Mar
16
Please don’t display my CVC2 number on your order confirmation page
Posted (db) in PCI, security on March-16-2009

I ordered a set of tickets for an event this summer from a website and was surprised to see my clear text CVC2 (CVC2 is for Mastercard, CVV2 is for VISA).

3-16-2009 8-25-45 AM

Not a real good design, in my opinion, to display the entered card security code :(

No related posts.
   Read More   

Comments:
Anton Chuvakin on March 16th, 2009 at 10:22 am #

>tickets for the event

So, why not disclose the merchant name? Public shaming never hurts…

db on March 16th, 2009 at 10:39 am #

Anton: Thanks for the comment, The Tickets were for LEGOLAND Discovery Center Chicago – here is a link to the checkout that I used: http://tinyurl.com/cwmujn – which is powered by Advanced Reservation Systems.

Sandeep on March 19th, 2009 at 10:55 am #

I’d be more scared if they were storing the CVC2/CVV2 fields as plain-text in their database!

Post a comment
Name: 
Email: 
URL: 
Comments: