DATE: April 9, 2001
TO: Senior Financial Officers (SFOs) and Senior Full Time Financial Officers (SFFOs)
SUBJECT: Policy on Acquisition Cards - Internet transactions
Introduction:
The subject policy has been revised to remove the previous restriction
concerning the use of acquisition cards to make purchases on the Internet.
The previous policy stipulated that credit card (account) numbers could not
be transmitted on the Internet. This was based on the fact that the Internet was
not considered sufficiently secure to allow the transmission of the card number
and other information required by merchants.
Liability:
The banks (National Bank (MasterCard) and Citibank (Visa)) have confirmed
that government and cardholder liability for Internet transactions is
identical to the liability for conventional (non-Internet) transactions. The
risks are detailed in Appendix A - Guidelines of the policy and include the
following:
- The card-issuing company will not, under any circumstances, hold the
cardholder liable for fraudulent Internet transactions.
- Personal employee information, including home address and telephone
number, will not be provided to the contractor under any circumstances.
- The maximum government liability for unauthorized use of the card is
limited to $50.
- Unauthorized use refers to cases that do not benefit the government and
are initiated by someone other than the cardholder.
- The government is not responsible for any purchases made with lost or
stolen cards after the card issuer has received notification of
loss, theft or cancellation of the card.
- Interest will only be paid to the credit card company if the government is
responsible for late payment to the card issuer.
You are also reminded that any disputed items are to be reported to the card
issuer and are to be handled as per the procedures described in the policy.
In addition, the appropriate internal control procedures described in the
Acquisition Cards Program - Management Guide should be followed closely for
these transactions. Any unidentified transactions or activities should be
reported to the card issuer as soon as possible after being discovered.
Security issues:
Although this restriction is now removed, we encourage departments and
agencies to be prudent in using this facility. We recommend that only those
transactions with "reputable" companies and over "secure"
sites be authorized. The transaction limit must be within the levels of
procurement authority delegated to departments; however, some departments have
restricted the transaction limit on some or all cards to a lower limit to suit
their specific requirements.
It is difficult to properly define "reputable" companies in order
to ensure the maximum possible security for these transactions. In general
terms, we mean companies that have been established for some time and that are
known to your organisation. Additional security instructions are provided in the
annex to this notice.
Finally, it is also recommended that you consult with your Departmental
Security Officers (DSOs) and informatics experts in order to determine if any
other security measures may be required for your particular organisation. We
also invite you to distribute this document to all personnel involved in
procurement activities within your department or agency.
Should you have any questions concerning this policy please contact me or
Robert Berniquez at (613) 957-9672.
Rod Monette
Assistant Secretary and
Assistant Comptroller General
Annex
You must adopt the following practices to maximize the transaction security:
1. Do not transmit your credit-card number unless the "locked
padlock" icon appears on your browser.
a) You should only purchase goods and services over an Internet connection
that is protected by Secure Sockets Layer (SSL) or a comparable protocol. SSL
encrypts the information moving between your browser and the merchant's
electronic commerce system, so that your personal and credit card information
cannot be read by anyone eavesdropping on the connection. Note that encryption
protects the data in transit only; it does not by itself tell you that the
company at the other end is the one you intend to deal with, which is why
items 2 and 3 below also matter.
b) When a secure connection (SSL) is in use, the Web site address will begin
with "https" instead of the usual "http", and the "locked padlock" icon will
appear in the border of your browser window. You can click the "locked
padlock" to view the site's certificate and verify the identity of the site to
which you are connected. Internet Explorer and Netscape Communicator both have
built-in support for SSL and for these checks.
2. You should also be aware of "pagejacking" or "spoofing". This illegal
activity consists of copying some or all of the pages of an existing Web site
and putting them on a second site made to look like the legitimate one; people
are then lured to the illegal site by deceptive means. Companies of any size
can fall prey to these relatively easy attacks.
Users who reach a site by typing its address (Uniform Resource Locator, or
URL) directly into the browser address line, by selecting it from a bookmark,
or by clicking a link on another site that genuinely points at the merchant's
address are not subject to pagejacking. The problem most typically occurs when
clicking site descriptions that result from searches at major search engine
sites. It is therefore essential to compare the address observed in 1b) above
with the actual address of the desired merchant's site before entering any
card information.
3. As mentioned above, it is important to know with whom you are dealing.
Some key features such as an email address, postal address (not a PO Box) and
telephone number will facilitate your communications with suppliers should you
need to do so. You should also look for details such as a "Quality
Seal" that will describe how the company will protect customer privacy, how
well they disclose sales terms, the warranty of the products being purchased,
the exchange and/or reimbursement policies and how they handle customer
complaints.
4. You should consider printing or saving the completed on-line order form for
future reference. Such forms are often time-sensitive: they are not kept on
screen for long, so print or save them while they are displayed if the
information will be needed later.
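The address check described in 1b) and 2) above can be made mechanical. The following is an added example, not part of the original notice or of any departmental tool: it takes the address shown in the browser bar and the merchant's known host name (the merchant name, sample addresses and function names are all constructed for illustration) and rejects the cases the annex warns about: a plain "http" address, a look-alike name that merely starts with the merchant's name, a "user@host" prefix that displays the merchant's name while connecting elsewhere, and non-ASCII or punycode labels that cannot be verified by eye.

```python
"""Check that a checkout address really points at the merchant you intend to pay.

Added example (not from the original notice): it mechanises step 1b and
step 2 of the annex, i.e. confirm "https" and confirm the address belongs
to the merchant rather than to a look-alike (pagejacked) site.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: the merchant we intend to buy from (hypothetical name).
EXPECTED_MERCHANT = "shop.merchant.example"


@dataclass
class UrlCheck:
    url: str
    ok: bool
    problems: list = field(default_factory=list)


def _normalise_host(host: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the same name.
    return host.lower().rstrip(".")


def check_merchant_url(url: str, expected_host: str = EXPECTED_MERCHANT) -> UrlCheck:
    """Return a UrlCheck; ok is True only when every test passes."""
    problems = []
    parts = urlsplit(url.strip())

    # Step 1b of the annex: the address must start with "https", not "http".
    if parts.scheme.lower() != "https":
        problems.append(f"scheme is {parts.scheme or '(none)'!r}, not https")

    # A user:password@ prefix lets "https://shop.merchant.example@evil.example/"
    # display the merchant's name while the browser connects to evil.example.
    if parts.username is not None or parts.password is not None:
        problems.append("address contains user-info before the real host name")

    host = _normalise_host(parts.hostname or "")
    expected = _normalise_host(expected_host)
    if not host:
        problems.append("no host name in address")
    else:
        # Non-ASCII or punycode (xn--) labels can be drawn to look identical to
        # the merchant's letters; treat them as unverifiable by eye.
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            problems.append("host uses internationalised labels that may mimic the merchant")
        # Accept the exact name or a genuine sub-domain of it. Note that
        # "shop.merchant.example.evil.example" only *starts* with the name.
        if host != expected and not host.endswith("." + expected):
            problems.append(f"host {host!r} is not {expected!r} or a sub-domain of it")

    return UrlCheck(url=url, ok=not problems, problems=problems)


# Constructed sample addresses of the kinds step 2 warns about.
SAMPLE_URLS = [
    "https://shop.merchant.example/checkout",               # genuine
    "http://shop.merchant.example/checkout",                # no SSL
    "https://shop.merchant.example.evil.example/checkout",  # pagejacked copy
    "https://shop.merchant.example@evil.example/checkout",  # user-info trick
    "https://shop-merchant.example/checkout",               # look-alike name
]


def run_checks(urls=SAMPLE_URLS):
    """Check every sample address and return {url: UrlCheck}."""
    return {u: check_merchant_url(u) for u in urls}


if __name__ == "__main__":
    for url, result in run_checks().items():
        print(("OK  " if result.ok else "FAIL"), url)
        for p in result.problems:
            print("       -", p)
```

Only the first sample address passes; each of the others is reported with the specific reason, so a cardholder (or a proxy in front of the browser) can see why the address should not be trusted. The check says nothing about whether the merchant itself is reputable; that remains the judgement called for in item 3.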