Card transactions by proxy

John Wilson tugwilson at
Thu Mar 31 08:59:26 BST 2011

On 30 March 2011 21:07, Mark Cottle <ukcrypto at> wrote:
> Prefer not to give the name at the moment. Although the proposals of
> which this is a part are out to a fairly broad consultation (and thus
> it's not much of a secret in the area concerned) I need to be
> diplomatic.

As long as it's not Aylesbury Vale District Council :)

> It certainly seems to be a breach of the Barclaycard T&Cs and I'm
> guessing the same applies to most other cards/issuers. That would
> seem to be a matter between the issuer and the cardholder. It also
> sounds as if there might be issues relating to the merchant agreement
> under which the authority gets its web transactions processed,
> although I'm not clear about that.
> The aspect I most need to pin down now is the position of staff who
> are asked to perform transactions in the manner in question.

I think it puts them in a very difficult position. If there's a query
about any future transaction on one of the cards they will fall under
suspicion. The fact that they have colluded in making a transaction
which is specifically disallowed by the card issuer's T&Cs will not

Three obvious scenarios:

1/ Someone installs a keylogger on the council's PC (not the most
highly secure machines at the best of times), harvests CC details and
sells them on. The operator is immediately the centre of suspicion.

2/ Someone gives the operator their card then makes a set of purchases
and later denies they did so, claiming that the details must have
been skimmed at the council terminal.

3/ Someone used a CC which is not their own. The operator is
technically the one which made the fraudulent transaction.

The employees of the local authority need to get their union involved.

John Wilson
