website taking cc details on unsecure page

I found a site that takes cc payments using an unsecure page, looks like just a standard html form with no security certificate, while it states in big letters that it's a secure page
(not using it myself, as I bumped into it by chance while looking for something else).

what is the quickest way of getting them out of action? excluding the ICO because when I contacted them a while back they said I needed to contact the other party myself first and wait for a month before they did anything.

Comments

  • earthstorm
    earthstorm Posts: 2,134 Forumite
    I found a site that takes cc payments using an unsecure page, looks like just a standard html form with no security certificate, while it states in big letters that it's a secure page
    (not using it myself, as I bumped into it by chance while looking for something else).

    what is the quickest way of getting them out of action? excluding the ICO because when I contacted them a while back they said I needed to contact the other party myself first and wait for a month before they did anything.

    ICO won't do anything as technically there is no law saying the payments need to be placed on a secure page.

    i.e. they may have a std HTML page where you add your details etc, and a pay here button that directs to somewhere like Paypal.
    It is paypal that needs to be secure and PCI compliant as they are the ones actually taking the money.

    although the cost of a dedicated IP ( £2 a month) and SSL certificate from £5 a year is nothing to secure a site.

    The ICO will only do something if the business is not registered under the Data Protection Act and then all they will do at first is contact the business owner with a copy of their booklet and application form for them to join with their £35 fee
  • Nilrem
    Nilrem Posts: 2,565 Forumite
    It is worth noting that you can have a secure frame within a webpage - one of the most common payment interfaces for a lot of smaller stores uses (or used to use*) a java app within a frame.
    It was secure, but didn't show as https or a padlock in most browsers as it was only the payment area of the page (a little like the VBV/Securecode window), that was actually secured as that was the area where the information was entered.



    *Not sure if it still does, I can't remember seeing it for a while.
  • earthstorm
    earthstorm Posts: 2,134 Forumite
    Nilrem wrote: »
    It is worth noting that you can have a secure frame within a webpage - one of the most common payment interfaces for a lot of smaller stores uses (or used to use*) a java app within a frame.
    It was secure, but didn't show as https or a padlock in most browsers as it was only the payment area of the page (a little like the VBV/Securecode window), that was actually secured as that was the area where the information was entered.



    *Not sure if it still does, I can't remember seeing it for a while.
    Not seen one of them for years; they went out when SSL became coppers to get and when you could just add a Paypal/Nochex/Google Checkout payment button on your site, then you are not taking the payments, and some people think this is the only reason for secure pages.
    As a webhost I would be worth millions if I had £1 for every time I have informed clients that SSL secure pages are needed on pages where customers add any of their details and not just on the payment pages.
  • terra_ferma
    terra_ferma Posts: 5,484 Forumite
    They don't take Paypal, just cards. It's just a simple form with a submit button.
    Didn't realise taking cc details on an unsecure page is allowed, but this site states secure online payment, so it's misleading.
  • browneyedbazzi
    browneyedbazzi Posts: 3,405 Forumite
    Is the site for a UK business or is the business based abroad?

    If the site is for a business based in the UK then the misleading claim that it offers secure online payment can be reported to the ASA which will be able to make them remove that claim.
    Common sense?...There's nothing common about sense!
  • arcon5
    arcon5 Posts: 14,099 Forumite
    I'm betting they are breaching their merchant account's T&Cs. Many now charge fees for non-compliancy.
  • corbyboy
    corbyboy Posts: 1,169 Forumite
    How certain are you that the details are being submitted into an unencrypted page? The page that contains all the boxes for you to fill in doesn't need to be secure, just the page that the information is submitted to.

    Let us know the site and we can look at it.
  • earthstorm
    earthstorm Posts: 2,134 Forumite
    corbyboy wrote: »
    The page that contains all the boxes for you to fill in doesn't need to be secure, just the page that the information is submitted to.

    Let us know the site and we can look at it.


    No, that's wrong. ANY page where your personal details are added MUST be secure. You seem to be someone that thinks it's just the actual payment page that needs to be secure.

    The payment page needs to be Secure and PCI Compliant, this is why most ecommerce sites direct payments to a 3rd party site like paypal/worldpay etc. as PCI Compliance is a long, complicated and expensive process. But if you have a page that takes down customers' details (name/address etc.) then this must be secure.

    Yes if we have the site details then we could check this out
  • corbyboy
    corbyboy Posts: 1,169 Forumite
    earthstorm wrote: »
    No, that's wrong. ANY page where your personal details are added MUST be secure. You seem to be someone that thinks it's just the actual payment page that needs to be secure.

    The payment page needs to be Secure and PCI Compliant, this is why most ecommerce sites direct payments to a 3rd party site like paypal/worldpay etc. as PCI Compliance is a long, complicated and expensive process. But if you have a page that takes down customers' details (name/address etc.) then this must be secure.

    Yes if we have the site details then we could check this out

    I am not saying you are wrong, but why is this the case? In what way would that be insecure?
  • CC-Warrior
    CC-Warrior Posts: 323 Forumite
    Let us take a look at this site..
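
The distinction argued over in this thread (the page that displays the form versus the URL the form submits to) can be read straight from a page's HTML. The following is an added example, not code from any poster: it resolves each form's action against the page URL and reports which of the two uses HTTPS. The sample HTML and the example.test hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages and hostnames (not the site from the thread).
PLAIN_FORM = '<form action="pay.php" method="post"><input name="card_number"><input name="cvv"></form>'
HTTPS_TARGET = '<form action="https://pay.example.test/charge"><input name="card_number"></form>'


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._open = {"action": action, "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            self._open["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit(page_url, html):
    """Report, per form, whether the page and the submission use HTTPS."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    for form in collector.forms:
        submit_https = urlsplit(form["action"]).scheme == "https"
        if not submit_https:
            form["verdict"] = "details submitted unencrypted"
        elif not page_https:
            form["verdict"] = "submission encrypted, form page is not"
        else:
            form["verdict"] = "page and submission encrypted"
    return collector.forms


if __name__ == "__main__":
    for url, html in (("http://shop.example.test/checkout.html", PLAIN_FORM),
                      ("http://shop.example.test/checkout.html", HTTPS_TARGET)):
        print(audit(url, html))
```

The middle verdict is the case corbyboy and earthstorm disagree on: the data travels encrypted, but a form page fetched over plain HTTP has no integrity protection, so the visitor cannot rely on the action URL it arrived with. A static check like this does not see frames or script-driven submission, such as the framed payment applet Nilrem describes.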
This discussion has been closed.