the fields. So that if you double click on the field you can bring up card numbers that have been entered in the past)

I know that this is a new problem, because I only have 2 card numbers available now in the list (both from recent entries) and none from entries before the big crash.

This is certainly a security issue. - but I don't understand how it could have happened.

devshb
Senior Member

United Kingdom
1898 Posts

Posted - October 03 2005 :  17:04:21  Show Profile  Visit devshb's Homepage  Reply with Quote
that'll just be a browser setting, where your browser stores field values in its history that you've entered before; those values/histories won't be available on other people's pcs (ie it's not stored server-side, just in your browser history)

because of browser history, whenever using a shared pc you should always clear out all your cookies, history, and temp-internet-files before leaving the pc.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons
Go to Top of Page

Alina
Starting Member

Canada
20 Posts

Posted - October 04 2005 :  12:32:28  Show Profile  Visit Alina's Homepage  Reply with Quote
There must be something you can do to override this, that is hard-coded on the page. When I go to my online banking, my card number is not stored there. I'm not worried that other people will see the ones I enter, I am worried that if more than one person use a computer they could see each other's card#s, ie. A Parent enters their card#, their child could get it by going to the same page, and double clicking the field. And this would reflect badly on my site.

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - October 04 2005 :  13:23:09  Show Profile  Visit apswater's Homepage  Reply with Quote
You should be using a gateway and not storing any credit cards on your site. That fixes that problem and the hacks that will come one day.

Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - October 04 2005 :  16:45:58  Show Profile  Visit devshb's Homepage  Reply with Quote
I don't think there's anything you can do about it as far as coding goes; it's a browser setting which you can't override with your own code.
Banks probably get round it by having explicit timeouts on their pages/sessions and by doing things like creating different urls for each visit and dynamically named fields.

I'd echo aspwater's comments that security for cards is best left to the gateway providers, because there are such a huge number of security implications for capturing card numbers on your site that you're just asking for trouble unless you use a gateway.

Don't forget that if you're capturing cards yourself then potentially you're not just liable for your own losses, but you're also potentially liable for the losses of people whose cards get stolen via your site.

If you are capturing cards on your site, then really you need to employ a full time person to ensure that things are always kept 100% secure and that all relevant laws are abided by and all relevant safeguards are implemented, because it's a huge liability.

But I might be on the wrong track; it might be that psicheckout is pointing to a gateway-card-entering page and not just a gateway-card-processing page, in which case you'd need to contact the psi people.

If you're using a shared pc between the family, then you should be using a different profile/user for each person, and then those details won't be available to the other users.

If you're using a shared pc with the public then you should be answering "no" to any "do you want to remember....?" questions and cleaning out the history/cookies/temp-files before leaving.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on October 04 2005 17:09:28
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000