Card transactions by proxy
Mark Lomas
ukcrypto at absent-minded.com
Sun Apr 3 08:35:57 BST 2011
On 3 April 2011 07:29, Peter Tomlinson <pwt at iosis.co.uk> wrote:
> On 02/04/2011 20:58, Florian Weimer wrote:
>
>> * Mark Cottle:
>>
>>> I've been asked for my thoughts on what seems to be a slightly odd
>>> proposal for card transactions. I wonder if anyone here can put me
>>> straight on the legal and technical positions.
>>>
>> Is this about credit cards?
>>
>> It is my understanding that a very similar thing happens when you do
>> some business transaction over the phone (like booking a hotel). The
>> call center agent typically enters your credit card details into a web
>> application on your behalf.
>>
> But surely that is a 'cardholder not present' transaction - and they must
> not ask you for the 3 digit CVV number off the back of the card.
>
> Here is an example of a major bank that *does* expect the customer to
provide the CVV. They call it a card security code, but it is clear from the
description that it is the same.
http://www.lloydstsbcardnet.com/merchant_account/card_not_present.asp
Usual practice is that merchants may request the CVV but are not permitted
to record it - they forward the value within an encrypted transaction then
destroy it.
Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20110403/abaac433/attachment.htm>
More information about the ukcrypto
mailing list