Someone asked me to pay a bill using docusign and entering my credit card information into one of those free text boxes. They couldn't understand why I refused to do it.
It doesn't really spell out, though, how they differentiate CC info and avoid storing it with the rest of the data in the pdf form. There's just some hand-wavy language about "Bank-grade Security". I suspect this means they store the CC data, which would be significantly different from how most online merchants operate.
As someone who has worked on a similar product, I would imagine they only store a token given to them by their payment gateway. The actual CC information is held by the PCI compliant payment gateway, while Docusign can use the token to charge a card without storing compromising information.
Would be good if that were spelled out though. From the outside, you click a link and see a pre-filled PDF, as both the end user and the person that sent the form. There's no obvious magic that it's auto-detecting cc like data and storing it differently than the other fields in the pdf.
With credit cards, you personally do not have much to worry about, since your card issuer holds the ultimate liability for any fraud that occurs. Just be careful to use a credit card (attached to a reversible ledger) and not a debit card (attached to a less-reversible cash account).
This is not an accurate description of the difference between credit cards and offline debit cards with regard to disputed transactions.
In both cases, fraud disputes are handled in the same way. Either the issuer or the account holder suspects fraudulent transactions and the bank engages an investigation in order to determine the veracity of the claim.
Where things differ is that the onus of proof for credit card accounts is on the merchant to prove the transaction is legit. When an offline debit card is used, the funds are deducted from the account when the merchant captures funds and, therefore, the onus of proof lies with the card holder to prove it is fraudulent.
Liability, in this context, is a non sequitur as fraud claims exist in either scenario and one party or the other must provide proof to support their position. The other, by definition, is responsible for said funds.
I'm not really sure what you mean regarding "a reversible ledger", as this has nothing to do with credit card transactions.
It's not really that simple either. For the US, there are different paths for liability limits, reporting periods, etc., for the different combinations of credit vs debit and card-present vs card-not-present and Visa vs Mastercard. The rules are a mix of various consumer laws like "Truth in Lending" as well as Visa and MasterCard policy. There are areas where Visa and MC differ in policy.
Your note about "onus on proof lies with the cardholder" is less true for Visa, for example.
Are you sure? I don't know how credit card companies in the US behave, but here in the Netherlands I called up Mastercard to ask them whether I am liable for any fraud that occurs if I do something like this (or send credit card info over email, like so many hotels want). The credit card company tells me, yes I am liable for any fraud that occurs, because email and unencrypted text boxes on websites are known to be insecure, and so it can be argued that it's my own fault if credit card fraud occurs.
In AUS it's much like chatmasta says: if it's a CC linked to a true "credit" account the issuer has the value entirely underwritten. If you can reasonably prove that someone stole it for example, then you'll get your money [credit] back.
If it's linked to a savings account and it's a Visa/MC debit card, for example, then it's a different story. The funds are not insured and so if you lose it it's on you.
Even if the credit card company decides to hold you liable, you're still better off, because they have to follow court procedures and get a judgment against you before they can actually take your money.
With a debit card, the money is just gone and the burden is generally on you to find some way of recovering it from whoever stole it.