credit card security question

Forum Moderators: buckworks

Message Too Old, No Replies

credit card security question

Should a site display last 4 digits and expiration date on non-SSL page?

zollerwagner

5:52 pm on May 10, 2005 (gmt 0)

I learned recently that a charity's web site is displaying the last four digits of my credit card and its expiration date on a non-SSL page. (Yes, I did give them my credit card number earlier!)

The page is hosted by a third party (Get Active or ga0). There is one GET (not POST) variable attached to the URL with about 50 characters, so it would probably be hard to guess someone's variable.

If I want to change my credit card info, the site takes me to a SSL page.

My question: Is this insecure? Or am I being paranoid?

harleyx

1:47 am on May 11, 2005 (gmt 0)

I about 95% sure the last 4 numbers of a card are used to identify which credit card company it is (IE: they're the same on every discover card, or every mastercard).

upside

6:02 am on May 11, 2005 (gmt 0)

The first 6 digits of a credit card identify the issuing bank.

Displaying the last 4 digits of a card number shouldn't be a problem because credit card companies permit the last 4 digits of a card number to be transmitted in email and printed on customer receipts. However, the card expiration date is confidential and by storing or displaying it they are violating the card processing agreements and opening themselves up for fines.

zollerwagner

7:10 am on May 11, 2005 (gmt 0)

Thanks for the replies! That helps. I'll see if I can get the charity or ga0 to do something about this.