Card transactions by proxy

Tony Naggs tony.naggs at
Sun Apr 3 11:44:53 BST 2011

On 31 March 2011 11:31, Charles Lindsey <chl at> wrote:
> I think in the case under discussion, the agent should say "we cannot process
> your card directly here, but we have a PC that you can use yourself to make
> a 'not present' transaction". Then, if the cardholder is not happy/familiar
> with web transactions, the agent can offer to assist. The essential factor
> is that the PC screen should be turned during the activity so that the
> customer can observe what is being done.

Using a PC & web form at the agent is a really bad idea. Even though a
Point Of Sale terminal is likely to be a PC under the covers at least
the shop employee is not going to be using it to read email, watch Flash
movies or browse Facebook, naughty pictures, etc. during their tea
breaks. Activities which have a risk of picking up key logger or other

> In the case of verified by Visa transactions, the customer is presumably
> already familiar with the process (having previously set up a PIN/password)
> so he should be able to do that part himself (and the agent should turn the
> screen and give him access to the keyboard at least for the PIN/password
> stage). Indeed, the agent should ideally not even see the "helpful phrase"
> displayed by Visa to remind the customer of which password he is supposed to
> use.

Yuck. I now avoid sites that want me to go through the Mastercard or
Verified by Visa sign-up to complete my purchases, I have enough
trouble remembering the strong passwords for all computers & crypto
systems I use regularly, remembering several more for an activity I do
once or twice a month is a big ask. (I did sign up 1 card to rebook a
flight home to the UK, I now don't remember which card let alone the
password.) Also I consider the terms you are asked to agree to when
setting up the password to be onerous - providing an email address I
can always be promptly contacted at. I have no control over my ISP's
spam filters and am often away from most of my email accounts for several
weeks, and why do they want this? My banks already have my mobile
phone number which they use to query suspicious transactions. There has
got to be a better way of securing banking transactions.

If I go to a physical merchant or agent I would be very upset to be
presented with the Verified by Visa oblox. Locally (Cambridge) I
sometimes make my monthly council tax payment at the Post Office,
where they swipe my council issued magnetic stripe card and then take
a payment from my debit card using their Chip & Pin terminal.


More information about the ukcrypto mailing list