The Register® — Biting the hand that feeds IT

Online payment standards fall on deaf websites

RW

You're doing it wrong 

Jobs Horns

Instead of emailing the company, El Reg or Martti Ylioja should have directly contacted the organization that imposes, and enforces, these rules.

With a little luck, they'd lower the boom toot sweet...maybe...or are all those rules just window dressing?

It's really reached the point where no mercy should be shown to sites that so obviously flout good practice, mercy including advance warning that the jig is up.

"Vengeance is mine, sayeth the Lord"

Snr. Ballmer because vengeance seems to be one of his specialties too.

Anonymous Coward

And others? 

How come PayPal is allowed to store that?

Solomon Grundy

@And others 

Because PlayPal isn't remotely a real currency. It's sort of like Monopoly money or game credits. You agree to give PayPal your real money in exchange for their play money. So they don't fall under the same rules as a real financial institution.

lvm

I wonder... 

whether this website is indeed storing sensitive info, or whether it is just a case of an idiot and a form-caching-capable browser?

Kevin

LoveFilm, HateTheirStupidWebsite 

Unhappy

Signed up for the LoveFilm free 2 week trial. I had to put in my card details but I was assured I would not be charged during the 2 week trial. After those two weeks I decided to cancel my subscription and deleted my account.

I don't know what made me do it, but I tried logging back in with my old credentials, and not only did it log in successfully, my credit card details were still there!! There is actually no way to completely remove your account, just deactivate and reactivate. I emailed them to tell them this and they assured me via email my account was deleted. Nope, logged in again! Credit card details still there! Emailed back and I just get told it's being investigated by the relevant dept!

As it won't let me just remove the card from the account without putting another card in its place, I need to make up a fake card. Is what they are doing against the law??

GottaBeKidding

https 

I don't know about anyone else, but I'd be more concerned that this is not a https connection. These details are going out in plaintext, unless the frame is secure, of course.

Maverick

@ Solomon Grundy 

you missed one . . and because PayPal are a bunch of useless w**kers who flout every known security good practice - you got it right play money! LOL

To be even handed, Google Checkout rapidly descended into the same mess so I will have nothing to do with either thank you

Some credit card company integrated verification systems are good, but the NatWest one is utterly hopeless. From recent experience it simply just does NOT work on the websites of three (yes 3) of the UK's biggest retailers (talking listed companies here).

First time I thought it might be me (after all I only store about 60 passwords in my secure database so I am obviously not used to this stuff), by the 3rd time in a row and losing a delivery slot for my daughter's birthday present . . . well I knew the answer - and it wasn't me!

No point in complaining of course to such an organisation, so this month's NatWest CC statement will be my last few transactions - after >30 years with the same CC company, so well done lads! Still new, loyal customers like me are SO easy to get eh?

Anonymous Coward

Rules 

Firstly a lot of this seems to be English media paranoia. I work with a group who take payments from all over the world and it's pretty much only English and perhaps Americans who worry about these things.

Secondly you have to keep the CVC in case the processing company ask questions or the person denies they made the payment.

Thirdly I checked my agreement with the payment processing company and there's no clause that prevents me keeping the details as long as they are stored in a secure way (the agreement defines this in more detail).

Of course this is different to a web form remembering (via a cookie or is it your browser?) the data. Some browsers remember form data and some don't so I always overwrite the CVC with an empty string just in case!

David Perry

PayPal 

You'd hope they still make sure you keep the info for cards assigned to your account in a secure manner though.

Matthew Johns

@Solomon Grundy 

Boffin

Not quite, the PCI rules are enforced by Mastercard and Visa and apply to their transactions. PayPal isn't included as once it has taken your 'Visa money' all of your transactions are then in 'PayPal money'. All money has to be issued by someone and PayPal's is as valid as Visa's or even Airmiles.

If someone's not playing by Visa and Mastercard rules then they take it very seriously and will refuse to let those people take their cards. Report these guys to the Visa compliance team and you should get a response.

Paul

@And others 

Joke

Cos even PayPal count bidding on eBay as a big gamble

Jon

@https 

Theoretically it would be fine to enter your credit card details into a page received over http if it then posted to an https url. Not that this would be very reassuring for the customer...

Anonymous Coward

@Jon 

Not if they then published the non-HTTPS page with your details 'remembered' in it as described here.

Anonymous Coward

RE: Rules 

No you are only supposed to retain the CVV number until you have taken payment. Just because the English and Americans complain it doesn't mean we are wrong does it.

mike2R

Re: https & caching 

By the look of the vertical scroll bar to the right of the payment info bit, this is being taken in a separate frame, which presumably is using https.

It does look like it is storing the CVV though, rather than autofilling old results. It isn't just a "please enter your details" form but rather says that these are details that have been provided before. That said, it could be that they've stored the rest and have a blank box to fill in the CVV (not uncommon), but his browser has helpfully autofilled it.

TrishaD

@ Rules 

No.

You absolutely do not need to keep a CVC under any circumstances.

And under PCI it's expressly forbidden...
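As an added illustration of the two points raised in this thread (the security code must not be retained once payment is taken, and a "details you gave before" form should never have the code written back into it, as the commenter who overwrites the CVC with an empty string does), here is a small Python sketch. It is not code from the thread or from any site discussed; the record field names and the sample records are constructed for the example.

```python
from html import escape

# Field names under which a card security code commonly appears in a
# payment record. Constructed list for this example, not a standard.
CVC_KEYS = {"cvc", "cvv", "cvv2", "cvc2", "cid", "security_code"}


def storable_after_auth(auth_record: dict) -> dict:
    """Return what may be kept once payment has been taken: the record
    minus any security-code field. Everything else is passed through."""
    return {k: v for k, v in auth_record.items() if k.lower() not in CVC_KEYS}


def find_retained_cvc(records: list) -> list:
    """Audit helper: ids of stored records that still carry a security
    code, i.e. the situation the thread says must never occur."""
    return [r["id"] for r in records if any(k.lower() in CVC_KEYS for k in r)]


def render_card_form(stored: dict) -> str:
    """Render the 'details provided before' form. Name and expiry are
    echoed back; the security code field is always blank and carries an
    autocomplete hint so the browser is asked not to cache it (browsers
    may ignore the hint, so never rely on it alone)."""
    rows = [
        f'<input name="{key}" value="{escape(str(stored.get(key, "")))}">'
        for key in ("name", "expiry")
    ]
    rows.append('<input name="cvc" value="" autocomplete="off">')
    return "\n".join(rows)


# Constructed sample records: c1 was scrubbed after authorisation, c2 was not.
SAMPLE_RECORDS = [
    {"id": "c1", "name": "A Customer", "expiry": "12/29"},
    {"id": "c2", "name": "B Customer", "expiry": "01/30", "cvv2": "123"},
]

if __name__ == "__main__":
    print("records still holding a security code:", find_retained_cvc(SAMPLE_RECORDS))
    print(render_card_form(storable_after_auth(SAMPLE_RECORDS[1])))
```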

Matt

Re: Re: Rules 

It doesn't mean they're wrong about the rules, although as I say our contract with the payment company doesn't prohibit this.

I was just lightly commenting that to read English papers or to watch English TV one has the impression that credit cards and bank accounts are being ripped off every second and that we're all about to die.

Other countries give the impression that you need to be a little careful but it's a fairly rare event.

Chris

stolen CCs 

Boffin

You are actually much more likely to have your credit card information stolen if you give it to a waiter/waitress and let them take it out of your sight, than if you use it for an on-line purchase.

Fred

Discover has a useful service --- 

You can go to their web site - log in of course - and get them to give you a one time use CC number, with CV

You then use THIS value for your online purchase - use it once - forget it.

If it gets compromised - who cares, it only works once.

Obviously not much use for subscriptions though

Pascal Monett

Paypal excuses 

I've seen some interesting explanations about PayPal here - except for the only one that is needed.

There is but one explanation for PayPal and its behaviour: PayPal is not a bank. PayPal has not signed any bank charter anywhere, nor is it subject to any banking rules.

Thus, PayPal can "do what it wants", and that pretty much explains everything that has happened to unwary PayPal "customers".

Of course, PayPal does get it right sometimes - heck I'll even accept most of the time. Unfortunately, it's not when all is fine that you need help. And when you do need help, PayPal is most definitely no longer your "pal".

What continues to gall me about PayPal is the fact that this company that is not a bank continues to (mis)manage people's money without any government stepping in and checking what is going on.