PCI Compliance and autocomplete="off"

Has anyone had to make a site PCI compliant to keep the bank happy?

They want autocomplete="off" on all form fields, which is ludicrous. I've tried arguing the toss about user choice and valid XHTML but management have basically said do exactly what they're asking... no buts.
 
You could use JavaScript to set the attributes, which would make it validate, but you don't actually gain anything; you just trick the validator into thinking it's valid markup when in fact you're setting an attribute that doesn't exist. The vast majority of sites don't validate anyway; as long as it works in most browsers the lack of validation shouldn't be an issue. The whole point of validation is to standardise webpage appearance across browsers, but it often fails at that due to the differences between our current browsers.
 
Has anyone had to make a site PCI compliant to keep the bank happy?

They want autocomplete="off" on all form fields, which is ludicrous. I've tried arguing the toss about user choice and valid XHTML but management have basically said do exactly what they're asking... no buts.

Is this the bank asking you to change it, or a firm doing a PCI scan? If it's a firm, ask your merchant bank to clarify if you really need to do this. If it's your merchant bank, well, that's pretty much argument over; but if you can prove it affects rendering of the page, you might be able to talk them round (crappy-looking page == lost sales == less money for bank).

We're getting a PCI scan at work done soon, I have a feeling it won't be fun.

akakjs
 
akakjs said:
Is this the bank asking you to change it, or a firm doing a PCI scan?
It's a firm working for the bank.

I don't see the issue. Just turn it off.

It doesn't break rendering, and I'm not massively bothered by it breaking page validation; my main problem with it is that it's completely unnecessary, and it takes away a choice that should be the user's. If I decide my computer is secure enough to remember login details, then a site should not prevent me from doing so. If someone is a big enough turnip to save their login information on a public computer after numerous browser warnings not to do so, then that's their problem.

Barclays don't turn off autocomplete on their online banking login, so for a site that does not store any information other than an address/email it seems complete overkill.
 
It removes another possibility for someone's details to be stolen. Even if the user has a keylogger active on their machine which successfully steals their details, guess who will still get stick from the user?
 
DJ_Jester said:
It removes another possibility for someone's details to be stolen. Even if the user has a keylogger active on their machine which successfully steals their details, guess who will still get stick from the user?

Gotta agree here (which isn't often with DJ_Jester :p), just turn it off.

We had one a few weeks ago and just did a mass Find and Replace of all form fields which had autocomplete='on' to autocomplete='off' and the whole process took about 2mins!

Just can't be too careful, especially on work or public machines; it's just another way of avoiding identity theft and/or unauthorised people logging in.
 
DJ_Jester said:
It removes another possibility for someone's details to be stolen. Even if the user has a keylogger active on their machine which successfully steals their details, guess who will still get stick from the user?

I have already added the change; it just irks me how we have to mollycoddle everyone because of a few, shall we say, "less than average" users.

Reminds me of our current government actually, but that's for another forum :)
 
I'm with you LazyManc; having it on the sensitive fields makes sense. But every field? It just stinks of a shotgun solution to a specific problem. I had a quick skim of the PCI DSS document and couldn't see any references to auto-completing at all, and very little on client-side security. So I'm wondering if this "requirement" is a result of an internal policy decision inside the firm doing the scan.

akakjs
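A check of the kind the scanning firm would run, written here as an added example rather than anything posted in the thread: it parses a form and lists the fields that still allow autocomplete, with an option to report only card or password style fields as akakjs suggests. The sample form and the list of sensitive name fragments are constructed assumptions. Note that a field with no autocomplete attribute defaults to "on", so a find-and-replace of autocomplete='on' alone would miss it.

```python
from html.parser import HTMLParser

# Name fragments treated as sensitive (assumed list, constructed for this example).
SENSITIVE = ("password", "card", "cvv", "cvc", "pan", "expiry")
# Input types that never hold user-typed data, so autocomplete does not apply.
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio"}


class AutocompleteAuditor(HTMLParser):
    """Collect <input> and <textarea> fields that still allow autocomplete."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, input type)

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = dict(attrs)  # html.parser lower-cases attribute names for us
        field_type = (a.get("type") or "text").lower()
        if field_type in SKIP_TYPES:
            return
        # A missing attribute means the browser default, which is "on".
        if (a.get("autocomplete") or "on").lower() != "off":
            self.findings.append((a.get("name") or a.get("id") or "?", field_type))


def audit(html, sensitive_only=False):
    """Return the names of fields lacking autocomplete="off".

    sensitive_only=True narrows the report to fields whose name contains one
    of the SENSITIVE fragments, i.e. the "sensitive fields only" policy.
    """
    parser = AutocompleteAuditor()
    parser.feed(html)
    names = [name for name, _ in parser.findings]
    if sensitive_only:
        names = [n for n in names if any(k in n.lower() for k in SENSITIVE)]
    return names


# Constructed sample checkout form: one field had its attribute set, the rest did not.
SAMPLE_FORM = """
<form method="post" action="/checkout">
  <input type="text" name="email" autocomplete="off">
  <input type="text" name="address1">
  <input type="hidden" name="csrf_token" value="placeholder">
  <input type="text" name="card_number">
  <input type="password" name="cvv" autocomplete="off">
  <textarea name="notes"></textarea>
  <input type="submit" value="Pay">
</form>
"""
```

Running `audit(SAMPLE_FORM)` reports address1, card_number and notes, while `audit(SAMPLE_FORM, sensitive_only=True)` reports only card_number.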
 
PCI is a pain. The banks themselves are the least secure and make us use inaccessible pages for the PIN/password authentication. I truly wish the big retailers had got together earlier and just told the banks to sort themselves out first.
 
akakjs said:
I'm with you LazyManc; having it on the sensitive fields makes sense. But every field? It just stinks of a shotgun solution to a specific problem. I had a quick skim of the PCI DSS document and couldn't see any references to auto-completing at all, and very little on client-side security. So I'm wondering if this "requirement" is a result of an internal policy decision inside the firm doing the scan.

There's a lot to consider. Firstly, any and all user information is sensitive, particularly for something as important as banking. :) Secondly, the only fields a user will be asked to fill out every time are the fields used for login. Email and others will be stored at the server end, surely? So it's even less of an issue than what is being made of it.

Oh, and I do agree it's irksome, but it is insignificant as far as concerns with a financial handling website go.
 
There's a lot to consider. Firstly, any and all user information is sensitive, particularly for something as important as banking. :) Secondly, the only fields a user will be asked to fill out every time are the fields used for login. Email and others will be stored at the server end, surely? So it's even less of an issue than what is being made of it.

Oh, and I do agree it's irksome, but it is insignificant as far as concerns with a financial handling website go.

Just to clear this up, the website in question is a concert ticket retailer, and only holds address information.
 
I'm with DJ_Jester and the banks on this one; it makes the information more secure, so no problem with doing it. If you're too lazy to type in the information every time you could always use the FormFiller extension for Firefox, which saves the information for you and will load it with just one click.

The "stupid" user can't help themselves, but the above average can.
 
If you don't hold credit card data, why are you even talking to the banks?

It's an e-commerce website but we don't store the card info, you have to re-enter it each time you make a purchase.

Barclays don't have autocomplete turned off for their online banking login, HMV & Amazon don't bother either. It just seems like the PCI firm doing our scan are being over-zealous.
 