Bug 1427516 - Form autofill doesn't fill in CVV
Status: Closed (opened 7 years ago, closed 5 years ago)
Categories: Toolkit :: Form Autofill (enhancement)
Resolution: RESOLVED WONTFIX
People: Reporter: ekr; Unassigned
Details:
See the following:
https://cdt.org/donate/
The credit card fills in properly but the CVV does not.
Comment 1 • 7 years ago
Thanks Eric! It's expected since we don't attempt to store any information about the security code (CVV). Marking this as invalid.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Comment 2 • 7 years ago (Reporter)
Ray, this may be as designed, but in this case, I believe the design is wrong, as it forces the user to do extra work. Can you please point me to the design rationale for this choice? Re-opening so we can discuss this.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment 3 • 7 years ago
As far as I know, we are not allowed to store CVV from users due to some security standards. Aside from that, I think not storing CVV could potentially help users feel more secure about storing their sensitive information in Firefox.
Comment 4 • 7 years ago (Reporter)
(In reply to Mark Liang(:mark_liang) from comment #3)
> As far as I know, we are not allowed to store CVV from users due to some
> security standards.
This seems pretty vague. Which security standards are those?
> Aside from that I think not storing CVV could
> potentially help users feel more secure about storing their sensitive
> information to Firefox.
Maybe. But it might also be perceived as inconvenient.
Comment 5 • 7 years ago (Reporter)
To follow up: is there some document (PRD, etc.) which documents this decision and its reason? If so, can you direct me to it?
Comment 6 • 7 years ago
(In reply to Eric Rescorla (:ekr) from comment #4)
> (In reply to Mark Liang(:mark_liang) from comment #3)
> > As far as I know, we are not allowed to store CVV from users due to some
> > security standards.
>
> This seems pretty vague. Which security standards are those?
My bad, I don't think there are any restrictions on storing CVV. I talked to Juwei about the decision on not storing CVV, it's partly because there's no other credit card autofill that stores CVV, and partly because we don't want to make users feel insecure about us having their complete information.
Here's a document Juwei created to compare form autofill in different browsers: https://docs.google.com/document/d/1UIFc285wWWIc5hhbGHufL2i5guU8Xii6ooaT7E911BQ/edit#heading=h.ggw4m8n34auw
As for whether we should allow storing CVV from users, it's open for discussion. We can always do user research with different tasks to learn how users perceive Firefox storing CVV.
Comment 7 • 7 years ago
(In reply to Eric Rescorla (:ekr) from comment #4)
> (In reply to Mark Liang(:mark_liang) from comment #3)
> > As far as I know, we are not allowed to store CVV from users due to some
> > security standards.
>
> This seems pretty vague. Which security standards are those?
PCI DSS. My understanding is that we probably don't need to follow the PCI DSS rules/guidelines at this time but it seems like our competitors are and it's safer to follow them from a risk perspective (IANAL). See the table at https://umanitoba.ca/admin/financial_services/media/PCI__DSS__FAQ(4).pdf#page=7 (page 7) which suggests that storage of the CVV is not allowed.
I believe there was another concern related to the issue Apple had some years ago with making it too easy for a child to make purchases with their parents' credit card: https://www.cnet.com/news/apple-to-refund-at-least-32-5m-for-kids-in-app-purchases/
"As part of an agreement with the FTC, Apple also must change its billing practices to require consent from consumers before charging them for in-app purchases."
We, and others, see requesting the CVV as a form of consent and verification.
I can't find existing documentation about this decision but my perspective was that we don't save the CVV because of Legal review and it isn't necessary for competitive reasons (we're at parity as-is). Elvin would be the one to talk to for more details about the legal concerns.
Severity: normal → enhancement
Updated • 5 years ago
Whiteboard: [ccautofill]
Comment 8 • 5 years ago
For security reasons we do not fill the CVV.
Status: REOPENED → RESOLVED
Closed: 7 years ago → 5 years ago
Resolution: --- → WONTFIX