On the newest version, 5.904, the full credit card information is displayed when you bring up an existing customer in Manual Orders. The system parameter for the CC hide only works for View Orders and NOT Manual Orders. Does anyone else have a problem with this serious lack of security?
That is intentional and necessary for that form at this point. Also, when you think about it, your salespeople are typing the full credit card number in there anyway when they're on the phone with your customers. Nothing is preventing them or anyone who walks by them from acquiring those card numbers.
The card number should never be shown unless absolutely necessary. Displaying it in this case is a violation of PCI-DSS requirement 3.3, which states:
quote: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). Notes: This requirement does not apply to employees and other parties with a legitimate business need to see the full PAN.
When bringing up an existing customer the employee has no business reason to see the full PAN. The card type and last 4 is sufficient to confirm with the customer that the correct card will be charged. Stone Edge should consider this a serious security flaw and issue an immediate fix.
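The display rule quoted above (at most the first six and last four digits, with card type and last four as the default), sketched as an added example that is not part of the original posts and is not Stone Edge code. The function names and the `show_bin` / `full_pan_need` flags are hypothetical, and the card numbers in the comments are widely published test values, not real accounts.

```python
import re

def card_brand(pan: str) -> str:
    """Card type from the leading digits (major networks only, not exhaustive)."""
    p2, p4 = int(pan[:2]), int(pan[:4])
    if pan[0] == "4":
        return "Visa"
    if 51 <= p2 <= 55 or 2221 <= p4 <= 2720:
        return "Mastercard"
    if p2 in (34, 37):
        return "American Express"
    if p4 == 6011 or p2 == 65:
        return "Discover"
    return "Card"

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def display_pan(raw: str, show_bin: bool = False, full_pan_need: bool = False) -> str:
    """Render a stored PAN for an order-entry screen.

    Default: card type + last four. show_bin adds the first six (the maximum
    the requirement allows). full_pan_need is the explicit exception for a
    user with a legitimate business need; it is never the default.
    """
    pan = re.sub(r"[ -]", "", raw)          # tolerate "4111 1111-..." formatting
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        return "Card on file (unreadable)"  # never echo malformed input back
    if full_pan_need:
        return pan
    head = pan[:6] if show_bin else ""
    masked = head + "*" * (len(pan) - len(head) - 4) + pan[-4:]
    return f"{card_brand(pan)} {masked}"

if __name__ == "__main__":
    print(display_pan("4111 1111 1111 1111"))             # test Visa number
    print(display_pan("378282246310005", show_bin=True))  # test Amex number
```

Masking happens at render time only; the stored value and the charge path are untouched, so an existing customer's card can still be billed without the operator ever seeing the full number.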
I agree with Mr Day, this issue needs to be addressed immediately. As it stands now we are in violation of our Data Security Standards because of this change in the current version.