On Thu, Nov 22, 2001 at 01:17:44PM -0800, Petro wrote:
When was the last time you worked a Customer Support line for a web site that did CC transactions?
End users care about, and insist on, security. They don't know JS about it, they don't begin to understand it, but they "know" that 128-bit SSL is better than 40-bit, and they know that it "keeps hackers away from their credit cards".
Yes, they do care. But I don't understand exactly why they care, since unauthorised e-commerce transactions end up being the liability of the merchant and the credit card company. It is usually just an annoyance for the customer. Of course, 128-bit SSL gives customers a false sense of security. The CC number is protected over the wire between their desktop and the web server, but customers have no clue what happens to their CC number after that. If the web server has been compromised, it doesn't matter much what sort of over-the-wire encryption you use. The customer generally has little idea of how the merchant stores CC numbers and what measures are in place to protect them.