<
 
 
 
 
×
>
Vous consultez une page Web conservée, recueillie par Bibliothèque et Archives Canada le 2006-11-30 à 20:46:33. Il se peut que les informations sur cette page Web soient obsolètes, et que les liens hypertextes externes, les formulaires web, les boîtes de recherche et les éléments technologiques dynamiques ne fonctionnent pas. Voir toutes les versions de cette page conservée.
Chargement des informations sur les médias

You are viewing a preserved web page, collected by Library and Archives Canada on 2006-11-30 at 20:46:33. The information on this web page may be out of date and external links, forms, search boxes and dynamic technology elements may not function. See all versions of this preserved page.
Loading media information
X
 

Canada Flag

Treasury Board of Canada Secretariat - Government of Canada

Policy on Acquisition Cards-Internet Transactions,


 

DATE:

April 9, 2001

 

TO:

Senior Financial Officers (SFOs) and
Senior Full Time Financial Officers (SFFOs)

 

SUBJECT:

Policy on Acquisition Cards-Internet transactions

Introduction:

The subject policy has been revised to remove the previous restriction concerning the use of acquisition cards to make purchases on the Internet.

The previous policy stipulated that credit card (account) numbers could not be transmitted on the Internet. This was based on the fact that the Internet was not considered sufficiently secure to allow the transmission of the card number and other information required by merchants.

Liability:

The banks (National Bank (MasterCard) and Citibank (Visa)) have confirmed that the government and cardholder liability for Internet related transactions would be identical to the liability associated with regular type transactions. The details pertaining to risks are provided in the policy under Appendix A - Guidelines of the policy and include the following:

You are also reminded that any disputed items are to be reported to the card issuer and are to be handled as per the procedures described in the policy.

In addition, the appropriate internal control procedures described in the Acquisition Cards Program - Management Guide should be followed closely for these transactions. Any unidentified transactions or activities should be reported to the card issuer as soon as possible after being discovered.

Security issues:

Although this restriction is now removed, we encourage departments and agencies to be prudent in using this facility. We recommend that only those transactions with "reputable" companies and over "secure" sites be authorized. The transaction limit must be within the levels of procurement authority delegated to departments; however, some departments have restricted the transaction limit on some or all cards to a lower limit to suit their specific requirements.

It is difficult to properly define "reputable" companies in order to ensure the maximum possible security for these transactions. In general terms, we mean companies that have been established for some time and that are known to your organisation. Additional security instructions are provided in the annex to this notice.

Finally, it is also recommended that you consult with your Departmental Security Officers (DSOs) and informatics experts in order to determine if any other security measures may be required for your particular organisation. We also invite you to distribute this document to all personnel involved in procurement activities within your department or agency.

Should you have any questions concerning this policy please contact me or Robert Berniquez at (613) 957-9672.

Rod Monette

Assistant Secretary and
Assistant Comptroller General


Annex

You must adopt the following practices to maximize the transaction security:

1. Do not transmit your credit-card number unless the "locked padlock" icon appears on your browser.

a) You should only purchase goods and services over an internet connection that relies on security protections such as Secure Socket Layer (SSL). When SSL is activated, a "locked padlock" icon appears on your browser. SSL connections encrypt the information moving between your browser and the merchant's electronic commerce system, which ensures that your personal and credit card information is shielded from prying eyes.

b) When using a secure connection (SSL), the Web site address usually will have "https" in the address instead of the usual "http." An icon of a "locked padlock" will appear in the border of your browser window, indicating that your connection is secure. You can click the "locked padlock" to verify the identity of the site to which you are connected. For example, Internet Explorer and Netscape Communicator have built-in support for SSL and other security features. When you use these features, you're well positioned to perform secure electronic transactions.

2. You should also be aware of the "Pagejacking" or "Spoofing" phenomena. This illegal activity consists of replicating an existing web site to mislead visitors. It consists of stealing the contents of a Web site by copying some of its pages, putting them on a site that appears to be the legitimate site. People are then invited to the illegal site by deceptive means. Companies of any size can fall prey to these relatively easy attacks.

Users who enter Web page addresses (known as Uniform Resource Locator) directly on their Web browser address line, by selecting it from a bookmark, or by clicking on a properly coded link on another site will not be subject to pagejacking. The problem most typically occurs when clicking site descriptions that result from searches at major search engine sites. It is therefore essential that users verify the results of the address observed in 1b) above, with the actual address of the desired merchant's site.

3. As mentioned above, it is important to know with whom you are dealing. Some key features such as an email address, postal address (not a PO Box) and telephone number will facilitate your communications with suppliers should you need to do so. You should also look for details such as a "Quality Seal" that will describe how the company will protect customer privacy, how well they disclose sales terms, the warranty of the products being purchased, the exchange and/or reimbursement policies and how they handle customer complaints.

4. You should consider printing or saving the on-line order forms for future reference. These on-line order forms, once filled in, can be time-sensitive i.e. they are not kept on screen very long and therefore should be printed or saved when on screen if the information is required for future reference.

Date Modified: 2001-04-09
Government of Canada