
I have a web-based application form that is used to gather personal information from web-based users. One of the fields is an SSN. My question is simple: in terms of security compliance (in general, OWASP, PCI, SOC2, etc.), is it okay to prefill the SSN when the user is returned to the form because of validation issues?

For instance, say I fill out the entire form but forget to enter Birth Date (another field on the form). The form reloads the page, displays a validation message for the required field Birth Date, and is then populated with the fields the user already entered: First Name, Last Name, SSN, etc. Is it acceptable in terms of security compliance to repopulate their SSN (this is coming from the server-side validation, not client-side), or should I force the user to re-enter their SSN?

TroySteven
  • Why isn't it validating it dynamically with JS? Users should never have to try to post a form to figure out that your requirements aren't met. – user Nov 13 '19 at 15:46
  • It is validating dynamically with JS; however, it still hits server-side validation to test some things. My required-field example wasn't the best: we have to hit the server to do credit checks and fraud checks, and also as a fall-back if the JS validation fails. – TroySteven Nov 13 '19 at 15:47
  • The fact that you need some server-side validation doesn't change @user's suggestion. You can send all the form data to the server via an AJAX request, perform all the same server-side validation, and then return input errors without the user ever leaving the form. This provides a much better user experience anyway, and will make your concern about re-populating the form a non-issue. Win/win. – Conor Mancone Nov 13 '19 at 18:25
  • FWIW, for US natives born 1987-2011 (a substantial fraction if not the majority of users of many websites today) SSN is highly correlated to birthdate+birthplace, and given either you can closely approximate the other -- although doing so would likely creep out many of your users. PCI can be left off your list; it cares about _only_ 'cardholder data' (CHD), which does not include SSN. – dave_thompson_085 Nov 14 '19 at 01:43
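The flow the question describes (full-page POST, server-side validation, re-rendered form) can be kept while still never sending the SSN back to the browser. The sketch below is an added example, not an answer from this page and not the asker's code: it echoes only the harmless fields, keeps the submitted SSN in a server-side stash under a random one-time token, and renders a masked value so the user does not have to retype it. The field names, the regexes and the in-memory stash are assumptions made for the example; in a real deployment the stash would be the server session store with a short TTL, bound to the user's session.

```python
import re
import secrets

# Fields that are rendered back into the form after a failed server-side
# validation. The SSN is deliberately absent: it never goes back to the
# browser in cleartext (HTML source, browser cache/autocomplete, proxy logs).
ECHOED_FIELDS = ("first_name", "last_name", "birth_date")

# Assumed input formats for this example only.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Server-side stash for the SSN between the failed POST and the corrected
# re-POST. Assumption: a plain module dict so the example runs offline; in
# production use the session store with a short TTL, keyed to the session.
_ssn_stash = {}


def validate(form):
    """Return a field -> message dict of validation errors (empty when valid)."""
    errors = {}
    for name in ("first_name", "last_name"):
        if not form.get(name, "").strip():
            errors[name] = "required"
    if not DATE_RE.match(form.get("birth_date", "")):
        errors["birth_date"] = "required, format YYYY-MM-DD"
    if not SSN_RE.match(form.get("ssn", "")):
        errors["ssn"] = "required, format NNN-NN-NNNN"
    return errors


def mask_ssn(ssn):
    """Display form of an SSN: only the last four digits survive."""
    return "***-**-" + ssn[-4:]


def handle_post(form):
    """Process one submitted form; returns what the template layer would render."""
    form = dict(form)
    # Redeem any stash token first (one-time: popped whether or not it is used),
    # then let a freshly typed SSN win over the stashed one.
    stashed = _ssn_stash.pop(form.get("ssn_token", ""), "")
    if not form.get("ssn"):
        form["ssn"] = stashed

    errors = validate(form)
    if not errors:
        record = {k: form[k] for k in ECHOED_FIELDS + ("ssn",)}
        return {"status": "ok", "record": record}

    # Validation failed: re-render with the harmless fields, and with the SSN
    # replaced by a masked display value plus an opaque one-time token.
    fields = {k: form.get(k, "") for k in ECHOED_FIELDS}
    if "ssn" not in errors:
        token = secrets.token_urlsafe(32)
        _ssn_stash[token] = form["ssn"]
        fields["ssn_display"] = mask_ssn(form["ssn"])
        fields["ssn_token"] = token
    return {"status": "invalid", "errors": errors, "fields": fields}
```

The template renders `ssn_display` as placeholder text next to an empty `ssn` input and carries `ssn_token` in a hidden field; a user who wants to correct the SSN simply types a new one, which takes precedence. Because the token is popped on first use, a replayed or leaked re-POST cannot recover the value, and an expired stash entry just produces the ordinary "SSN required" error rather than a silent failure.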

0 Answers