Card transactions by proxy

Mark Lomas ukcrypto at
Sun Apr 3 08:35:57 BST 2011

On 3 April 2011 07:29, Peter Tomlinson <pwt at> wrote:

> On 02/04/2011 20:58, Florian Weimer wrote:
>> * Mark Cottle:
>>> I've been asked for my thoughts on what seems to be a slightly odd
>>> proposal for card transactions. I wonder if anyone here can put me
>>> straight on the legal and technical positions.
>> Is this about credit cards?
>> It is my understanding that a very similar thing happens when you do
>> some business transaction over the phone (like booking a hotel).  The
>> call center agent typically enters your credit card details into a web
>> application on your behalf.
> But surely that is a 'cardholder not present' transaction - and they must
> not ask you for the 3 digit CVV number off the back of the card.
> Here is an example of a major bank that *does* expect the customer to
provide the CVV. They call it a card security code, but it is clear from the
description that it is the same.

Usual practice is that merchants may request the CVV but are not permitted
to record it - they forward the value within an encrypted transaction then
destroy it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the ukcrypto mailing list