We are in the process of designing an app which, simply put, will allow people to accept payments easily.
The customer won't need an account and we'll be linking customer data (name, address, and phone) via the emails used in their payments, e.g.:
When the user fills out the data and hits "Continue" they are prompted to fill out their name, address, and phone. If the user is a new customer, we have no issues: they'll fill it all in and be on their way. Our issue is with existing customers; our plan was to autofill the information with what we have in our records and allow them to edit it as they deem appropriate.
Now, obviously, after some consideration we realised that it wouldn't be ideal to do this because we'd essentially be doxxing our customers by showing all their info without some proper authentication. Someone could just sit there entering emails and view people's data.
Our immediate second thought was to show the redacted version of the info we have (last 4 of the phone or partial address) and let the customer select if they want to use the partially shown data. We'd never publicly show that info but in the backend we'd fully use that data.
So, my questions are as follows:
- Would my second suggestion be valid/safe?
- If not, what alternatives do I have?
A few clarifying points:
- It wouldn't be possible to purchase on behalf of someone because you'd need to enter your card details on each purchase. That wouldn't be prefilled.
- Customers are stored against organisations; organisations are the only people that can view customer information, and specifically only their own customers.
- The redacted information would purely be used as a convenience, it will only ever be used to quick fill info such as names and addresses, nothing like card details.
I was going to post this on UX but ultimately decided this was more of a security issue than a UX issue.
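Added example (not from the question's author) sketching the redacted-preview flow described in the question in Python: the browser only ever receives masked fields plus a single-use token, and the backend redeems that token for the full record. The organisation/customer data, the masking rules and the in-memory token store are all constructed assumptions.

```python
import secrets

# Constructed sample store, scoped per organisation as in the question.
CUSTOMERS = {"org-1": {"alice@example.com": {
    "name": "Alice Example",
    "address": "12 Example Street, Springfield, 12345",
    "phone": "+1 555 123 4567",
}}}

# Server-side map of one-time prefill tokens to (org, email). The client sees
# only the token and the redacted preview, never the full record.
PENDING = {}

def redact_phone(phone: str) -> str:
    """Mask every digit except the last four, keeping formatting characters."""
    digits = [c for c in phone if c.isdigit()]
    keep = set(range(len(digits) - 4, len(digits)))  # positions of last 4 digits
    out, i = [], 0
    for c in phone:
        if c.isdigit():
            out.append(c if i in keep else "*")
            i += 1
        else:
            out.append(c)
    return "".join(out)

def redact_address(address: str) -> str:
    """Assumed layout 'street, city, postcode': hide street, keep city, partial postcode."""
    street, city, postcode = [p.strip() for p in address.split(",")]
    return f"***, {city}, {postcode[:2]}***"

def prefill_preview(org: str, email: str) -> dict:
    """Response for the 'Continue' step; same keys whether or not the email is known.
    A non-empty preview still confirms the email belongs to a customer of this
    organisation, so the endpoint needs rate limiting per IP/session."""
    record = CUSTOMERS.get(org, {}).get(email)
    if record is None:
        return {"preview": None, "token": None}
    token = secrets.token_urlsafe(32)
    PENDING[token] = (org, email)
    name = record["name"].split()
    preview = {"name": f"{name[0]} {name[-1][0]}.",
               "address": redact_address(record["address"]),
               "phone": redact_phone(record["phone"])}
    return {"preview": preview, "token": token}

def apply_prefill(org: str, token: str):
    """Backend redeems the single-use token to load the full record for the order."""
    owner = PENDING.pop(token, None)  # pop makes the token single-use
    if owner is None or owner[0] != org:
        return None  # unknown token or a different organisation's customer
    return CUSTOMERS[org][owner[1]]
```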