
Ticketmaster breach 'part of massive bank card slurping campaign'

tiggity Silver badge

Re: Why do browsers allows JS from other domains to run

VbV is just dire - it encourages users to accept bad security practices (shedloads of dodgily named third-party .js components) - it looks exactly like a scam site.

Just because you take payments does not mean you need the VbV site.

You could (over HTTPS, obviously) get the customer's card details yourself (transiently) with no need for third-party code and call your payment provider server side (in the way that desktop apps do, and they are happily PCI DSS compliant).

Obviously that way all the onus is on you to keep your site secured, whereas when you "offload" to the third-party VbV page some liability is on them, so you need a good security focus (CSP will become your friend). You could go further and write your site old school with zero JS and security settings not allowing any JS at all (that would get the hipster web devs choking on their 10-word coffees).
