rocknbil - 4:37 pm on Aug 22, 2009 (gmt 0)
Take a scenario. You've bought the best 256-bit encryption cert you can buy, high user trust, whatever. Let's say it's perfect. Your server has failed a PCI compliance scan due to some security flaw, whatever it is, doesn't matter - let's say it's an old PHP version with a flaw. Some hacker has made use of that flaw and can access your data in some way, or maybe has even rooted your box without your knowing it. User submits data. Hacker logs all data submitted. So even though your cert encrypts the data, the server decrypts it on receipt. When it's received, hacker is sniffing/storing it, after decryption. This is the difference; although it's a simplistic scenario, it demonstrates you are responsible for the environment you create.
I don't see the difference in which page POSTs it.