Credit Card Contracts

Richard Clayton richard at turnpike.com
Sun, 15 Aug 1999 16:07:57 +0100


I don't recall this topic being mentioned before, but it does seem quite
important, since some of us have been telling anyone who will listen
that the Government are wasting their time with an "ECommerce Bill",
since real ECommerce will use credit cards and SSL provided by browsers,
and that will all use standard contract law and nothing special is
needed...

Anyway, Howard is a friend of mine, and he recently mentioned that he
has been looking at some Internet related small print on his credit card
agreements. I asked him for the details and he has kindly provided them:

Bank One International say:

    "4(f) do not send details of the Card Account Number over the
    Internet unless such details are sent in encrypted format using the
    secure session features included in the Netscape or Microsoft
    browser, or by using any other software approved by us or providing
    at least the same level of security"

which seems clear enough, and I think many who read this list would
consider this a reasonable condition (the software listed reflects the
realities of the marketplace).

However, GE Capital bank (Debenhams Visa card) say:

    "3.5 You must not send details of your Card or Account number over
    the Internet or any other online services unless such details are
    sent in a suitably encrypted format or by using software approved by
    us."

Being (I'm sure he wouldn't mind me saying) a stroppy sort of fellow,
Howard rang up this credit card company to enquire what "suitably
encrypted" might mean. This is clearly not something that many people
have done. To quote Howard:

    "it started as stunned silence and after seeking advice from
    elsewhere it was clear that whoever was advising a) hadn't got a
    clue what they were talking about and b) was making it up on the
    spot. Essentially they could offer no absolute standard of security
    and when pressed said that if it was a reputable company it was OK
    (which is of course contrary to their T&Cs). It was clear that the
    brain cell on the other end of the phone was by this time
    exhausted."

To change the topic very slightly ... it's notable that these credit
card companies are NOT insisting that you only deal with companies who
can identify themselves by means of chains of certificates linked
upwards to some master certificate endorsed by a Secretary of State...
about the only thing that the upcoming Bill might provide us with.

Is this ignoring of the value of certificates a foolishness based on
ignorance? an inability to write such a clause without filling the rest
of the page? or a hard-headed commercial approach to what is in
practice a tiny commercial risk?

Perhaps others can contribute some more contract clauses (good or bad)
or even (to amuse us) some similar experiences with customer support?

I seem to remember Ross Anderson once saying that all the security
professionals renewed their journal subscriptions by just sending plain
email... but perhaps this is changing ?

-- 
richard                       writing to inform and not as company policy
        only 25 MPs still need adopting:  http://www.stand.org.uk/
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM
