On Sat, Jun 09, 2012 at 02:34:03PM -0700, Scott Howard wrote:
On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard <web@typo.org> wrote:
The main weakness of CVV2 these days is "form history" in browsers (auto complete).
Any website requesting a CVV2 in a form field without the form history/autocomplete being disabled is in breach of PCI compliance, and risks losing their ability to accept credit cards.
And convenience trumps pseudo-security yet again; Chrom(ium) asks me if I want to save my CC details when I put them in (to which I tell it not just "no", but "are you *nuts*?"); presumably this is on forms which include autocomplete=off, since it happens often enough. So I would assume that this PCI compliance tickbox is being ignored by browsers. Whee!

- Matt

--
Ruby's the only language I've ever used that feels like it was designed by a programmer, and not by a hardware engineer (Java, C, C++), an academic theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python).
  -- William Morgan