Accepting Credit Cards without SSL

Bad idea, but is it legal?

         

dataguy

2:31 am on Nov 23, 2004 (gmt 0)




I have a friend that says that he wants to make it as easy as can be for people to make purchases from his web site. He's got 2 payment gateways for accepting credit cards, and he accepts PayPal.

He also has a page for people to enter their credit card info and when the user hits submit, the cc info gets emailed to him for manual processing. The page that takes the info isn't secured (doesn't have SSL) and the email isn't encrypted.

I've been trying to scare the guy into removing this option; it would only take one instance of someone getting their credit card info stolen for it to cost him big. Something I'm wondering though, is it legal for him to take this kind of info over a non-secured page?

txbakers

4:25 am on Nov 23, 2004 (gmt 0)




As far as I know there is no regulation against taking credit card information without a secure site.

Anyone stupid enough to put their CC info on a non-secure site should be flogged.

For proper legal advice, consult an attorney.

whoisgregg

6:43 am on Nov 23, 2004 (gmt 0)




I don't know if there's a law against it; however, it may violate his merchant account contract. That means, when someone's card is stolen, he may get sued by more than just the customer. ;)

<edited for my own stupidity> :)

Essex_boy

7:26 am on Nov 23, 2004 (gmt 0)




I can't believe people enter their card details without it being secure DOH!

MatthewHSE

12:29 pm on Nov 23, 2004 (gmt 0)




I sure wouldn't submit CC info on a non-secure page, but I actually know some people who get scared off by the "Entering secure site" message, leave the site because of it, and therefore don't purchase. That's why I always include an explanatory paragraph, often in red letters, briefly explaining why the page needs to be secure.

encyclo

12:44 pm on Nov 23, 2004 (gmt 0)




It's not illegal to ask a customer to write out his credit card number, expiry date and PIN in 3-foot high numbers on a wall with the words "steal me". It's stupid, but not illegal.

However, the customer may be breaching the terms and conditions of use with his card company, where there is a requirement that the user takes due care in protecting the card information. In this manner, your friend's customers are exposed not only to the possibility that their card details are stolen, but also that they would not be refunded by their card company if it happened. And who would the customers blame if that occurred? And who would they sue for negligence?

dataguy

1:08 pm on Nov 23, 2004 (gmt 0)




All good points, thanks for your input. I should mention that the guy did $1 million in sales last year, and I'm sure his company will top that this year. Maybe no one uses the unsecured page and that's why he doesn't get complaints. It just seems really bizarre to me....

dcrombie

1:42 pm on Nov 23, 2004 (gmt 0)



Even through an unsecured site there's a lot of work to be done for someone to intercept CC (or any other) details. Obviously it's better to use HTTPS but for a small site it's sometimes not an option - at least until they start making sales.

topr8

2:10 pm on Nov 23, 2004 (gmt 0)




>>>Obviously it's better to use HTTPS but for a small site it's sometimes not an option - at least until they start making sales.

Would you play a game of soccer with a ball - or not bother with it until you start scoring a few goals?

Most shared hosts will offer free shared SSL as part of the deal so expense is not really a factor. If you are dedicated then the extra expense is nominal.

Using SSL for credit card transactions is the de facto standard, go against accepted practice at your peril.

dcrombie

2:25 pm on Nov 23, 2004 (gmt 0)



Your biggest danger when submitting CC details on the web is not with the transmission but with the person/company handling them.

Why would anyone bother intercepting HTTP packets in the hope of picking up the occasional CC number when there are entire databases of them online ready to be hacked with little or no extra effort?! Heck, you can even Google for credit card details these days.

You probably take more serious risks each day just going to/from work ;)