Card transactions by proxy

Charles Lindsey chl at
Thu Mar 31 11:31:02 BST 2011

On Wed, 30 Mar 2011 22:02:59 +0100, Roland Perry  
<lists at> wrote:

> At the most fundamental level what's happening here is that a  
> "Cardholder not Present" transaction is being conducted with the  
> cardholder present. That's against the rules.

But is sometimes necessary. At a merchant I use from time to time, his  
terminal routinely does not like my card. So he (with my agreement) gets  
around it by performing a "cardholder not present" transaction. The only  
real difference is that he needs to see and use the security code on the  
back of the card. But any merchant who takes your card and inserts it into  
his normal "cardholder present" terminal can easily glance at the back of  
the card and memorize it.

I think in the case under discussion, the agent should say "we cannot  
proces your card directly here, but we have a PC that you can use yourself  
to make a 'not present' transaction". Then, if the cardholder is not  
happy/familiar with web transactions, the agent can offer to assist. The  
essential factor is that the PC screen should be turned during the  
activity so that the customer can observe what is being done.

In the case of verified by Visa transactions, the customer is presumably  
already familiar with the process (having previously set up a  
PIN/password) so he should be able to do that part himself (and the agent  
should turn the screen and give him access to the keyboard at least for  
the PIN/password stage). Indeed, the agent should ideally not even see the  
"helpful phrase" displayed by Visa to remind the customer of which  
password he is supposed to use.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
Email: chl at      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

More information about the ukcrypto mailing list