I have observed that in some payment portals while making payments via credit/debit card the CVV/CVC number is masked out (hidden), but in different portals this is not the case.

For example: USA & a few UK-based payment portals are not masking this field, while portals of some other countries are not, as far as I know. I tried to find a rule about this, but could not find any.

Is it really necessary to hide this field? Why do payment portals not have a uniform template about managing this field?

PasWei
Ashish Patil

1 Answer

Short answer: It is not necessary to hide the field, because there is no rule about how portals have to handle it.

At least for the United States, you want to take a look at the PCI Compliance guidelines. Credit card data has to be protected by strong encryption during transmission and storage. But there is no passage about whether a CVC input field has to be masked or not.

That's the reason why there are masked and unmasked variants. Some payment portals want to avoid mistyped CVCs at all cost and therefore reduce security, others prefer to have better security at the cost of a few mistyped CVCs. As you get a response whether or not the code is correct almost immediately, I recommend choosing the latter.

PasWei
  • Thanks for sharing your views, @PasWei – Ashish Patil Jul 30 '22 at 20:14
  • I'll point out that the only security that masking that field provides is to prevent someone looking over your shoulder while you type. Which is not _nothing_, but is a very specific, limited use case you're protecting against. – Bobson Jul 31 '22 at 04:11