Possible Customer Password Reset Bug:

The success/information message is being displayed rather than an error message when entering an email that does not exhist in the store for customer accounts.

This is happening on FPWD and the magnific popup form on LOGN (Suivant Theme).

I entered a goofy email "[email protected]" and made sure there is no account using it.

Hi SidFeyDesigns

That is intentional and part of PCI-dss requirement #6.5.5

https://www.pcidssguide.com/pci-dss-requirement-6/


“A common example of improper error handling is user ID and password input. If an attacker receives the message, "incorrect password provided," that error message is telling them they've given a correct user ID. Now, they can focus on hacking the password. The PCI DSS recommends using generic language in your error messages so that no useful information is accidentally given to attackers. Instead of saying "Incorrect password provided," try giving the error message, "Data could not be verified."

Hope this helps

-Eric

OKay, that actually makes a lot of sense. Thank you for sharing that info.

Address Validation Issues

We disabled the feature back in 2022/03 due to the following issues:

1. Three times wrong address was not not flagged, fortunately our fulfillment software caught it.
2. Twice shoppers were not able to place orders.

Refer to post:

Title: Any issues with Address Validation?
Link: https://www.miva.com/forums/forum/on...ion#post720252

Note: Two other merchants on the post disabled the feature due to other problems as well.

I do not believe Miva is aware that there might be an issue with this feature.

Hi William

i just tried checking out at runtime with address verification turned on and was able to complete checkout both with selecting the "verified" version of the address and the "as entered" option.

do you happen to have the address the customer was using that caused that error?

as far as the first issue goes "1. Three times wrong address was not not flagged, fortunately our fulfillment software caught it."

I'm not sure there is anything we can do about that. if the address is so off that UPS and/or USPS don't return any "verified" versions of it we still allow the order to complete. we do this so that we don't get into a situation where the Customer Can't complete checkout. for that same reason we have the "Use As Entered" option. but because of that, it does allow a customer to enter a bad address and just bypass or skip the address verification.

-Eric

Eric, thank you for your quick reply. I don't recall as that happened some time ago. But I caught your other relating to the same issue, and will give it another go this week and report back here. Thanks again!