A couple of small thoughts on improving the usability and security of payment web forms
Every now and then I come across payment forms on sites where card data is entered, and I wonder why, on so many of them, the drop-down list for the card's expiration date (Expiration Date) contains stale values, and the security-code field (CVV2 / CVC2) is not a protected (password) field. Of course, not everyone will see these as problems, but I would still like to hear from those who consider this normal.
The problem with the expiration-date list is that on many sites this field contains outdated values: 2011, 2012 and now 2013. Obviously, a payment with an expired card will fail anyway, but the extra entries probably increase the chance of a user error when filling out the form, though of course not proportionally. In any case, it looks strange.
That said, stale year values are still less common than the problem with the CVV2 / CVC2 field.
In the vast majority of payment forms I have personally encountered, this field is a plain (text) field rather than a protected (password) one. That is, the data typed from the keyboard is not hidden on screen. Of course, many banks are now introducing two-factor authorization through 3-D Secure, but there are still many more places where a payment can be made simply by entering all the data, with no additional confirmation of the user's identity.
The first problem is not very critical on the whole and comes down to nobody wanting to edit the form every year or to add a check against the current date. The near-total lack of protection of CVV2 / CVC2 from simple shoulder-surfing, though, is something I personally still don't understand.
Surely there are specialists here, including some who have taken part in developing payment web-form interfaces. It would be interesting to know whether this is considered a problem among them, and why. After all, there must be some rational explanation.
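Both of the points above are cheap to fix on the form side. As an added example (not code from the original post), the snippet below builds the expiration-year list from the current date instead of a hard-coded list, treats a card as valid through the end of its expiry month, and renders the CVV2 / CVC2 field as a masked `type="password"` input. The function names, the ten-year span and the field names are assumptions; `autocomplete="cc-csc"` and `autocomplete="cc-exp-year"` are the standard HTML autofill tokens.

```javascript
// Added example, not from the original post. Function names, the 10-year
// span and the input names are assumptions for illustration.

// Expiry years offered in the drop-down: the current year plus `span` more.
// Taking `now` as a parameter keeps the list correct without yearly edits
// and makes the function testable with a fixed date.
function expiryYears(now = new Date(), span = 10) {
  const start = now.getFullYear();
  return Array.from({ length: span + 1 }, (_, i) => start + i);
}

// A card is valid through the last day of its expiry month, so the current
// month/year must still be accepted; any earlier month is rejected.
function isExpiryInFuture(month, year, now = new Date()) {
  if (!Number.isInteger(month) || month < 1 || month > 12) return false;
  if (!Number.isInteger(year)) return false;
  const current = now.getFullYear() * 12 + (now.getMonth() + 1);
  return year * 12 + month >= current;
}

// Template side: the <select> is built from the live list, so stale years
// such as 2011 can never appear in the markup.
function expiryYearSelectHtml(now = new Date()) {
  const options = expiryYears(now)
    .map((y) => `<option value="${y}">${y}</option>`)
    .join('');
  return `<select name="cc-exp-year" autocomplete="cc-exp-year">${options}</select>`;
}

// The CVV2/CVC2 field: type="password" masks what is typed so an onlooker
// cannot read it; inputmode and pattern give a numeric keyboard and the
// three-or-four-digit constraint; autocomplete="cc-csc" is the standard
// token so browsers treat the value as a card security code.
function cvvInputHtml() {
  return '<input type="password" name="cvv" inputmode="numeric" ' +
    'pattern="[0-9]{3,4}" maxlength="4" autocomplete="cc-csc" required>';
}

// Client-side sanity check of the submitted values; returns the names of the
// fields that failed, or an empty array when everything is acceptable.
function validateCardForm({ month, year, cvv }, now = new Date()) {
  const errors = [];
  if (!isExpiryInFuture(Number(month), Number(year), now)) errors.push('expiry');
  if (!/^[0-9]{3,4}$/.test(String(cvv))) errors.push('cvv');
  return errors;
}

// Stand-alone demonstration with a constructed "today" of 15 June 2013.
const demoNow = new Date(2013, 5, 15);
console.log(expiryYearSelectHtml(demoNow));
console.log(cvvInputHtml());
console.log(validateCardForm({ month: '6', year: '2013', cvv: '123' }, demoNow));
```

Masking the field only addresses on-screen disclosure; the value must still be sent only over TLS and never written to logs or stored, which is the server's responsibility and outside what the form markup can enforce.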