 Credit cards stored in browser fields
Alina
Starting Member

Canada
20 Posts

Posted - October 03 2005 : 14:29:29
Hi Everyone

I have had quite a week. My host had a major crash, and reverted to backups, causing my database to be marked as read-only, and blocking my shipping and payment ports.

Just today I noticed another problem (that I don't believe ever happened before all this): my credit card processing page (I use psicomcheckout.asp) is storing card numbers (and expiry dates, and CVNs) in the fields, so that if you double-click on the field you can bring up card numbers that have been entered in the past.

I know that this is a new problem, because I only have 2 card numbers available now in the list (both from recent entries) and none from entries before the big crash.

This is certainly a security issue. - but I don't understand how it could have happened.

devshb
Senior Member

United Kingdom
1904 Posts

Posted - October 03 2005 : 17:04:21
That'll just be a browser setting, where your browser stores field values you've entered before in its history; those values/histories won't be available on other people's PCs (ie it's not stored server-side, just in your browser history).

Because of browser history, whenever using a shared PC you should always clear out all your cookies, history and temporary internet files before leaving the PC.

Simon Barnaby
Developer
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Alina
Starting Member

Canada
20 Posts

Posted - October 04 2005 : 12:32:28
There must be something you can do to override this, that is hard-coded on the page. When I go to my online banking, my card number is not stored there. I'm not worried that other people will see the ones I enter; I am worried that if more than one person uses a computer they could see each other's card numbers, ie. a parent enters their card number, and their child could get it by going to the same page and double-clicking the field. And this would reflect badly on my site.

apswater
VP-CART Super User

444 Posts

Posted - October 04 2005 : 13:23:09
You should be using a gateway and not storing any credit cards on your site. That fixes that problem and the hacks that will come one day.


devshb
Senior Member

United Kingdom
1904 Posts

Posted - October 04 2005 : 16:45:58
I don't think there's anything you can do about it as far as coding goes; it's a browser setting which you can't override with your own code.
Banks probably get round it by having explicit timeouts on their pages/sessions and by doing things like creating different urls for each visit and dynamically named fields.

I'd echo apswater's comments that security for cards is best left to the gateway providers, because there are such a huge number of security implications for capturing card numbers on your site that you're just asking for trouble unless you use a gateway.

Don't forget that if you're capturing cards yourself then potentially you're not just liable for your own losses, but you're also potentially liable for the losses of people whose cards get stolen via your site.

If you are capturing cards on your site, then really you need to employ a full time person to ensure that things are always kept 100% secure and that all relevant laws are abided by and all relevant safeguards are implemented, because it's a huge liability.

But I might be on the wrong track; it might be that psicheckout is pointing to a gateway-card-entering page and not just a gateway-card-processing page, in which case you'd need to contact the psi people.

If you're using a shared PC between the family, then you should be using a different profile/user for each person, and then those details won't be available to the other users.

If you're using a shared PC with the public then you should be answering "no" to any "do you want to remember....?" questions and cleaning out the history/cookies/temp files before leaving.

Edited by - devshb on October 04 2005 17:09:28
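The thread's open question, whether the page itself can stop the browser remembering card fields, as an editor's added example (not code from the original posts, VP-ASP or PSiGate). Browsers have honored the non-standard `autocomplete="off"` attribute on inputs and forms since Internet Explorer 5, so a checkout page can mark the card number, expiry and CVN fields and the browser will not offer earlier values back from its form history. Current browsers ignore the attribute for some field kinds (logins and addresses in particular), so treat it as reducing what a shared PC retains rather than as a substitute for the gateway-hosted entry page recommended above. The script below audits a form's markup for card-data inputs that lack the attribute and emits a hardened copy; the field-name patterns and the sample form are assumptions, not VP-ASP's real field names.

```javascript
// Editor's added example (not VP-ASP or PSiGate code): audit checkout markup
// for card-data inputs a browser may remember through form autocomplete, and
// emit a hardened copy carrying autocomplete="off" on those inputs.

// Assumed naming conventions for card fields. Adjust to the real form.
const CARD_FIELD_PATTERNS = [
  /card_?(num|no)|cc_?(num|no)/i,               // primary account number
  /cvv|cvc|cvn|cv2|security_?code/i,            // card verification value
  /exp(iry|ire|ires|date|month|year|mm|yy|_)/i  // expiry date parts
];

const AUTOCOMPLETE_ATTR = /\s+autocomplete\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/gi;

// Extract every <input ...> tag with its attributes. Intentionally minimal:
// enough for a form audit, not a general HTML parser.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    inputs.push({ tag: m[0], attrs });
  }
  return inputs;
}

function isCardField(attrs) {
  const key = `${attrs.name || ""} ${attrs.id || ""}`;
  return CARD_FIELD_PATTERNS.some((re) => re.test(key));
}

// Names of card-data inputs the browser may offer back later: text-like
// inputs without autocomplete="off". Hidden, submit, button and password
// inputs are not part of form-history autocomplete (password managers are
// a separate concern).
function auditCardForm(html) {
  return parseInputs(html)
    .filter(({ attrs }) => {
      const type = (attrs.type || "text").toLowerCase();
      if (["hidden", "submit", "button", "password"].includes(type)) return false;
      return isCardField(attrs) && (attrs.autocomplete || "").toLowerCase() !== "off";
    })
    .map(({ attrs }) => attrs.name || attrs.id || "(unnamed)");
}

// Rewrite the markup so every card-data input carries autocomplete="off",
// replacing any autocomplete attribute already present. Other inputs are
// left exactly as they were.
function hardenCardForm(html) {
  return html.replace(/<input\b([^>]*)>/gi, (tag, inner) => {
    const { attrs } = parseInputs(tag)[0];
    if (!isCardField(attrs)) return tag;
    const selfClosing = /\/\s*$/.test(inner);
    const rest = inner.replace(/\s*\/\s*$/, "").replace(AUTOCOMPLETE_ATTR, "");
    return `<input${rest} autocomplete="off"${selfClosing ? " /" : ""}>`;
  });
}

// Constructed sample form, shaped like the card-entry page the thread
// describes. Field names are assumptions, not VP-ASP's.
const SAMPLE_FORM = `
<form method="post" action="psicomcheckout.asp">
  <input type="text" name="ordername" size="40">
  <input type="text" name="cardnumber" size="20">
  <input type="text" name="cardexpiry" size="5">
  <input type="text" name="cardcvn" size="4">
  <input type="hidden" name="orderid" value="12345">
  <input type="submit" value="Pay">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("remembered before:", auditCardForm(SAMPLE_FORM));
  const hardened = hardenCardForm(SAMPLE_FORM);
  console.log("remembered after:", auditCardForm(hardened));
  console.log(hardened);
}
```

Running it against the sample reports the three card fields, then none after hardening. Setting `autocomplete="off"` on the `<form>` element covers every field at once if the page has no other inputs worth remembering; per-field marking, as here, leaves the shopper's name and address autocomplete intact.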