Credit Card Contracts
Nicholas Bohm
nbohm at ernest.net
Mon, 16 Aug 1999 09:37:40 +0100

At 04:07 PM 8/15/1999 +0100, Richard Clayton wrote:
>I don't recall this topic being mentioned before, but it does seem quite
>important, since some of us have been telling anyone who will listen
>that the Government are wasting their time with an "ECommerce Bill",
>since real ECommerce will use credit cards and SSL provided by browsers,
>and that will all use standard contract law and nothing special is
>needed...
>
>Anyway, Howard is a friend of mine, and he recently mentioned that he
>has been looking at some Internet related small print on his credit card
>agreements. I asked him for the details and he has kindly provided them:
>
>Bank One International say:
>
> "4(f) do not send details of the Card Account Number over the
> Internet unless such details are sent in encrypted format using the
> secure session features included in the Netscape or Microsoft
> browser, or by using any other software approved by us or providing
> at least the same level of security"
>
>which seems clear enough, and I think many who read this list would
>consider this a reasonable condition (the software listed reflects the
>realities of the marketplace).
>
>However, GE Capital bank (Debenhams Visa card) say:
>
> "3.5 You must not send details of your Card or Account number over
> the Internet or any other online services unless such details are
> sent in a suitably encrypted format or by using software approved by
> us."
>
>Being (I'm sure he wouldn't mind me saying) a stroppy sort of fellow,
>Howard rang up this credit card company to enquire what "suitably
>encrypted" might mean. This is clearly not something that many people
>have done. To quote Howard:
>
> "it started as stunned silence and after seeking advice from
> elsewhere it was clear that whoever was advising a) hadn't got a
> clue what they were talking about and b) was making it up on the
> spot. Essentially they could offer no absolute standard of security
> and when pressed said that if it was a reputable company it was OK
> (which is of course contrary to their T&Cs). It was clear that the
> brain cell on the other end of the phone was by this time
> exhausted."
>
>To change the topic very slightly ... it's notable that these credit
>card companies are NOT insisting that you only deal with companies who
>can identify themselves by means of chains of certificates linked
>upwards to some master certificate endorsed by a Secretary of State...
>about the only thing that the upcoming Bill might provide us with.
>
>Is this ignoring of the value of certificates a foolishness based on
>ignorance ? an inability to write such a clause without filling the rest
>of the page ? or a hard-headed commercial approach to what is in
>practice a tiny commercial risk ?

I think the card issuers are worried about third parties snatching credit
card details off the Net. (It makes a change for them to be worried about
a risk that falls not on them but on the merchants who get defrauded.)

The reason they aren't interested in making sure you're dealing with
someone properly identified by a chain of certificates is simple: unless a
merchant is signed up to the credit card system somewhere, directly or
indirectly, he can't get value from a card transaction. The banks can vet
who they will allow into the system, and rely on one another to do it. In
the UK, and other countries where the card issuer is jointly liable with
the merchant to the customer on the transaction, they are especially keen
to do a good job of vetting. So certificate chains are irrelevant: all
merchants are already identified by the banking system.

Regards,
Nicholas Bohm
Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF