Card transactions by proxy

Ian Batten igb at
Thu Mar 31 09:56:24 BST 2011

>  If a "Verified by Visa"
> box or similar pops up then the staff member cannot complete the
> transaction because they do not (or should not) know the relevant
> password. 

As these are users who either do not use the Internet or do not feel comfortable doing online transactions, then they would not be registered for Verified By Visa (etc) anyway, so as soon as that popped up they'd be stopped from proceeding.

But for a council to harvest CV2 values from customers who will, pretty much by definition, be less astute about online security is an accident waiting to happen.  It's hard to see how this isn't an attempted end-run around PICS compliance and the purchase of secure terminals.  And as it will be processed as a Card Not Present transaction, the fraud liability falls straight onto the council.

More important, as others have pointed out, it's a clear-cut violation of the Ts and Cs for the customer: in the case of LTSB, "11.1	You must: ... not let anyone else use your Card, Cheques or Security Details;"  For a local authority to solicit and encourage the breach of credit card terms and conditions is obviously the sort of things a bank would take a dim view of.

To be blunt, that the council didn't immediately phone up their bank and say "would this be OK", but is instead consulting and canvassing opinion, says they know it's hooky and they know their bank would say no.  Which is a good reason not to do it, I'd say.


More information about the ukcrypto mailing list