Card transactions by proxy
Mark Cottle
ukcrypto at airburst.co.uk
Wed Mar 30 14:33:40 BST 2011

I've been asked for my thoughts on what seems to be a slightly odd
proposal for card transactions. I wonder if anyone here can put me
straight on the legal and technical positions.

A local authority is proposing to close down a number of points that
provide a general counter-service (for miscellaneous enquiries, rent
payments, parking permits, bin bags and so on) and to transfer some
of the functions to other facilities. At present these other
facilities handle only small cash transactions and do not take card
payments. In order to facilitate card payments it is proposed that
staff will use existing desktop PCs to access existing public online
payment facilities. They are supposed to take the card and enter the
relevant information (card number, holder's name, expiry date, CSC
etc) into the web interface - in effect, they carry out the standard
web-based transaction for the customer. I think they are hoping most
people will simply use the website option from home and the counter
service will be mainly for those who don't have internet access or
who aren't confident with web transactions. The proposers believe
that, as the new arrangements are only supposed to deal with a
limited range of transactions, which already have online versions,
the authority can avoid having to put chip-n-PIN equipment at the
locations concerned (thus avoiding associated costs).

I'm uncomfortable with this suggestion but feel I need more
information before coming to a judgement. My concerns are twofold:
practical and legal. From the practical perspective I can see at
least one problem in the form of 3-D Secure. If a "Verified by Visa"
box or similar pops up then the staff member cannot complete the
transaction because they do not (or should not) know the relevant
password. And I hope those involved can see it would be obviously
wrong to require staff to ask customers for such a password. I wonder
if there are additional problems that fall in the legal or policy
domains. I naively assume online card transactions are built upon the
assumption that the card holder is the one entering the data. What is
the legal position of a person (in this case a local authority staff
member) carrying out a card transaction for another person who is the
card holder? Is the customer breaching T&Cs? Who is liable for what
if there is an error?

Mark C