[web] When laying out credit card details should I...?

Started by
2 comments, last by evolutional 19 years, 5 months ago
Hi, I'm doing a project that involves entering card details, as this is a college project we don't have access to banks or anything to send the banking details anywhere. So when the customer enters their details, I then go to a confirm page that shows all their data entered as well as their credit card details. For security reasons, is it bad to show their details back at them in the confirm page, or should I have them enter their credit card details on the confirm page? Btw I am using html, jsp, javascript etc. Thanks
No, many sites show the CC number, exp date, and name on card on the confirmation page. But, it should all be done on encrypted pages so that the information exchange is secure.
"There are two types of languages, those that everyone complains about, and those that no one uses." | Standardized C++ Libraries | Gamecron PC Gaming | A Christian Blog
Personally, I prefer pages which only report the last four digits and leave the rest as asterisks. Basically:

Exp: 01/02
Card #: **** **** **** 2942


No need to redisplay the card number. If the customer made a mistake the card will be declined. I hate having personal info (especially credit card numbers) displayed. It's not about the connection being secure (which is _extremely_ important), it's about people peeking over your shoulder.
I agree with ontheheap here, the best way by far to do this would be to show only the last 4 digits with all the rest starred out. If the user made a mistake they'll need to re-enter it again without being able to check where they went wrong, perhaps a hassle but it's worth the security.

Also remember to change the cache settings on your page so that it doesn't get cached in the browser (no form history) and that the page expires immediately after it's been displayed. I know it's not a live system, but you'll get extra marks for showing your attention to security.
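
Added example (not part of any post in this thread): the two suggestions above, showing only the last four digits and keeping the confirm page out of the browser cache, sketched as server-side JavaScript. The function names, the `order` fields and the sample card number are constructed for illustration; the same logic carries over to a JSP or servlet.

```javascript
// Added example; names and sample values are assumptions, not from the thread.

// Headers that tell browsers and proxies not to keep a copy of the page.
const NO_STORE_HEADERS = {
  'Cache-Control': 'no-store', // HTTP/1.1: never write the response to any cache
  'Pragma': 'no-cache',        // legacy HTTP/1.0 caches
  'Expires': '0',              // treat the page as already expired
};

// Escape user-supplied text before placing it in HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the card number with all but the last four digits starred out.
function maskCardNumber(input) {
  const digits = String(input).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) {
    // Never echo unexpected input back into the page.
    throw new Error('invalid card number');
  }
  const stars = '*'.repeat(digits.length - 4).match(/.{1,4}/g).join(' ');
  return stars + ' ' + digits.slice(-4);
}

// Build the confirm page on the server, so the full number is never sent back to the browser.
function buildConfirmResponse(order) {
  const body = [
    '<p>Name on card: ' + escapeHtml(order.name) + '</p>',
    '<p>Exp: ' + escapeHtml(order.expiry) + '</p>',
    '<p>Card #: ' + maskCardNumber(order.cardNumber) + '</p>',
  ].join('\n');
  const headers = Object.assign({ 'Content-Type': 'text/html; charset=utf-8' }, NO_STORE_HEADERS);
  return { status: 200, headers, body };
}

// Constructed sample order (made-up number, not a real card).
const sample = buildConfirmResponse({
  name: 'A. Student', expiry: '01/02', cardNumber: '4000 0000 0000 2942',
});
console.log(sample.headers['Cache-Control']);
console.log(sample.body);
```

Masking on the server matters here: if the full number is sent to the page and starred out in client-side script, it is still present in the page source and in any cached copy.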

This topic is closed to new replies.
