Well it's certainly legal (in the US).

But it's definitely not PCI-compliant.

Two different animals.

ETA: and could also be a breach of TOS if they are using an offline card-present terminal to run card-not-present transactions on a routine systematic basis.

It is illegal in France ..and AFAIK in the UK and Eire .

And IMO ..A really dumb idea ..

Thanks to both of you for extremely interesting answers.

"PCI compliant" is a new term to me and after just a minimum of Googling I see its not only importance but indispensibilty. It governs all when it comes to cc transacions! Though I have read through info on what looks like the "official" site, I can't figure out how to prove that what these folks are doing is _not_ PCI compliant?

and could also be a breach of TOS if they are using an offline card-present terminal to run card-not-present transactions on a routine systematic basis.

Very good point also, but mustn't pretty much all merchants who take cc card over the phone be doing this?

It is illegal in France ..and AFAIK in the UK and Eire

A large percentage of the merchants i'm working with are in just those countries. Do you know where I could find legal resources to prove they're illegal?

AS it being a really dumb idea, I have already told them that though in perhaps in slightly more diplomatic terms ;) and in any case have categorically refused to do it. Total stupidity. As a hacker, all I need to do is break into the database and then star sniffing the (non-secure) emails that are going out. Problem is, some of them tell us, "our current system has been doing that for years, and it works fine" ... That's always an argument that's tough to beat even if their current system is crap!

France you can start with the CNIL [cnil.fr] ..( the french side of the site goes into more details and is usually more "up to date" ) ..then progress onwards through the various laws relating to Banks and finance..


Best place for those is La Banque de France [banque-france.fr]( French merchants must also be registered with them via their own bank for what is called "vente à distance" ..) failure to have the authorisation number is a criminal offence .

For the UK .."the data protection act".."the banking and finances act" ..probably the treasury website [hm-treasury.gov.uk]..and the search string "uk credit card regulations" put into your favourite SE will get you started on "distance selling regulations"

And "Eire credit card regulations" will get you started there too :)

The subject is too complex to give you exact pointers to the specific legislation ..but in all cases you personally would be as liable as any of your customers to civil and or criminal prosecutions if what they do went TU

rachel123 and Leosghost, thanks again so much for your answers.

Leosghost, thanks for the links and the terminology to search for as well as the links. As you say, the legwork is up t me.

One thing is certain. We will NOT do this. Despite the attractiveness of the project as a whole, we will not on this liability and I will make it clear to them, that that ePCI compliant-part could well mean we'd pass on the liability to them directly. The levele of fines mentioned there are eloquent.