<br><br><div class="gmail_quote">On 3 April 2011 07:29, Peter Tomlinson <span dir="ltr"><<a href="mailto:pwt@iosis.co.uk">pwt@iosis.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On 02/04/2011 20:58, Florian Weimer wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Mark Cottle:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I've been asked for my thoughts on what seems to be a slightly odd<br>
proposal for card transactions. I wonder if anyone here can put me<br>
straight on the legal and technical positions.<br>
</blockquote>
Is this about credit cards?<br>
<br>
It is my understanding that a very similar thing happens when you do<br>
some business transaction over the phone (like booking a hotel). The<br>
call center agent typically enters your credit card details into a web<br>
application on your behalf.<br>
</blockquote></div></div>
But surely that is a 'cardholder not present' transaction - and they must not ask you for the 3 digit CVV number off the back of the card.<br><font color="#888888">
<br></font></blockquote><div>Here is an example of a major bank that <i>does</i> expect the customer to provide the CVV. They call it a card security code, but it is clear from the description that it is the same.</div><div>
<a href="http://www.lloydstsbcardnet.com/merchant_account/card_not_present.asp">http://www.lloydstsbcardnet.com/merchant_account/card_not_present.asp</a> </div><div><br></div><div>Usual practice is that merchants may request the CVV but are not permitted to record it - they forward the value within an encrypted transaction then destroy it.</div>
<div><br></div><div>Mark</div></div>