
Friday, September 9, 2016

Dear Credit Card taker - turn off autocomplete

This is a letter I sent today to <security certification organization>. As they have not had time to respond, I will protect their name. They *were* using https at least. I realize that there are different names for this with different browsers - AutoFill (Safari/Chrome), Auto Form Fill (Firefox), AutoComplete (Internet Explorer), but the concept is the same. Turning off this feature has been around since at least 2011. Also, it should be turned off for the CVV as well.

Dear <Security Certification Organization>
I am a new member. I registered today putting my credit card into your system to pay the annual dues. I then went back and added on-line training. I found it disturbing that an organization promoting and certifying security people would not have autocomplete turned off for credit cards being accepted on-line. This makes me question whether other security precautions have been taken and how much I should trust the <Security Certification Organization>'s web site.

Always, always set autocomplete="off" in the input tag. For example:
<input autocomplete="off" name="cc" type="text">


So, perhaps it might look like this (I have not validated this):
<input autocomplete="off" class="form-control" id="j_id0:j_id1:j_id2:j_id45:j_id46:j_id47:j_id48_11:j_id539:CreditCardNumber" maxlength="255" name="j_id0:j_id1:j_id2:j_id45:j_id46:j_id47:j_id48_11:j_id539:CreditCardNumber" onkeyup="toggleSelectedCreditCard(this);" pattern="[0-9]{13,16}" required="required" size="20" type="text" />
Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.
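A quick way to check a payment page for this mistake is to scan its markup for card-like inputs that do not set autocomplete="off". The script below is an added example, not part of the letter or the organization's site; the field-name heuristics, the PAN-length pattern test and the sample form (modelled on the markup quoted above) are assumptions constructed for this check.

```python
import re
from html.parser import HTMLParser

# Heuristics for spotting card fields (assumption: a hand-picked list, not a standard).
CARD_SUBSTRINGS = ("creditcard", "cardnumber", "cardno", "ccnum", "securitycode")
CARD_TOKENS = {"cc", "ccn", "pan", "cvv", "cvc", "cvn", "cid"}   # whole name segments
PAN_PATTERN = re.compile(r"\[0-9\]\{1[3-9](,1[3-9])?\}")       # e.g. [0-9]{13,16}
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "reset"}


class CardFieldAuditor(HTMLParser):
    """Collect <input> tags that look like card fields but lack autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):       # also reached for <input ... />
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "input" or a.get("type", "text").lower() in SKIP_TYPES:
            return
        label = (a.get("name", "") + " " + a.get("id", "")).lower()
        collapsed = re.sub(r"[^a-z0-9]", "", label)          # "j_id0:CreditCard" -> "jid0creditcard"
        tokens = set(re.split(r"[^a-z0-9]+", label))          # {"j", "id0", "creditcard"}
        looks_like_card = (any(s in collapsed for s in CARD_SUBSTRINGS)
                           or bool(tokens & CARD_TOKENS)
                           or bool(PAN_PATTERN.fullmatch(a.get("pattern", ""))))
        if looks_like_card and a.get("autocomplete", "").lower() != "off":
            self.findings.append({"field": a.get("name") or a.get("id") or "<unnamed>",
                                  "autocomplete": a.get("autocomplete") or None})


def audit_card_inputs(html):
    """Return the card-like inputs in html that do not set autocomplete="off"."""
    parser = CardFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample form modelled on the letter's example markup.
SAMPLE_FORM = """<form method="post" action="/pay">
  <input name="j_id0:j_id539:CreditCardNumber" pattern="[0-9]{13,16}" type="text" />
  <input name="cvv" type="text" autocomplete="on">
  <input name="cc" autocomplete="off" type="text">
  <input name="email" type="text">
  <input type="hidden" name="CardNumberToken" value="tok">
</form>"""
```

audit_card_inputs(SAMPLE_FORM) reports the CreditCardNumber field (no attribute at all) and the cvv field (autocomplete="on"), while the cc field, the e-mail field and the hidden token pass.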

I have a screen shot showing that this is not turned off on your site, however, your form has no option to upload a file.

Thank you!

David Pitts
If I remember correctly, PCI-DSS requires this in sections 3.2.3 and 3.4 (page 17 of SAQD for Merchants, v3.0).
