Rescinded [2009-10-01] - Acquisition Cards - Internet Transactions (Notice)
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Notice
DATE: April 9, 2001
TO: Senior Financial Officers (SFOs) and
Senior Full Time Financial Officers (SFFOs)
SUBJECT: Policy on Acquisition Cards-Internet transactions
Introduction:
The subject policy has been revised to remove the previous restriction concerning the use of acquisition cards to make purchases on the Internet.
The previous policy stipulated that credit card (account) numbers could not be transmitted on the Internet. This was based on the fact that the Internet was not considered sufficiently secure to allow the transmission of the card number and other information required by merchants.
Liability:
The banks (National Bank (MasterCard) and Citibank (Visa)) have confirmed that the government and cardholder liability for Internet related transactions would be identical to the liability associated with regular type transactions. The details pertaining to risks are provided in the policy under Appendix A - Guidelines of the policy and include the following:
- The card-issuing company will not, under any circumstances, hold the cardholder liable for fraudulent Internet transactions.
- Personal employee information, including home address and telephone number, will not be provided to the contractor under any circumstances.
- The maximum government liability for unauthorized use of the card is limited to $50.
- Unauthorized use refers to cases that do not benefit the government and are initiated by someone other than the cardholder.
- The government is not responsible for any purchases made with lost or stolen cards after the card issuer has received notification of loss, theft or cancellation of the card.
- Interest will only be paid to the credit card company if the government is responsible for late payment to the card issuer.
You are also reminded that any disputed items are to be reported to the card issuer and are to be handled as per the procedures described in the policy.
In addition, the appropriate internal control procedures described in the Acquisition Cards Program - Management Guide should be followed closely for these transactions. Any unidentified transactions or activities should be reported to the card issuer as soon as possible after being discovered.
Security issues:
Although this restriction is now removed, we encourage departments and agencies to be prudent in using this facility. We recommend that only those transactions with "reputable" companies and over "secure" sites be authorized. The transaction limit must be within the levels of procurement authority delegated to departments; however, some departments have restricted the transaction limit on some or all cards to a lower limit to suit their specific requirements.
It is difficult to properly define "reputable" companies in order to ensure the maximum possible security for these transactions. In general terms, we mean companies that have been established for some time and that are known to your organisation. Additional security instructions are provided in the annex to this notice.
Finally, it is also recommended that you consult with your Departmental Security Officers (DSOs) and informatics experts in order to determine if any other security measures may be required for your particular organisation. We also invite you to distribute this document to all personnel involved in procurement activities within your department or agency.
Should you have any questions concerning this policy please contact me or Robert Berniquez at (613) 957-9672.
Rod Monette
Assistant Secretary and
Assistant Comptroller General
Annex
You must adopt the following practices to maximize the transaction security:
- Do not transmit your credit-card number unless the "locked padlock" icon appears on your browser.
- You should only purchase goods and services over an internet connection that relies on security protections such as Secure Socket Layer (SSL). When SSL is activated, a "locked padlock" icon appears on your browser. SSL connections encrypt the information moving between your browser and the merchant's electronic commerce system, which ensures that your personal and credit card information is shielded from prying eyes.
- When using a secure connection (SSL), the Web site address usually will have "https" in the address instead of the usual "http." An icon of a "locked padlock" will appear in the border of your browser window, indicating that your connection is secure. You can click the "locked padlock" to verify the identity of the site to which you are connected. For example, Internet Explorer and Netscape Communicator have built-in support for SSL and other security features. When you use these features, you're well positioned to perform secure electronic transactions.
- You should also be aware of the "Pagejacking" or "Spoofing" phenomena. This illegal activity consists of replicating an existing web site to mislead
visitors. It consists of stealing the contents of a Web site by copying some of its pages, putting them on a site that appears to be the legitimate site.
People are then invited to the illegal site by deceptive means. Companies of any size can fall prey to these relatively easy attacks.
Users who enter Web page addresses (known as Uniform Resource Locator) directly on their Web browser address line, by selecting it from a bookmark, or by clicking on a properly coded link on another site will not be subject to pagejacking. The problem most typically occurs when clicking site descriptions that result from searches at major search engine sites. It is therefore essential that users verify the results of the address observed in 1b) above, with the actual address of the desired merchant's site. - As mentioned above, it is important to know with whom you are dealing. Some key features such as an email address, postal address (not a PO Box) and telephone number will facilitate your communications with suppliers should you need to do so. You should also look for details such as a "Quality Seal" that will describe how the company will protect customer privacy, how well they disclose sales terms, the warranty of the products being purchased, the exchange and/or reimbursement policies and how they handle customer complaints.
- You should consider printing or saving the on-line order forms for future reference. These on-line order forms, once filled in, can be time-sensitive i.e. they are not kept on screen very long and therefore should be printed or saved when on screen if the information is required for future reference.