I'm developing some PCI pages and I keep finding that the Chrome browser pops up:

Do you want to store credit card information

This is not PCI compliant and I want to disable this so that no browser can pop up messages for storing credit card information.

Sam Hanley
Joe Saad
  • `this is not PCI compliant` Wrong. Don't do that. – SLaks May 11 '15 at 16:16
  • @SLaks I don't get it... so you think I should do something to prevent that prompting or not? – Joe Saad May 11 '15 at 16:17
  • Do not try to prevent the user from using useful features. – SLaks May 11 '15 at 16:19
  • @SLaks ok then, I'll leave the browsers to prompt the useful features. Thanks! – Joe Saad May 11 '15 at 16:44
  • If you have EMPLOYEES filling in CUSTOMERS' credit card numbers, then no, auto-save credit cards in the browser is not PCI compliant and there doesn't seem to be an easy way of stopping it in the form, or disabling it for an entire organisation in Chrome Policies. Bloody frustrating. – Dom Aug 13 '21 at 02:15

1 Answer

PCI compliance applies to what your site should do, not what the user can do within their own browser. Your site certainly shouldn't store a user's credit card information. However, you aren't any more responsible for your user allowing their browser to store their information than you would be if they, say, wrote the info on a post-it note and stuck it to their monitor. Browser features are browser features, not something you should (or often even can) try to manage.

The only exception, as noted in the comments below, would be if you were developing an internal-facing webapp, where your organization's internal users were being prompted to save the credit card info of external customers. In that case, your organization may want to suppress this to prevent a potential PCI violation. But even in that case, it would need to be suppressed by globally disabling autofill via Chrome enterprise policy, as it's a browser feature that your individual web site doesn't have any control over.

Sam Hanley
  • That said, relevant reading if you're curious about the mechanics of this would be http://stackoverflow.com/questions/15168261/how-does-chrome-detect-credit-card-fields. – Sam Hanley May 11 '15 at 19:58
  • PCI Compliance doesn't apply to just a single system or just the computers, it applies to all the internal processes of an organisation. If your call centre staff habitually wrote the PAN and CVV down on post-it notes for some reason during phone transactions, that would be a major breach. And if your organisation uses a web based system for processing telephone orders, and that system stores customer card numbers in an insecure way which can't be turned off, then that is an equally major problem. – Ben Curthoys Oct 31 '16 at 13:28
  • @BenCurthoys -- the point here, though, is that the payment info is being stored *in the user's browser*, independently from anything having to do with the web based system in question. You're correct about PCI compliance applying to "all the internal processes of an organisation" -- but a user saving their credit card information in their installation of Google Chrome on their personal computer isn't an internal process of OP's organisation by any stretch. – Sam Hanley Nov 01 '16 at 13:45
  • *IF* your organisation uses a web based system to process telephone orders, then the computer and browser we're talking about belong to the merchant, not the card holder, and are in scope. I noticed this the other day - my customers are being asked by their browser to save cardholder data with every transaction, and in Chrome this feature CANNOT be turned off without disabling autocomplete entirely. I found an issue log that had been open since 2010 https://bugs.chromium.org/p/chromium/issues/detail?id=55719# As far as I can tell, the only option is to not use Chrome. – Ben Curthoys Nov 03 '16 at 23:33
  • I only commented because I was looking for a fix, and every time I found someone talking about the same problem I kept finding other people saying "You shouldn't want to do that" without bothering to understand the use-cases in which it's a real problem =) The browser user is not always the card holder. – Ben Curthoys Nov 03 '16 at 23:36
  • No. PCI compliance determines what your ORGANISATION should do with credit cards; this extends beyond your website and into your ERP, and users' browsers, etc. If you are accepting MOTO or other forms of credit card information, you need to make sure your internal forms are PCI compliant, and that your users' browsers aren't saving your customers' credit cards. – Dom Aug 13 '21 at 02:17
  • @Dom - can't believe this has been revived five years later, but I firmly stand by everything that's been said here. Sure, if your web site is coded in a way that credit card fields aren't coded appropriately and credit card numbers are being insecurely autofilled because of the way your form is defined, then sure, that's something you're responsible for preventing. But the error that the OP is describing is exactly the opposite - it's a secure, intentional feature of Google Chrome that lets customers save payment information, which you as a web dev have no control over. – Sam Hanley Aug 13 '21 at 13:27
  • You're correct in identifying that in a very specific case - where this is an app that's being used by internal users to input customer credit card information - then utilizing this feature would be a potential violation. But the OP didn't indicate that that's the situation they're in, and even in that case, it's a feature that would likely need to be disabled via Chrome enterprise policy, not through anything having to do with the way that OP's pages are coded. – Sam Hanley Aug 13 '21 at 13:29
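For the internal-facing case the answer and comments describe (employees entering customers' card numbers on merchant-owned machines), the suppression happens through Chrome enterprise policy rather than in the form. The following is an added example, not part of the original answer, showing how to deploy and verify that policy on Linux. It assumes Google Chrome reads managed policy JSON from /etc/opt/chrome/policies/managed/ and that the policy key is AutofillCreditCardEnabled; the file name and the POLICY_DIR override are this example's own choices.

```shell
#!/bin/sh
# Added example (not the original answer's code): deploy and verify the Chrome
# enterprise policy that turns off payment-method (credit card) autofill.
# Assumes Google Chrome on Linux, which reads managed policies from
# /etc/opt/chrome/policies/managed/ (Chromium: /etc/chromium/policies/managed/).
# On Windows the equivalent is the DWORD value AutofillCreditCardEnabled = 0
# under HKLM\Software\Policies\Google\Chrome; on macOS the same key is set
# through a managed configuration profile for com.google.Chrome.

# POLICY_DIR can be overridden (e.g. for a dry run in a scratch directory).
POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"
POLICY_FILE="$POLICY_DIR/disable-card-autofill.json"   # file name is our choice

# Write the managed policy. "managed" (as opposed to "recommended") policies
# cannot be switched back on by the user from chrome://settings.
write_card_autofill_policy() {
    mkdir -p "$POLICY_DIR"
    cat > "$POLICY_FILE" <<'EOF'
{
  "AutofillCreditCardEnabled": false
}
EOF
    # Policy files must be readable by the browser process but not writable
    # by the interactive user, otherwise the control can be undone locally.
    chmod 644 "$POLICY_FILE"
}

# Compliance check: succeed (exit 0) only if some managed policy file in
# POLICY_DIR sets AutofillCreditCardEnabled to false. Suitable for a
# configuration-management or endpoint-audit run.
card_autofill_disabled() {
    grep -Eqs '"AutofillCreditCardEnabled"[[:space:]]*:[[:space:]]*false' \
        "$POLICY_DIR"/*.json
}
```

After deployment, chrome://policy on the endpoint should list AutofillCreditCardEnabled as false with a "Platform" source, which is the confirmation a PCI assessor would look for.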