Conceal credit card number

vr8ce
vr8ce
Community Member

I'm not sure why the credit card# field on the Credit Card form isn't concealable, but please make it so, or at least give us the option to make it so like new fields we add to a form.

Also, on the list, it should only show the last four of the card#, not the first four.

(This is for all 1Password platforms, I'm just a Mac user so I'm putting it here.)

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @vr8ce: Credit card numbers are not secret, so I don't expect we'll be doing that. But I would like to get a better sense of why you're asking for this, in case there's something else that might help. Keep in mind that credit card information (or anything else) will not be shown in 1Password unless you 1) unlock the app and 2) select the item to display. Keep in mind that your credit card number alone is useless, as someone would need other payment details (billing address, CVV, expiration, etc.) And in most cases you'll have fraud protection as well. Interested to hear more about your use case though. :)

  • vr8ce
    vr8ce
    Community Member

    Thanks for the lesson, but I'm conversant with how 1Password works. All that you said is also true for passwords, and any user-added fields, and yet we can choose to conceal them. There is no reason not to give us the option of concealing the credit card numbers, and plenty of reasons to do so. The (not my) use case is no different than any other field — we should be able to conceal any field we want to conceal.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2017

    Thanks for the lesson, but I'm conversant with how 1Password works. All that you said is also true for passwords, and any user-added fields, and yet we can choose to conceal them.

    @vr8ce: I disagree that passwords are not inherently secrets we want to protect (otherwise none of us would be using 1Password probably), but certainly there are some passwords which I would be less concerned about having them be discovered! :)

    There is no reason not to give us the option of concealing the credit card numbers, and plenty of reasons to do so. The (not my) use case is no different than any other field — we should be able to conceal any field we want to conceal.

    There's a very good reason: adding endless options adds complexity, which makes bugs and confusion more likely. So we try to add features only when there is good reason to do so. That's why I was asking about the user case. It just isn't clear from your comments so far what that is exactly. "Because there is no reason not to" is a tough sell when we're talking about pulling someone off of working on something else. And again, you can conceal any information you wish to in 1Password by either not displaying the item or keeping 1Password locked.

    Like I said, it's something we can consider, but it's hard for me to make a case for this or anything else to the rest of the team unless I have a sense of how it could benefit 1Password users as a whole, rather than just a single person. We need to prioritize things that will be of benefit for many users. It's possible there may have similar needs to yours, but I don't have a sense what that might be. So it isn't something we're going to add at this time, but we can keep your request in mind as we develop future versions, and perhaps hear from others who want something similar. Cheers! :)

  • vr8ce
    vr8ce
    Community Member

    Please keep track of the conversation, and don't put words in my mouth. You said, "Keep in mind that credit card information (or anything else) will not be shown in 1Password unless you 1) unlock the app and 2) select the item to display." Both of those things are true for passwords, and yet we protect them. Why? Because those aren't good enough reasons not to. And they're not good enough reasons not to protect credit card numbers, either.

    No, there's not a very good reason. This isn't "endless options". It isn't any options. Field A, B, and D are concealable, field C isn't. There's no reason for that. It doesn't take anyone any effort, or prioritizing, or anything else. It takes applying the flag that says a field is concealable to field C that's already applied to Field A, B, and D. AFAIC, there's no reason for any field in 1Password not to have those attributes. You're the one sowing confusion. Having every field act the same would make it simpler and less confusing.

    You're turning something smaller than a molehill into a mountain, and spreading quite a bit of misdirection around for no reason.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Please keep track of the conversation, and don't put words in my mouth.

    I didn't. I used my own words. No need to be rude.

    You said, "Keep in mind that credit card information (or anything else) will not be shown in 1Password unless you 1) unlock the app and 2) select the item to display." Both of those things are true for passwords, and yet we protect them. Why? Because those aren't good enough reasons not to. And they're not good enough reasons not to protect credit card numbers, either. No, there's not a very good reason.

    I'm not saying that you have to agree with the reasoning. Just sharing it since you bright it up.

    This isn't "endless options". It isn't any options. Field A, B, and D are concealable, field C isn't. There's no reason for that. It doesn't take anyone any effort, or prioritizing, or anything else. It takes applying the flag that says a field is concealable to field C that's already applied to Field A, B, and D. AFAIC, there's no reason for any field in 1Password not to have those attributes. You're the one sowing confusion. Having every field act the same would make it simpler and less confusing. You're turning something smaller than a molehill into a mountain, and spreading quite a bit of misdirection around for no reason.

    You may think so, but I couldn't possibly comment.

  • XIII
    XIII
    Community Member
    edited November 2017

    According to this Office support page from Microsoft, it’s a “common security measure” to only show the last 4 digits:

    https://support.office.com/en-us/article/Display-only-the-last-four-digits-of-identification-numbers-ef699b5f-8b85-4226-ac11-2a568c8a9fe1

    I have indeed seen that more than once, though I can’t think of any examples from the top of my head... However, my first hunch was right; Amazon lists creditcards in your profile using only the last 4 digits. In fact, even the 1Password.com billing page does only show the last 4 digits!

    I don’t think I feel as strong about this as @vr8ce, but I would appreciate displaying only the last 4 digits by default and only all when editing/copying.

  • XIII
    XIII
    Community Member
    edited November 2017

    There’s actually a “Payment Card Industry’s Data Security Standard (PCI DSS)” which is promoting this:

    https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

    At a minimum, PCI DSS requires PAN to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs. Software solutions for this requirement may include one of the following:

    Truncation – removing a data segment, such as showing only the last four digits.

    (where PAN is used as an abbreviation for Primary Account Number)

    Other options are hashes and strong encryption, so 1Password probably still complies?

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2017

    @XIII: You're right that this is a different case, but that's really interesting. Thank you! Indeed, "last 4" is standard for payment processors (and legally required in some jurisdictions). Given that 1Password itself isn't storing or using this information for payment processing (with the exception of 1Password.com, of course), and because everything stored in 1Password is encrypted, it is already "rendered unreadable".

    Even when unlocked, Credit Card items have their numbers displayed as 4444 **** 5555 in the item list, just as Logins display only the username there, so that someone sitting next to you cannot get all of your info by casually look at your screen (or viewing your computer remotely) when you're just scrolling through the contents of your vault. At that point, all other information in these items will only be displayed if you select them to view their details. In that sort of situation, I wouldn't want to do so at all. We have great browser extensions that allow us to fill into webpages without having to reveal all of the item's details...but doing that can allow someone nearby to see some things you might not want them to as well (what site you're logging into, or what you're buying on Amazon, for example), so it's always important to be circumspect when in that sort of environment.

This discussion has been closed.