Your handling of Credit Card Data during Checkout

edited December 2014 in Lounge

I'm currently a trial user of your software and ready to make a purchase. Went through the process and tried to pay with my American Express. Entered it on the site not realizing I have to go through PayPal (??!!) to pay with Amex. The site gave me an error message. I then realized I had to go through PayPal, which didn't work as that Credit Card is attached to an existing PayPal account, which I have not used in ages and which is therefore deactivated (I don't plan on reactivating it). I then dropped it and did not look into this for a few days. Today I was going to try again and was quite negatively surprised that you apparently stored my Credit Card details in PLAINTEXT in my session, so that as soon as I arrived at the checkout page again, my complete number, including expiration date, was visible. I'm pretty sure that is in violation of PCI compliance and could have led to serious problems if I had used - for example - someone else's computer. Please fix this.

Comments

  • Before the Agilebits guys look at this, have you checked that your browser hasn't stored the credit card info for you? Clear your saved info.

    Also, why do you assume that it's stored in plain text? The connection is SSL and the credit card info might be encrypted in the stored session data on the server side.

  • Megan

    Team Member

    Hi @Philipp Reichardt

    First of all, thanks so much for choosing 1Password to keep your digital life secure and organized! I'm so sorry to hear that you've been having trouble getting through the checkout page.

    Could you please describe the exact steps that you went to here? I've tried to replicate this and so far cannot. Here's what I did:

    • Open https://agilebits.com/store
    • Select a product and add to cart
    • Click the 'Checkout Now' button
    • Use 1Password to fill in my credit card details
    • Close the tab
    • Open a new tab and go back to https://agilebits.com/store
    • (My product is still in the cart)
    • Click on the 'Checkout' button
    • Payment page comes up with no details pre-filled.

    Please let me know if I'm missing a step here.

  • Hi Megan,

    I followed your steps with one addition (I submitted the order after 1Password filled in my CC details) and upon opening a new tab to access https://agilebits.com/store and clicking on "Checkout" my credit card information is pre-filled in plain text for everybody who may have access to my browser to see.

    To the previous comment, it doesn't really matter if this information is stored in my browser and is encrypted; the fact that it is completely visible in the text field including the expiration date is an issue. Furthermore, I still cannot use my Amex to pay for the license, which is unfortunate.

    Thanks for your comments.

    Philipp

  • Ben (AWS Team)

    Team Member

    To the previous comment, it doesn't really matter if this information is stored in my browser and is encrypted;

    The difference is if it is stored in your browser we can't fix that. That would be something you'd need to adjust in your browser settings.

    Furthermore, I still cannot use my Amex to pay for the license, which is unfortunate

    Did you select the "American Express or Discover processed by PayPal*" option at checkout?

  • I'm at a loss to understand why anyone accepts Amex. It costs retailers so much to use that it's just not worth it.

  • Thanks for your answers!

    The difference is if it is stored in your browser we can't fix that. That would be something you'd need to adjust in your browser settings.

    It is stored in a session created by Agilebits, which is in fact something you have control over, even though the session is stored in my browser. Again, it is just wrong to design a system that stores Credit Card numbers in a way that would show them in plain text at a future time. If anything you should obscure the digits and only show the last 4.

    Did you select the "American Express or Discover processed by PayPal*" option at checkout?

    No, I only realized later that you do not accept Amex but instead force me to go through PayPal. Unfortunately, my Amex is tied to a PayPal business account, which means I can only use that PayPal account to use the card, which in this case I cannot since it is not a business expense.

    I'm at a loss to understand why anyone accepts Amex. It costs retailers so much to use that it's just not worth it.

    Say you pay 1% more in processing but get 2% more shoppers because (like me) they prefer using Amex when paying online. That's a pretty good ROI in my books. The businesses I know who accepted Amex have seen a 3-5% jump in new business. Same goes for other local payment methods like Direct Debit in Europe, by the way.
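
The thread above describes a checkout that wrote the full card number into session state and rendered it straight back into the form on a later visit, and asks that at most the last four digits be shown. As an added example, not code from AgileBits or from anyone in this thread, the following Python shows that pattern beside a hardened version: the card is validated, only a masked display value and a token from the payment gateway are kept in the session, and a check confirms nothing rendered to the page contains the full PAN. The session store (a plain dict), the gateway token format and the card number are all assumed or constructed for illustration; PCI DSS Requirement 3.3 is the rule that a displayed PAN must be masked.

```python
# Added example, not the AgileBits store's code (which is not shown on the page):
# a "before" checkout session that keeps the full PAN and renders it back into
# the form, beside a hardened version that keeps only a masked display value
# and a gateway token. Session store, token format and card number are assumed.
import re

TEST_PAN = "4111 1111 1111 1111"   # constructed: a well-known Visa test number, not a real card
TEST_EXPIRY = "12/27"              # constructed


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over the digits of a PAN; rejects typos before anything is stored."""
    digits = [int(c) for c in re.sub(r"\D", "", pan)]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for a PAN: only the last four digits survive (PCI DSS 3.3)."""
    digits = re.sub(r"\D", "", pan)
    return "**** **** **** " + digits[-4:]


# ---- Vulnerable pattern: the behaviour the thread describes ----
def vulnerable_save(session: dict, pan: str, expiry: str) -> None:
    session["card_number"] = pan       # full PAN persisted in session state
    session["expiry"] = expiry


def vulnerable_prefill(session: dict) -> dict:
    # Whatever is in the session comes straight back into the form fields.
    return {"card_number": session.get("card_number", ""),
            "expiry": session.get("expiry", "")}


# ---- Hardened pattern: tokenize with the gateway, keep only what the UI needs ----
def hardened_save(session: dict, pan: str, expiry: str, gateway_token: str) -> None:
    """gateway_token is assumed to come from the payment processor after the
    card was submitted to it; the PAN itself is never written to the session."""
    if not luhn_valid(pan):
        raise ValueError("card number failed checksum")
    session["card_display"] = mask_pan(pan)
    session["payment_token"] = gateway_token
    session["expiry"] = expiry          # expiry is not sensitive authentication data
    # Never store the CVV/CVC: it may not be retained after authorization.


def hardened_prefill(session: dict) -> dict:
    # The form shows the masked card; the number field starts empty and the
    # shopper re-enters the card only if they want to change it.
    return {"card_number": "",
            "card_display": session.get("card_display", ""),
            "payment_token": session.get("payment_token", ""),
            "expiry": session.get("expiry", "")}


def leaks_pan(prefill: dict, pan: str) -> bool:
    """Does anything rendered into the page contain the full PAN digit string?"""
    needle = re.sub(r"\D", "", pan)
    return any(needle in re.sub(r"\D", "", str(v)) for v in prefill.values())


def demo() -> dict:
    """Run both flows on the constructed card and report whether each leaks."""
    bad, good = {}, {}
    vulnerable_save(bad, TEST_PAN, TEST_EXPIRY)
    hardened_save(good, TEST_PAN, TEST_EXPIRY, gateway_token="tok_example_123")  # assumed token
    return {"vulnerable_leaks": leaks_pan(vulnerable_prefill(bad), TEST_PAN),
            "hardened_leaks": leaks_pan(hardened_prefill(good), TEST_PAN),
            "hardened_display": hardened_prefill(good)["card_display"]}


if __name__ == "__main__":
    print(demo())
```

The point of `leaks_pan` is that it is the kind of check a test suite can run against every view that renders payment state: if the full digit string of the card ever appears in anything sent to the browser, the test fails regardless of how the session itself is encrypted at rest, which is exactly the distinction the thread is about.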

  • Say you pay 1% more in processing but get 2% more shoppers because (like me) they prefer using Amex when paying online. That's a pretty good ROI in my books. The businesses I know who accepted Amex have seen a 3-5% jump in new business. Same goes for other local payment methods like Direct Debit in Europe, by the way.

    I don't understand why people prefer paying with Amex enough to have one either, since no one takes it. My girlfriend had one and gave up with it since no one took it, or if they did wanted to impose a surcharge.

  • Well, everybody is certainly entitled to their opinions and preferences yet ultimately - as a business - you are best off not to educate/fight your customer but embrace their wishes and make it as easy as possible for them to spend money with you. But again, that is just my opinion - I didn't start this thread to have a philosophical discussion around what payment methods are best. My personal reasons for liking Amex are (to name but a few) a free rental car insurance program, 2-3 free domestic flights per year thanks to a generous rewards system, extremely good customer service, no-questions-asked fraud protection, travel assistance which has helped me tremendously once when my wife fell sick during a trip, free upgrades when checking into many hotels, and many more....

  • Ben (AWS Team)

    Team Member

    It is stored in a session created by Agilebits, which is in fact something you have control over, even though the session is stored in my browser. Again, it is just wrong to design a system that stores Credit Card numbers in a way that would show them in plain text at a future time. If anything you should obscure the digits and only show the last 4.

    I've asked our developers to look into this. Thanks!

    No, I only realized later that you do not accept Amex but instead force me to go through PayPal. Unfortunately, my Amex is tied to a PayPal business account, which means I can only use that PayPal account to use the card, which in this case I cannot since it is not a business expense.

    Ah. Our primary payment processor does not accept AMEX, but PayPal does (as well as a few other forms of payment). I was not aware of the limitation re: credit cards tied to a PayPal account. Thanks for letting us know.

  • Ben (AWS Team)

    Team Member

    Hi folks,

    I'm happy to report that we've switched payment gateways and now can accept American Express directly. There are also a number of other security improvements that come with this switch.

    Thanks!

This discussion has been closed.