Card transactions by proxy

[Roland Perry]

In article <4D933F44.15263.15DAD14 at ukcrypto.airburst.co.uk>, Mark Cottle 
<ukcrypto at airburst.co.uk> writes
>I've been asked for my thoughts on what seems to be a slightly odd
>proposal for card transactions. I wonder if anyone here can put me
>straight on the legal and technical positions.
>
>A local authority is proposing to close down a number of points that
>provide a general counter-service (for miscellaneous enquiries, rent
>payments, parking permits, bin bags and so on) and to transfer some
>of the functions to other facilities. At present these other
>facilities handle only small cash transactions and do not take card
>payments. In order to facilitate card payments it is proposed that
>staff will use existing desktop PCs to access existing public online
>payment facilities. They are supposed to take the card and enter the
>relevant information (card number, holder's name, expiry date, CSC
>etc) into the web interface - in effect, they carry out the standard
>web-based transaction for the customer. I think they are hoping most
>people will simply use the website option from home and the counter
>service will be mainly for those who don't have internet access or
>who aren't confident with web transactions. The proposers believe
>that, as the new arrangements are only supposed to deal with a
>limited range of transactions, which already have online versions,
>the authority can avoid having to put chip-n-PIN equipment at the
>locations concerned (thus avoiding associated costs).
>
>I'm uncomfortable with this suggestion but feel I need more
>information before coming to a judgement. My concerns are twofold:
>practical and legal. From the practical perspective I can see at
>least one problem in the form of 3-D Secure. If a "Verified by Visa"
>box or similar pops up then the staff member cannot complete the
>transaction because they do not (or should not) know the relevant
>password. And I hope those involved can see it would be obviously
>wrong to require staff to ask customers for such a password. I wonder
>if there are additional problems that fall in the legal or policy
>domains. I naively assume online card transactions are built upon the
>assumption that the card holder is the one entering the data. What is
>the legal position of a person (in this case a local authority staff
>member) carrying out a card transaction for another person who is the
>card holder? Is the customer breaching T&Cs? Who is liable for what
>if there is an error?

At the most fundamental level what's happening here is that a 
"Cardholder not Present" transaction is being conducted with the 
cardholder present. That's against the rules.
-- 
Roland Perry