Solved

https needed on form action file?

Posted on 2010-09-14
3
454 Views
Last Modified: 2012-05-10
we use ssl on a page where people submit credit card information but i just noticed that when they hit submit it goes to a http page, not a https page. (i.e. http://mywebsite.com/processpayement.php
  I don't know if this is a security risk for the credit card data or not.  I am fixing it now, but there are literally dozens of files I need to change and I'm trying to figure out if I'm wasting my time plugging a non-existent hole
0
Comment
Question by:mignonnedavis
  • 2
3 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 33678745
According to PCI-DSS standards CC numbers and other related information MUST be encrypted when being transmitted over public networks.

What do you mean by files?

It does not matter how the data is transmitted, you CAN'T store CC information in clear text, it MUST be store encrypted.
0
 

Author Comment

by:mignonnedavis
ID: 33680798
sorry, my question is unclear.  In the html form called by https://mywebsite.com/enterpayment.html there is a line:
<form method="POST" action="http://mywebsite.com/processpayment.php" ....>

I'm simply asking if this is insecure.  Should the action always be an https to be secured as well or is it enough that the page where they enter their credit card information is already secured?
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 33680927
With http instead of https any data that is being posted when you click on that link is being transmitted in clear text.

Yes the action should be "https://mywebsite.com/processpayment.php".
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you need a certificate so you can offer SSL encryption.  But which one should you get?  There are so many choices out there! Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Auth…
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question