Card transactions by proxy

Leon Clarke leon at
Wed Mar 30 21:32:27 BST 2011

It could be that this is legally viewed as a card present transaction
that's been conducted using a non-approved computer system (which just
happens to use an approved website as one of its components, but has
other components like the PC that aren't approved for how they're
being used).
This is a massive breach of the local authority's agreement with the
acquiring bank that runs their website's card processing.

On Wed, Mar 30, 2011 at 2:33 PM, Mark Cottle <ukcrypto at> wrote:
> I've been asked for my thoughts on what seems to be a slightly odd
> proposal for card transactions. I wonder if anyone here can put me
> straight on the legal and technical positions.
> A local authority is proposing to close down a number of points that
> provide a general counter-service (for miscellaneous enquiries, rent
> payments, parking permits, bin bags and so on) and to transfer some
> of the functions to other facilities. At present these other
> facilities handle only small cash transactions and do not take card
> payments. In order to facilitate card payments it is proposed that
> staff will use existing desktop PCs to access existing public online
> payment facilities. They are supposed to take the card and enter the
> relevant information (card number, holder's name, expiry date, CSC
> etc) into the web interface - in effect, they carry out the standard
> web-based transaction for the customer. I think they are hoping most
> people will simply use the website option from home and the counter
> service will be mainly for those who don't have internet access or
> who aren't confident with web transactions. The proposers believe
> that, as the new arrangements are only supposed to deal with a
> limited range of transactions, which already have online versions,
> the authority can avoid having to put chip-n-PIN equipment at the
> locations concerned (thus avoiding associated costs).
> I'm uncomfortable with this suggestion but feel I need more
> information before coming to a judgement. My concerns are twofold:
> practical and legal. From the practical perspective I can see at
> least one problem in the form of 3-D Secure. If a "Verified by Visa"
> box or similar pops up then the staff member cannot complete the
> transaction because they do not (or should not) know the relevant
> password. And I hope those involved can see it would be obviously
> wrong to require staff to ask customers for such a password. I wonder
> if there are additional problems that fall in the legal or policy
> domains. I naively assume online card transactions are built upon the
> assumption that the card holder is the one entering the data. What is
> the legal position of a person (in this case a local authority staff
> member) carrying out a card transaction for another person who is the
> card holder? Is the customer breaching T&Cs? Who is liable for what
> if there is an error?
> Mark C
