Card transactions by proxy

Mark Cottle ukcrypto at
Wed Mar 30 14:33:40 BST 2011

I've been asked for my thoughts on what seems to be a slightly odd 
proposal for card transactions. I wonder if anyone here can put me 
straight on the legal and technical positions.

A local authority is proposing to close down a number of points that 
provide a general counter-service (for miscellaneous enquiries, rent 
payments, parking permits, bin bags and so on) and to transfer some 
of the functions to other facilities. At present these other 
facilities handle only small cash transactions and do not take card 
payments. In order to facilitate card payments it is proposed that 
staff will use existing desktop PCs to access existing public online 
payment facilities. They are supposed to take the card and enter the 
relevant information (card number, holder's name, expiry date, CSC 
etc) into the web interface - in effect, they carry out the standard 
web-based transaction for the customer. I think they are hoping most 
people will simply use the website option from home and the counter 
service will be mainly for those who don't have internet access or 
who aren't confident with web transactions. The proposers believe 
that, as the new arrangements are only supposed to deal with a 
limited range of transactions, which already have online versions, 
the authority can avoid having to put chip-n-PIN equipment at the 
locations concerned (thus avoiding associated costs).

I'm uncomfortable with this suggestion but feel I need more 
information before coming to a judgement. My concerns are twofold: 
practical and legal. From the practical perspective I can see at 
least one problem in the form of 3-D Secure. If a "Verified by Visa" 
box or similar pops up then the staff member cannot complete the 
transaction because they do not (or should not) know the relevant 
password. And I hope those involved can see it would be obviously 
wrong to require staff to ask customers for such a password. I wonder 
if there are additional problems that fall in the legal or policy 
domains. I naively assume online card transactions are built upon the 
assumption that the card holder is the one entering the data. What is 
the legal position of a person (in this case a local authority staff 
member) carrying out a card transaction for another person who is the 
card holder? Is the customer breaching T&Cs? Who is liable for what 
if there is an error? 

Mark C