
Security of Forms and Information

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Web Design Discussion
Forum Description: Discussion on web design and development subjects.
URL: https://forums.webwiz.net/forum_posts.asp?TID=10653
Printed Date: 29 March 2026 at 7:40pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Security of Forms and Information
Posted By: xeerex
Subject: Security of Forms and Information
Date Posted: 28 May 2004 at 2:58pm

Hey everyone,

I've got a client that I am going to design a new website for. They want users to be able to submit credit application information via a form which submits to an email address. The information is everything on a standard credit application including SSN, addresses, etc.

This client already has a website that does this and it is NOT under an SSL session. I've tried to convince them that they may as well post the information under a neon sign.

Does anyone have any feedback and/or links to information that I can gather up and present to them on the merits of web form security?



-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production



Replies:
Posted By: dpyers
Date Posted: 28 May 2004 at 3:50pm

First ask them if they have ever done any business over the web - bought or applied for anything that involved personal information being transmitted. Then ask them if it was done through email or a form.

Secondly, download one of the traceroute programs and trace the route to their web site. Copy the output from various times of day/days of week. Note that the routes are not always the same depending upon internet load. Explain to them that each point along a traceroute can be examining their mail for nifty things like SSNs and CC info. Some will already be harvesting email addresses; picking up SSN and bank info is gravy.

In the US, failure to conform to commonly accepted business practices opens you up for liability if information collected is misappropriated. Securing personal information to prevent identity theft is such a common business practice. You may want to google for recent US federal legislation regarding identity theft and the obligations of businesses to protect customer information. There's a lot of state legislation about this as well.

Most credit card companies have specific rules for using their cards over the web which entail how the information is secured. I would expect that those same rules apply when applying for the card. VISA for instance expressly requires SSL. Bank1 cards - the most widely used type of private label cards are Visa.

I would think that failure to use SSL when collecting the information, and then enclosing that info in an un-encrypted email violates the terms of service of whoever they are collecting the info for. There's always the possibility that their game is identity theft.

Quite frankly, I would drop the client for a couple of reasons.

  1. What they want to do is an accident waiting to happen. I wouldn't care to be associated with it when it does. One lawsuit, and you and your company are on the six o'clock news.
  2. It's just not good web design or technique. In fact, it's lousy. I get a chunk of income doing overflow work or acting in collaboration with other web developers. I wouldn't want the word getting around that that's the kind of stuff I do.
  3. I have to carry business insurance - some of my clients require it. Applying for the insurance was an effort as I had to give examples of how I always protected against errors of omission or commission. They are particularly interested in my conformance to industry accepted practices around securing financial data and transactions.

Every job that comes along is not a good job. There are some you just need to walk away from.



-------------

Lead me not into temptation... I know the short cut, follow me.
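As an added illustration (not from the thread or its posters), a small stdlib-only Python audit that turns the point above into something concrete to show a client: it parses a page's forms and flags any that post credit-application fields over plain http or via a mailto: address. The page URL, the sample HTML and the field-name keyword list are all constructed for the example.

```python
"""Audit an HTML page's forms for sensitive fields submitted without TLS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest credit-application data (constructed list)
SENSITIVE = ("ssn", "social", "card", "account", "routing", "dob")


class FormCollector(HTMLParser):
    """Record each form's action attribute and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of {"action": str, "fields": [str]}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())


def audit_forms(page_url, html):
    """Return (severity, message) findings for every form on the page."""
    findings = []
    parser = FormCollector()
    parser.feed(html)
    if urlsplit(page_url).scheme != "https":
        findings.append(("medium", "page itself is not served over https"))
    for form in parser.forms:
        # An empty action posts back to the page; resolve relative actions
        target = urljoin(page_url, form["action"] or page_url)
        scheme = urlsplit(target).scheme
        sensitive = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        sev = "high" if sensitive else "medium"
        if scheme == "mailto":
            findings.append((sev, f"form submits via unencrypted email to {target}"))
        elif scheme != "https":
            findings.append((sev, f"form posts over {scheme} to {target}"))
    return findings


# Constructed sample mirroring the thread: a credit application on plain http
SAMPLE_HTML = """<form action="/apply.asp" method="post">
<input name="fullName"><input name="SSN"><input name="street"></form>
<form action="mailto:credit@example.invalid"><input name="accountNumber"></form>"""

if __name__ == "__main__":
    for sev, msg in audit_forms("http://www.example.invalid/credit", SAMPLE_HTML):
        print(sev.upper(), msg)
```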


Posted By: xeerex
Date Posted: 28 May 2004 at 4:39pm

Thanks for the information. I already knew most of it, but sometimes it's easier to hear it from someone else as opposed to wringing the client's neck.

This client is a very successful multimillion-dollar company in the auto-leasing business. They have several websites already but don't actually use e-commerce transactions; however, they do have existing credit app forms not under SSL.

I have the final say in what happens on this particular website, but sometimes trying to convince the "suits" of what needs to happen is nothing short of nuts.

Again, thanks for the well-worded post and advice.



-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production



