Welcome to WebmasterWorld Guest from 22.214.171.124
Forum Moderators: LifeinAsia
However In THIS thread I really want to hear if anyone knows about laws relating to websites and credit card info (especially in the UK).
(I'm not asking about ways of handling credit card info - there are other threads for that)
Does anyone know what is legal and what is not when it comes to building sites that handle creadit card numbers?
Does anyone know of an online resouce about such laws?
e.g. Suppose hackers committed credit card fraud by getting info from a site that you created, who is liable?
- The Website Designer?
- The Website Owner?
- Any one else?
secure connection = SSL
Often transactions take place via a Payment Gatway (in this case a problem would probably be their liability).
But there are times when CC numbers are stored or sent to the site owner (because they do the transaction manually). I have been looking into ways to email CC numbers e.g. encryption by PGP or GPG etc. Whilst the ways of sending CC numbers is a whole discussion area -
- are there laws about how CC numbers should be handled, (not the SSL part) but relating to email or storing on a database etc?
I am not a lawyer so any advice offered here is "amateur" advice.
Apart from what's already covered there is the issue of data protection. You need to be registered with the data protection registrar to hold, handle or store any customers' card or other details. There is the matter of a credit licence (office of fair trading) - some argue that it's not necessary but if you check with the OFT they advise that you have a credit licence if you are accepting cards (even if you don't sell on credit).
With respect the security of the data transmission itself I don't believe that there are any laws on how CC numbers should be handled. It's one of those things in British law that isn't clearly defined. I remember discussing this with our merchant service providers in some detail and you'll be surprised at how lax an arrangement will be acceptable to them. I believe that there is no law preventing you from sending credit card details via normal UNSECURE email channels. I'd be happy if someone proves me wrong.
You may want to discuss this in writing with your business insurers to see what THEY are happy with.
...I don't believe that there are any laws on how CC numbers should be handled
I have begun to get this impression too. I just seems strange that their would be no such laws. Anyone out there aware of any such laws?
You need to be registered with the data protection registrar to hold, handle or store any customers' card or other details... OFT advise that you have a credit licence if you are accepting cards (even if you don't sell on credit).
Hmmm, but the website designer (me) isn't transacting, its the website owner (my client). So should the website owner be registered with the data protection registrar / have a credit licence? - or should I?
By the way: I understand any views here are just that - views, opinions etc for discussion.
Hmmm, but the website designer (me) isn't transacting, its the website owner (my client). So should the website owner be registered with the data protection registrar / have a credit licence? - or should I
Both of you need DPR regn. I wouldn't have thought you'd need the OFT licence though.
You have the owner's name, address and phone number, right? And he's your customer, right? Doesn't matter if he's your only customer - you have his details on record. Get registered with DPR and welcome to the start of the red tape!
But you can transmit credit card numbers without any security.
This world don't make no sense.
1.) Someone at the Law society told me that this is probably covered in the data protection laws.
2.) The Information Commissioner provide info on data protection.
3.) I found some great info but its one of those framed sites (with session IDs) so I can't provide a link (not very smart of them). Anyway, go to www.informationcommissioner.gov.uk > Guidence and Other publications, > Compliance Advice > FAQ's - Web (Jul 01) > faqsweb.pdf
12 WE COLLECT PERSONAL INFORMATION THROUGH OUR WEBSITE. DO WE HAVE TO
USE AN ENCRYPTION BASED TRANSMISSION SYSTEM?
A website operator is responsible for the security of its processing of personal data. It must adopt appropriate technical and organisational measures to protect the personal data. The processing of personal data includes its obtaining. A website operator is therefore required to obtain personal data in a way that is sufficiently secure. It is hard to see how this can be done without the use of a secure, encryption-based transmission system if the personal data are in any way sensitive or otherwise pose a risk to individuals, for example because they
include credit card numbers.
Website operators should be aware that whilst the use of a secure, encryption-based transmission system will protect personal data whilst in transit, there is a potentially greater threat to the security of personal data once the data have been decrypted and they are held in unencrypted form on a website operatorís server. Personal data that are in any way sensitive or otherwise pose a risk to individuals should not be held on a website server or,
if they are, should be properly secured by encryption or similar techniques.
13 IF WE USE ANOTHER COMPANY TO HOST OUR WEBSITE WHO IS RESPONSIBLE FOR
Responsibility for compliance with the Data Protection Act 1998 rests with the data controller, that is the person who determines the purposes for which and the manner in which the personal data are or are to be processed. This is likely to be the website operator rather than the host. A data controller does not have to own the equipment on which the processing actually takes place. A website operator that uses a separate processor, i.e. a person who processes personal data on the operatorís behalf, must have a written contract with the processor under which the processor is required to act only on instructions from the website operator and to have in place appropriate technical and organisational security measures.
All still very vague. Stuff like
"appropriate technical and organisational measures to protect the personal data"
"appropriate technical and organisational security measures"
" It is hard to see how this can be done without the use of a secure, encryption-based transmission system"
This all suggests it was drafted by someone not completely uptodate with security issues. "encryption-based" tranmission system could include an encryption system I've designed myself which is so insecure it can be broken by a half wit ten year old.
data that are in any way sensitive or otherwise pose a risk to individuals
That includes a phone number for crying out loud!
The more vague they make it the more at risk genuine businesses are as there are no defined guidelines, as in do x, y and z and you are considered clear.
But well done on finding that Kapow
re: "Does anyone know what is legal and what is not when it comes to building sites that handle creadit card numbers?"
While not specific only to the website and credit card situation these regulations are closely related and you probably need to be aware of them:
1 The Consumer Protection (Cancellation of Contracts Concluded away from Business Premises) Regulations 1987 and since amended
2. The Consumer Protection (Distance Selling) Regulations 2000 which can be seen online at [hmso.gov.uk...]
the above includes significant elements of European Union Directives taken into UK law where the choice was I am advised made to apply them in many / most cases to B2C operations more than to B2B .. for which (B2B) there are many exemptions if you read the text in detail and take appropriate legal advice.
I dont know where in the UK you are but there are all sorts of DTI and other business clubs including online business clubs .. run for our / your benefit ..
I recently was able to get very valuable free legal advice from a lawyer specialising in online ecommerce and the like areas which helped me greatly to change the policy of one payment gateway provider as regards the terms they were demanding one of my clients operate their online transactions under.
I recommend you get professional advice and try these clubs to get the low cost (as I say often free :-) versions of that first. Comments here are only comments .. 1. no one knows your exact situation, 2. I am no lawyer etc etc
The above UK version of distance selling was included into UK legislation from an earlier the EU Directive which enshrined the right of a consumer to back out of a contract during a cooling off period in the Distance Selling Directive .... some details of the EU legalese at:
You might want to look though the dti references on these issues .. could start here
Distance Selling & E-Commerce
The Electronic Commerce Directive (00/31/EC)
basically if you want contracts under UK law you need to state so in your terms & conditions - get them professionally written .. or they may not be worth the words that make them up :-)
Hope that helps .. there are some specific credit card regulations .. a google should find them ..
I think they may apply more to the CC companies operations themselves but you may well find that the CC companies and online payment gateways try to push many of their legal requirements down onto you as their clients in order to reduce their own liabilities.
Chargebacks and the no fault no question return for a full refund being one area in particular that I have seen being demanded to be included in my clients terms and conditions while it was not a legal requirement for my client in his specific circumstances to operate to these terms.
The UK Data protection act does apply "to data" :-) however unlike the commenters above I think its well worded because it may stand the test of time .. what was good 5 years ago may not be today / in 4 years time etc ... the problems you will have if your customers credit card details are lost / allowed to be stolen .. the law will be only one of your worries I would think .... I would research best practice if I were you ...
Anyhow .. hope that bit of detail helps you in your search ... sticky me more detail if you wish ... I may be able to dig out some suitable advice / clubs etc if I know what area and business sector you are talking about.