Credit Card Disclosure

Summary#

Invicti identified a possible credit card number disclosure.

Impact#

It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.

Remediation#

We strongly advise you not to expose credit card numbers on your website.

Classifications#

WASC-13, OWASP 2013-A6, OWASP 2017-A3, CWE-213, PCI v3.2-6.5.3, CAPEC-118, ISO27001-A.18.1.4