Card transactions by proxy
Charles Lindsey
chl at clerew.man.ac.uk
Thu Mar 31 11:31:02 BST 2011
On Wed, 30 Mar 2011 22:02:59 +0100, Roland Perry
<lists at internetpolicyagency.com> wrote:
> At the most fundamental level what's happening here is that a
> "Cardholder not Present" transaction is being conducted with the
> cardholder present. That's against the rules.
But is sometimes necessary. At a merchant I use from time to time, his
terminal routinely does not like my card. So he (with my agreement) gets
around it by performing a "cardholder not present" transaction. The only
real difference is that he needs to see and use the security code on the
back of the card. But any merchant who takes your card and inserts it into
his normal "cardholder present" terminal can easily glance at the back of
the card and memorize it.
I think in the case under discussion, the agent should say "we cannot
proces your card directly here, but we have a PC that you can use yourself
to make a 'not present' transaction". Then, if the cardholder is not
happy/familiar with web transactions, the agent can offer to assist. The
essential factor is that the PC screen should be turned during the
activity so that the customer can observe what is being done.
In the case of verified by Visa transactions, the customer is presumably
already familiar with the process (having previously set up a
PIN/password) so he should be able to do that part himself (and the agent
should turn the screen and give him access to the keyboard at least for
the PIN/password stage). Indeed, the agent should ideally not even see the
"helpful phrase" displayed by Visa to remind the customer of which
password he is supposed to use.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
More information about the ukcrypto
mailing list