Tags: c#, asp.net, authorize.net, pci-compliance

Is It Okay to Display Credit Card Number On Validation After PostBack C# PCI Compliance


I am curious about PCI Compliance Requirements relating to post back on a Bill Pay form.

I currently have a form that submits to authorize.net; I don't store any credit card information in a database or by any other means.

My question relates to ASP.NET ViewState and PostBack values. If a user forgets to enter their Name on the form, the form does a postback and shows a validation message. ASP.NET then restores all of the user's entered information from the ViewState. This includes the credit card number they entered. To me that seems like it would be a violation of PCI Compliance. I'm not an expert though, so I am unsure; if anyone could shed some light on this topic, that would be great.

Also, FYI, in case anyone was wondering, the form submits over SSL and my viewstate is encrypted.


Solution

  • DO NOT DO IT.

    PCI only allows the presentation of the first six (the BIN) or the last four digits.

    If you must redisplay, only show the last four on the page and encrypt in a hidden field.

    Take this "for instance": the user enters all their info, they click while walking away from the computer thinking all is well, and then come back some time later to see their info in full display for the world. Who knows how many people could have possibly seen that info.
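One way to apply the answer's advice in Web Forms code-behind, as an added example that is not part of the original post or the asker's project: the card field is kept out of ViewState, the PAN is never echoed back after a failed validation, and only the last four digits are shown as a hint. Control names (`txtCardNumber`, `lblCardHint`, `btnPay`) and the gateway call are assumed.

```csharp
// Added example (not from the original post). Assumes a Web Forms page with
// TextBox txtCardNumber, Label lblCardHint and Button btnPay (hypothetical names).
using System;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class BillPay : Page
{
    // Keep only the digits of whatever the user typed (spaces, dashes removed).
    public static string Digits(string pan)
    {
        return Regex.Replace(pan ?? string.Empty, @"\D", string.Empty);
    }

    // PCI DSS 3.3 permits displaying at most the first six and last four digits;
    // this returns only the last four (empty if the input is not a plausible PAN).
    public static string LastFour(string pan)
    {
        string d = Digits(pan);
        if (d.Length < 13 || d.Length > 19) return string.Empty;
        return d.Substring(d.Length - 4);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // No PAN in ViewState, and Password mode means the control never
        // writes its current value back into the rendered HTML.
        txtCardNumber.EnableViewState = false;
        txtCardNumber.TextMode = TextBoxMode.Password;
    }

    protected void btnPay_Click(object sender, EventArgs e)
    {
        string pan = txtCardNumber.Text;   // posted value, available this request only
        if (!Page.IsValid)
        {
            // Another field failed validation: show a masked hint, never the PAN,
            // and make the user re-enter the number on the next submit.
            string last4 = LastFour(pan);
            lblCardHint.Text = last4.Length == 4
                ? "Please re-enter the card ending in " + last4
                : "Please re-enter your card number";
            txtCardNumber.Text = string.Empty;
            return;
        }
        // Valid: hand the PAN to the gateway (authorize.net call goes here),
        // then let it go out of scope; it is never stored or redisplayed.
    }
}
```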