Tuesday, December 19, 2006

AutoComplete OFF

Memo to web developers building sites that accept credit card numbers:
Always, always set autocomplete="off" in the input tag.

Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere).
This is especially dangerous if someone enters their credit card number from a public computer.
The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and it would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.
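
One way to check a page for this, as an added example that is not part of the original post: a Python script that parses form markup and reports card-like inputs that leave form completion enabled. The field-name pattern and the sample markup are assumptions constructed for illustration; the script also treats autocomplete="off" on the enclosing form tag as inherited unless the input sets its own value.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic: field names/ids that suggest a card number or security code.
CARD_HINT = re.compile(r"(card|cc)[-_]?(num|no)|cvv|cvc", re.I)

# Constructed sample markup (not from any real site).
SAMPLE = """<form action="/pay" method="post">
  <input type="text" name="cardholder">
  <input type="text" name="card_number">
  <input type="text" name="cvv" autocomplete="off">
</form>
<form action="/pay2" method="post" autocomplete="off">
  <input type="text" name="cc-number">
  <input type="text" name="ccnum" autocomplete="on">
</form>
"""

class AutocompleteAudit(HTMLParser):
    """Collect card-like <input> fields that leave form completion enabled."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # enclosing <form> carries autocomplete="off"
        self.findings = []     # (line number, field name) per unprotected input

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and a.get("type", "text").lower() != "hidden":
            label = a.get("name") or a.get("id") or ""
            if not CARD_HINT.search(label):
                return
            # The input's own attribute wins; otherwise inherit from the form.
            own = a.get("autocomplete")
            off = own.lower() == "off" if own is not None else self.form_off
            if not off:
                self.findings.append((self.getpos()[0], label))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    """Return [(line, field)] for card-like inputs without autocomplete off."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling audit(SAMPLE) reports the card_number field in the first form and the ccnum field that switches completion back on inside the second form.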


Received thru Sendhil.