I tried to enrol online for a course at City Lit a couple of days back. The registration procedure was a little clunky and involved a few inline frames, but I managed to battle through it. I was using Firefox and some of the field names did not display in their entirety — to see all of the text you need to highlight them with the mouse and drag horizontally. If you failed to fill in a mandatory field you were dropped back in the middle of the page with no feedback as to what had just happened. Only scrolling to the top of the frame would tell you which fields you had failed to complete.
But the worst part of the process for me was at the payments stage. When asked to submit my credit card details, I automatically hunt out the sure signs of a secure payment system — basic stuff such as an https in the URL bar and a padlock icon appearing. I saw neither in this case. OK, it’s possible that the secure part of the site was buried in a frame, so I right-clicked to get a context-sensitive menu on the form, hoping that this might reveal some information. It didn’t, so I quickly cancelled my sign-up.
I contacted the City Lit the next day and they assured me that the process is completely secure. This is what they had to say:
Thank you for your observation and be assured we take online card security very seriously. You will be comforted to know that Netbanx collects card payments on our behalf in a secure and PCI compliant environment. PCI DSS (Payment Card Industry Data Security Standard) is a world-wide benchmark mandated by the card schemes for the protection of cardholder identity and transaction information. Netbanx is a reputable company that was founded in 1996 and was the UK’s first payment service provider. We have been using their services since July 2006 without incident … Please be reassured that whilst the padlock does not appear, the payment window within the online enrolment window is secure with 128 bit encryption.
The first part of this doesn’t mean much to me, not being a security specialist. However, whilst I’m reassured that they do take security seriously, I’m concerned that the user receives no information or feedback as to the level of site security.
Now, I haven’t got any screen shots to back this up — and can’t get any without going through the process again — so I’m prepared to admit I may have missed something, although I did examine the page in depth. Some clear, explanatory text would have set my mind, and presumably others’, at rest — if you take pride in the level of security you offer, then let your users know (maybe skip the bit about PCI DSS though!).