[slg]

Side question, does not displaying the credit card number and CVV provide any real security value? An overwhelming majority of sites that accept credit cards don't do that and I can't say I have ever been worried about that fact. At least the expiration year is displayed to the user so it is possible to notice if something is entered incorrectly And considering the expiration year masking issue only impacts people who use autofill, likely a small minority of users, I wonder if not displaying the credit card number leads to an even higher number of lost sales.

[aapeli]

Yes, most browsers treat password boxes as sensitive input which has implications to a lot of things. For instance if a blind person types in their CVV using assistive tools on Firefox on macOS, making it a password stops it from being read out loud like other input (it's probably the same on an iPhone, and in some cases this would be annoying if you're in public, etc).

[Leftium]

Aside from not displaying it, the browser will also not autofill/cache the sensitive information for future visits.