DATE: April 9, 2001
TO: Senior Financial Officers (SFOs) and
Senior Full Time Financial Officers (SFFOs)
SUBJECT: Policy on Acquisition Cards-Internet transactions
Introduction:
The subject policy has been revised to remove the previous restriction concerning the use of acquisition cards to make purchases on the Internet.
The previous policy stipulated that credit card (account) numbers could not be transmitted on the Internet. This was based on the fact that the Internet was not considered sufficiently secure to allow the transmission of the card number and other information required by merchants.
Liability:
The banks (National Bank (MasterCard) and Citibank (Visa)) have confirmed that the government and cardholder liability for Internet related transactions would be identical to the liability associated with regular type transactions. The details pertaining to risks are provided in the policy under Appendix A - Guidelines of the policy and include the following:
You are also reminded that any disputed items are to be reported to the card issuer and are to be handled as per the procedures described in the policy.
In addition, the appropriate internal control procedures described in the Acquisition Cards Program - Management Guide should be followed closely for these transactions. Any unidentified transactions or activities should be reported to the card issuer as soon as possible after being discovered.
Security issues:
Although this restriction is now removed, we encourage departments and agencies to be prudent in using this facility. We recommend that only those transactions with "reputable" companies and over "secure" sites be authorized. The transaction limit must be within the levels of procurement authority delegated to departments; however, some departments have restricted the transaction limit on some or all cards to a lower limit to suit their specific requirements.
It is difficult to properly define "reputable" companies in order to ensure the maximum possible security for these transactions. In general terms, we mean companies that have been established for some time and that are known to your organisation. Additional security instructions are provided in the annex to this notice.
Finally, it is also recommended that you consult with your Departmental Security Officers (DSOs) and informatics experts in order to determine if any other security measures may be required for your particular organisation. We also invite you to distribute this document to all personnel involved in procurement activities within your department or agency.
Should you have any questions concerning this policy please contact me or Robert Berniquez at (613) 957-9672.
Rod Monette
Assistant Secretary and
Assistant Comptroller General
You must adopt the following practices to maximize the transaction security: