[153657] in North American Network Operators' Group


Re: CVV numbers

daemon@ATHENA.MIT.EDU (Matthew Palmer)
Sat Jun 9 18:49:24 2012

Date: Sun, 10 Jun 2012 08:48:40 +1000
From: Matthew Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CACnPsNXicPstDCkcVxvBqJaB-_+fhcqusv-8KzpM95WZRuszyQ@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, Jun 09, 2012 at 02:34:03PM -0700, Scott Howard wrote:
> On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard <web@typo.org> wrote:
> > The main weakness of CVV2 these days is "form history" in browsers.
> > (auto complete).
> 
> Any website requesting a CVV2 in a form field without the form
> history/autocomplete being disabled is in breach of PCI compliance, and
> risks losing their ability to accept credit cards.

And convenience trumps pseudo-security yet again; Chrom(ium) asks me if I want
to save my CC details when I put them in (to which I tell it not just "no",
but "are you *nuts*?"); presumably this is on forms which include
autocomplete=off, since it happens often enough.  So I would assume that
this PCI compliance tickbox is being ignored by browsers.  Whee!

- Matt

-- 
Ruby's the only language I've ever used that feels like it was designed by a
programmer, and not by a hardware engineer (Java, C, C++), an academic
theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python).
		-- William Morgan


