Friday, May 28, 2010

Credit Card "Security"

I've run into a bit of a problem with, and I thought I'd share what has happened in case someone can help me understand it better.

About a month ago, I placed an order with them. That's nothing new. I've been an customer for more than 10 years. About a week later, my stuff arrived, and everything was peachy...or so I thought.

Last Sunday, I got an email from them saying that another customer complained that the charges for my order ended up on their credit card. By the time I got that email, I had 3 other ones saying that my order had been refunded (my order ended up in 3 shipments, each charged separately). Those refund emails included the last 4 digits of the card I used to pay, which were wrong. Instead of AABC, I typed CCAB.

But being a responsible credit-card-accepting vendor, requires more than just a card number. They also require a billing address and the 3-digit security code on the back of the card. I entered my address and the 3-digit code from my card when I placed the order. Since I messed up the card number, the billing address and security code did not match the card number I entered, but the charge went through anyway! The card number happened to match someone else's card and whatever computer system verified the payment information didn't check the address or security code.

The email I first got from them said that they could charge a card stored in my account already and that I could authorize payment if I told them the last 4 digits of one of them. I'm not sure what cards I still have stored in my account, so I thought I'd log in to see, but my account has been disabled, so I can't check. I emailed them back saying they could charge my card AABC if it's in there, but if not, they could call me, and I gave them my phone number. I also asked how this could have happened.

I got an email back a couple days later blaming Visa for the mistake. They said that they just pass all the card info the customer enters to Visa, and Visa accepts or rejects the charge.

They also told me to call customer support and tell them I need to pay for this order over the phone. I called support, gave them the order number, and told them I need to pay for it, but the guy told me he can't access my order because my account is locked. He told me to wait 24-48 hours and try logging in again to change the payment for that order. Based on previous experience with entering incorrect payment info on an Amazon order [1], I didn't think I could change the payment info on a completed order in their web interface, and I suspected he didn't understand that the order was already completed. I told him that, but he just repeated what he told me, so I told him I'd try it. It's been 48 hours now, and my account is still locked.

Getting the run-around with support techs who don't know what's going on and don't seem to communicate with each other is frustrating, but nothing new.

What's new for me is that I bought almost $300 of stuff from using another person's credit card. I would have thought that in 2010, using a stranger's credit card would have been a lot harder than that.


[1] If you buy mp3's from Amazon, you authorize payment and then can download the songs immediately. However, Amazon waits to charge your card, probably to let you buy multiple songs and group them all into one transaction. So if you accidentally use an expired debit card to authorize the payment, you get an email an hour or so later saying that your card was rejected, long after you've already downloaded the songs. Because the order was completed with items delivered, you can't change the payment info for the order. I emailed support about that, and they had no way for me to pay for it over the phone either. I had to go find all the songs and buy them all again with a new card.


  1. Visa charges considerably on their transactions to cover up the "messes" created.

    Credit card fraud is so easy... the system is based on trust, because it is cheaper to trust than to misstrust. That is why we use paper money, it is simpler to accept it as having value than to have to carry gold coins arround...

    The idea with VISA is that you are responsible for monitoring your statements and ensuring that they are all right. If you find that something is not right, they will respond, though in spain you do have to report it to the police in writing and then they reimburse the amount.

    And Amazons call line... tell me about it... Same in Spain... Calls End... thats what I call it, where calls die... Their objective is to get you of the phone, and it is easier making up convincing "stories" than having to think, to make the effort to "understand" to gather information... Oh well, they aren't paid to do that either. It is called Corporate Strategy... And there are huge think tanks... consulting companies, paid millions to come up with ideas like this.

    Sorry if I write too much... Been playing Clock Words ;P

  2. That's interesting. I had no idea it wasn't more secure. I've had my card declined for making mistakes before, so they do check some things. I don't know why they don't check better, especially with today's technology.

    It seems like one of those things a big corporation would put off until something happens with the media. Then their PR will scramble to make it sound like they weren't negligent, and they'll redesign their corporate logo, and all will be good.