A web shop allows customers to order as guest or to create an account.
I ordered as a guest, entered my email address and the shipping address, and paid by credit card (I had to enter the security code).
Some weeks later, I ordered something else, again as a guest. To my surprise, after entering my email address and shipping address, I could select the credit card that I used in the previous order.
It showed the credit card issuer, the credit card customer’s name, 4 digits of the credit card number, and the expiration date.
I selected it, and it worked. I didn’t have to enter or confirm anything (not even the security code; but this doesn’t seem to be required anyway).
I tested whether it is related to a cookie (no, it also works from a different PC) and whether the data has to be entered exactly the same (no, it only checks for the email address).
I guess this is bad, right?
I intend to contact the shop owner, but I want to be prepared in case they don’t agree that this is a problem. Should I also contact the credit card company, or is such a process allowed according to their rules (saving and allowing the use of a credit card without authentication; showing some parts of the credit card data without authentication)?