Good feedback from organisations running online systems. Worth a read:
[…] Technology alone cannot solve the problems that security teams face today. Education and awareness are essential components. The presenters made a simple request: Don’t assume that user behavior – employees or end-user customers – about passwords will change. Security teams must reduce or entirely remove the roadblocks to adoption. Organizations must also provide those best practices for users without creating a new “ask.”
When storing personal information, only accept the risk that aligns with the level of authentication strength. If a less-strong authentication is used, do not allow payment card information to be stored. Only the strongest authentication allows payment data to be saved within the account.