DPA again!!


Russ
07-01-2004, 16:38
If I pay my NTL (or any other company) bill by debit or credit card each month, only the card is not in my name, if the company accepts the payment, are they breaking the law by not obtaining permission from the cardholder?

I know this sounds like one of those situations where they're acting illegally but I'd like to know if anyone knows the definitive answer.

Sociable
07-01-2004, 16:47
Can't see how this has any link to the DPA in any way, shape or form.

Any information held on their system about the cardholder has been provided by the cardholder for payment purposes only and is not being passed on to third parties for any reason AFAIK.

Or am I missing something in your post, i.e. what you see as a possible breach which is escaping me?

EDIT: Should the card be being used without authorisation then yes there is an offence being committed but not by NTL as far as I can see but again this would have no link to the DPA.

Russ
07-01-2004, 16:50
Any information held on their system about the cardholder has been provided by the cardholder for payment purposes only

But how do they know that? How do they not know the card is not stolen or I'm not using it without the cardholder's permission? I thought under the DPA all companies have to make certain security checks to ensure I have permission to use it?

Sociable
07-01-2004, 16:57
As I understand it they will have had to confirm with any caller that they are the card holder; you can't just give them card details for someone else and say "OK Charge it to Mr Hussain's card please".

Yes it is possible for people to give false information but as I said this, whilst being an offence, this would have nothing to do with the DPA.

Russ
07-01-2004, 17:34
As I understand it they will have had to confirm with any caller that they are the card holder; you can't just give them card details for someone else and say "OK Charge it to Mr Hussain's card please".

...which is exactly what I've been doing (with the cardholder's consent of course) and I want to know if by accepting payment this way they are breaking the law.

Yes it is possible for people to give false information but as I said this, whilst being an offence, this would have nothing to do with the DPA.

Ok, so shall we just discuss whether or not it's to do with the DPA or shall we go about trying to solve my possible legal issue?? :D

SMHarman
07-01-2004, 17:43
As Sociable has said there is no DPA issue. The fact that the card holder would need to be picked up in a subject access request is the only DPA issue I can think of.

If you give them the card details without the cardholder's consent then you are committing credit card fraud. NTL will be charged back if the cardholder complains and they would pursue the account holder who has the responsibility to pay the bill for an alternative payment method.

Simple really.

I don't know how NTL's card billing works, whether this is a continuous authority or alternate approval method, but the charge is equivalent to a mail order (Cardholder not Present) transaction, which always carries a greater risk of fraud or chargeback.

Sociable
07-01-2004, 17:44
AAHH see what you are after now. :)

OK Looks like they may have been at fault initially for not checking specifically that you were the cardholder. This could just be a simple misunderstanding in that they believed you were the cardholder.

No offence as such will have taken place as it would be possible to reverse the transaction if and when the cardholder challenges the payments on his card.

That would of course leave you being overdue on payment and also possibly liable for prosecution for misuse of the card should it be seen that you had in fact not had authorisation originally.

The situation changes somewhat with the passage of time as a failure to challenge that debit to the account can be seen by NTL as confirmation of the validity of the arrangement by the cardholder.

SMHarman
07-01-2004, 17:46
Though for a CNP transaction the chargeback can occur up to 12 months later.

Russ
07-01-2004, 17:48
(sigh....)

Ok, cheers both! But the cardholder has given me consent to use the card, this will never be disputed. I just want to know if the company has committed any offense by accepting the details without asking to speak to the cardholder or even asking me if I have their permission.

SMHarman
07-01-2004, 17:53
It's not best practice, but they have not committed an offence, just potentially exposed themselves to a greater risk of CNP transactions, but then they know where the service they are offering is so can come after you if the card is subsequently declined, compare say to an e-tailer who finds this has occurred, gets a chargeback but has shipped the goods.

Graham
07-01-2004, 17:54
I just want to know if the company has committed any offense by accepting the details without asking to speak to the cardholder or even asking me if I have their permission.

I don't see how. When I take a credit card in the course of my business (which is usually as a "cardholder not present" transaction) I have to take "reasonable precautions" as defined by the card processing service that it's a valid transaction, i.e. checking the address details match those of the registered card holder and, if possible, checking the CV2 "three security digits" on the back of the card.

I've not been advised by the card processors that I would be committing any sort of offence if I don't do this, only that I risk having the transaction charged back to me because it's not valid.

I suppose, theoretically, if I did it repeatedly I could be held complicit in credit card fraud or some such, but it's very unlikely.

Dooby
07-01-2004, 17:58
I am not 100% sure, but am 99.9% sure that the Data Protection Act states that information must be obtained fairly and with 'due diligence' or something like that. If they NEVER asked whether you were the card holder or whether you have the cardholder's permission then they would (imo) have failed that check. This of course assumes that it's covered by the DPA in the first place (and I would have thought it is).

One question though... whose name is the NTL account in? Is it the same as the card account?
If it is then it would be fair to assume you are the cardholder as you would have been asked who you were to verify the account etc, BUT if they are different then they should definitely have asked to speak to the cardholder, as it should have been obvious that the NTL account holder and the cardholder could not be the same person...

Russ
07-01-2004, 17:58
I don't see how. When I take a credit card in the course of my business (which is usually as a "cardholder not present" transaction) I have to take "reasonable precautions" as defined by the card processing service that it's a valid transaction, i.e. checking the address details match those of the registered card holder and, if possible, checking the CV2 "three security digits" on the back of the card.


But what about when they don't take ANY precautions other than to ask me what is written on the card?

Dooby
07-01-2004, 18:02
I think the issues are getting confused. As I understand it, you are asking if they have broken the law; the only law they *may* have broken is the DPA because they are collecting personal information about someone without checking for their consent (i.e. cc info). This has nothing to do with credit card fraud. They could just as easily be asking for the person's address and not checking who is actually giving them that information... (ok, maybe not address, but you get the idea)

Sociable
07-01-2004, 18:02
As I said it looks as it was a simple misunderstanding about who you were when you called but that said I can now see a potential involvement of the DPA :rofl:

OK here goes:

They can only discuss the account with the account holder so first have to establish you are the account holder.

Having established that you are the account holder, if you then go on to request to use someone else's card for payment, at that point, they should ask for your permission to talk about your account to the Cardholder.

With me so far. :)

Obviously it is possible for them to have thought they had done this and that they did in fact talk to both individuals although in this case I suspect they did not follow the exact process given above and so yes may have caused a technical breach of the DPA.

AFAIK it's all about acting reasonably in terms of confirming that confidentiality and security is being checked so "accidental" breaches like this would be unlikely to cause action being taken other than the credit company being able to claim a refund.

Marge
07-01-2004, 18:04
When taking a payment I always ask if the card is in the person's name I am speaking with otherwise I ask to speak to the card holder and then confirm it's ok to take the payment and the amount being debited :shrug:

Shaun
07-01-2004, 18:19
The poor old DPA seems to be everyone's whipping boy today!! A man at the Tesco.com helpline (David) told me today that he couldn't put any notes on my account with them about an ongoing complaint because "the data protection act prohibits me entering any comment on to your account". Yet another company that don't know what the DPA means :rolleyes:

On a more "on topic" matter, Russ to be honest I really wouldn't worry about the DPA, from my experience the Information Commissioner really couldn't give a monkey's toss if people or companies break it, they just sweep it under the carpet, ask Frank! :rolleyes: :(

Russ
07-01-2004, 18:29
The situation is I pay my bills with my father's credit card - there are reasons why I do it this way but I won't go in to them right now.

He always allows me to use it and I inform him each time I do in case the company wants to speak to him to get his permission etc.

But when I call and tell them I'll pay my bill and give them the details on the card, it's painfully obvious that it is not my name on it (my surname is different to my dad's) but they still take the card details without question.

Graham
07-01-2004, 18:31
When taking a payment I always ask if the card is in the person's name I am speaking with otherwise I ask to speak to the card holder and then confirm it's ok to take the payment and the amount being debited :shrug:

But how do you know that it's the *real* card holder you're speaking to?!

Sociable
07-01-2004, 18:36
As I said earlier Russ the problem is that the validity of the arrangement should have been confirmed first time it was used but after that, the fact it has been accepted as OK, will be seen as validating the later use of the card in the same way as well.

The reason for this is that in law custom and practice can be used as authority until such time as it is confirmed by the parties that it should no longer be the case. In effect you have an implied contract based on how you have each acted on previous transactions.

Marge
07-01-2004, 18:44
But how do you know that it's the *real* card holder you're speaking to?!

Well I go through security for the account first and then ask for the name on the card, if they don't match then ask for card holder but ultimately it's virtually impossible over the phone to prove that someone isn't who they say they are.

Takes me back to me surgery days, it was a golden rule that pregnancy test results were NOT given to any male be it husband/boyfriend etc. One chap rang in for his wife's result, sorry no can do. Two minutes later in the most ridiculous falsetto voice he rang again trying to pretend to be the missus :erm: now there was a job that was a minefield in the confidentiality stakes.