Credit cards automatically providing updated card info to subscribing merchants (cbc.ca)
199 points by emptybits on April 22, 2019 | 137 comments


Here’s an interesting one: when your card is compromised and a new card number is issued, many banks will allow charges to continue using the old card number, provided the charges were occurring on an ongoing basis from that same merchant before the compromise. This is designed to prevent disruption of ongoing subscriptions in the event of compromise.

About a month ago I was reviewing my statement and noticed I was being billed by Spotify twice each month. I contacted Spotify to ask why they were billing me twice, and they asked for my account info and indicated my account was only being billed once. They then asked for the first 6 and last four of my card number to search that way, and again indicated I was only being billed once.

I sent them a screenshot of my online account statement at which point they agreed they were billing me twice but could not find the origin of the duplicate charge.

Finally it dawned on me - my bank had sent me a new card a long while back because of a suspected compromise. I’d had that card for a long time, and had the number memorized. I gave the old card number to them and bam - they found the source of the fraudulent transactions.

This means that even though my card number was compromised and cancelled, it can still be used for payment at any merchant for which I’ve had an ongoing subscription. Since these are merchants I do business with, it makes it doubly hard to notice the fraudulent charges as seeing “Spotify” or “Netflix” or whatever does not raise my eyebrow. Only in a careful month by month review did I pick up on the fraudulent transactions.

As a side note Spotify was very quick to reverse the duplicates and appear to have blocked that old card number from being used in their system again. Although a frustrating experience overall, they were very good to work with.
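The continuity rule and the month-by-month review described in this post, as an added example that is not from the thread or any issuer's code; the PANs, dates and merchant name are constructed, and the six-prior-charges threshold is a constructed default (a later comment in the thread reports Chase uses six).

```python
"""Issuer-side continuity rule for a reissued card, and the statement review
that catches the blind spot the post above describes.

Model: after a reissue, charges submitted on the OLD card number are still
approved when the same merchant was billing that number on an ongoing basis
before the reissue. Everything here is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Charge:
    pan: str        # card number the merchant submitted
    merchant: str   # descriptor as it appears on the statement
    amount: float
    day: date


class IssuerAccount:
    """One cardholder account whose card has been reissued."""

    def __init__(self, old_pan, new_pan, reissued_on, history, min_prior=6):
        self.old_pan = old_pan
        self.new_pan = new_pan
        self.reissued_on = reissued_on
        self.min_prior = min_prior          # constructed default threshold
        self.ledger = list(history)         # approved charges so far

    def _prior_recurring(self, merchant):
        # approved charges from this merchant on the OLD number before the reissue
        return sum(1 for c in self.ledger
                   if c.pan == self.old_pan and c.merchant == merchant
                   and c.day < self.reissued_on)

    def authorize(self, charge):
        """Return True if the charge is approved under the continuity rule."""
        if charge.pan == self.new_pan:
            approved = True
        elif charge.pan == self.old_pan:
            # cancelled number: only merchants with an established recurring
            # relationship get through, regardless of who submits the charge
            approved = self._prior_recurring(charge.merchant) >= self.min_prior
        else:
            approved = False
        if approved:
            self.ledger.append(charge)
        return approved


def duplicate_merchant_charges(ledger, year, month):
    """Monthly review across old and new numbers: merchants billed more than
    once in the month. Returns {merchant: [charges]} for those merchants.
    The merchant name alone raises no eyebrow; the count does."""
    by_merchant = defaultdict(list)
    for c in ledger:
        if c.day.year == year and c.day.month == month:
            by_merchant[c.merchant].append(c)
    return {m: cs for m, cs in by_merchant.items() if len(cs) > 1}


def demo():
    old, new = "4111111111111111", "4111111111112222"   # constructed PANs
    reissue = date(2019, 1, 15)
    # constructed history: a monthly Spotify charge on the old card through 2018
    history = [Charge(old, "SPOTIFY", 9.99, date(2018, m, 3)) for m in range(1, 13)]
    acct = IssuerAccount(old, new, reissue, history)
    results = {
        # cardholder gave Spotify the new number: legitimate charge
        "legit_new": acct.authorize(Charge(new, "SPOTIFY", 9.99, date(2019, 3, 3))),
        # the leaked old number used for a second Spotify account: also approved
        "fraud_old": acct.authorize(Charge(old, "SPOTIFY", 9.99, date(2019, 3, 9))),
        # the leaked old number at a merchant with no history: declined
        "fraud_other": acct.authorize(Charge(old, "RANDOM SHOP", 49.0, date(2019, 3, 10))),
    }
    results["march_dupes"] = duplicate_merchant_charges(acct.ledger, 2019, 3)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```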


This happened to me in a different way: I was giving recurring payments to a .org. I kind of knew how much I wanted to give, but instead of a lump sum I figured I would do recurring for a year. It would give them a little more and seemed to make the guy at my door happy.

Now with this organization, you can donate via the website but to cancel a recurring donation requires a phone call. I called a couple of times to try to cancel but didn't reach anybody. I admit- I wasn't too concerned (a good organization overall), but I was a little pissed nevertheless.

My credit card was skimmed, and I had it cut off. I figured this would solve my problem with the donations as well. Nope.

About two years later my wife (who actually handles the bills in the family) asked me if I wanted to continue those payments. I was pretty shocked- and persisted with the phone calls until I reached somebody to cancel.

Surprise!

I consider the "signing up can be done on the web, but canceling requires a human" to be a dark pattern.


> I consider the "signing up can be done on the web, but canceling requires a human" to be a dark pattern.

And illegal in California as of last year. Hopefully them forcing companies to allow online cancellations will mean it's available for the rest of us too.

https://www.cnet.com/news/companies-must-let-customers-cance...


Yes, this is the correct fix (well, not the part where everybody else has to rely on California, but the rule that if you can sign up by method X you can cancel that way too).

My ex-employer was surprised that when they were obliged by law to stop routing everybody through a retention call center, customer satisfaction improved. Too much of their own Kool Aid had been drunk; they'd persuaded themselves that customers wanted to be reminded of the benefits and offered other deals by a human so much that they'd hate even having the option to just press "Cancel" on the web site and leave that way.

It's an old Joel Spolsky lesson: if you make leaving a pleasant experience, that customer may come back some day. If not, you're never going to see them again.


It's been illegal in Illinois for a couple years as well.


Several years ago, that dark pattern caused me to cancel my online NY Times subscription shortly after I started it, because the discovery of that process annoyed me so much.


I dislike (dark patterns) and fear (bad implementations) subscriptions so much - I've put off implementing any kind of subscription for a SaaS product I built.

I've just decided to let the customer pre-pay for up to the limit I'm willing to guarantee that I'll keep running the service, even at a loss (two years at the moment). I figure if the service isn't worth a user's time to click once to re-subscribe every few years, then I probably shouldn't be taking their money.

I admit this might be a bit naive from a business perspective :)


One thing I did to spot these dark patterns is have two credit cards.

The first is used for recurring bills (Netflix, phone, internet etc).

The second is for everyday spending (Amazon, groceries, sundries etc). The second has an extremely low threshold for alerts and emails about pretty much every transaction.

If something were to set itself to autopay, I'd notice very quickly since card 1 pings me, and card 2 only should have <10 merchants per month for easy auditing.

(Paying in cash for entertainment expenses also makes auditing easier. Having every cup of coffee or burrito clogging your statement makes it hard to spot double charges and other small frauds)


WSJ online uses this dark pattern, or did when I cancelled roughly a year ago. I won't ever subscribe again, purely because of this nonsense.


I changed my WSJ billing address to California momentarily to be eligible for online cancellation. Worked like a charm :)


>I consider the "signing up can be done on the web, but canceling requires a human" to be a dark pattern.

The existence of this pattern is the sole reason why I'm using PayPal.


For what it's worth, we've seen that situation from the other side as well. A customer who subscribes with us wants to update their payment details, but in fact creates a new account with a different ID, new card, etc. They don't do anything to close down their old account, we have no way to know that john.smith@example.com is the same as j.smith.1980@example.com and we don't even see their card details, and so of course our system will charge both of them as if they were two different customers.

Sometimes customers do get confused by the automatic update mechanisms for card details, but most of the time it seems to be a useful facility that saves hassle for our subscribers and avoids unintended cancellations. I do think the card companies should be much more transparent with both cardholders and merchants about how their systems actually work, though. We've had occasions where something unexpected has happened, a customer has contacted us to ask what is going on, and all we could do was contact our card payment service to ask them because we had no idea either.


What you're saying sounds like you're able to bill a card without being required to verify who you're billing. Surely there's a law against that?


In both cases we're talking about a customer who has deliberately signed up and provided us with their contact and payment details. It just happens to be the same customer twice, but providing different details so we can't automatically determine that they're the same person.

In an ideal world, perhaps we would verify exactly who each customer is for legal purposes, but in reality there's no good way to do that, so we accept a fraud risk that is small in practice in return for streamlining the process for both ourselves and our customers. There are systems that will shift that liability if you go through additional authorisation checks at purchase time (and in Europe, use of these systems will become mandatory in most cases later this year) but it is not clear that these are actually helpful, in that they may do more harm than good.

As for having a law against anything, I don't see how this is much different to when I buy my shopping from a grocery store and all I need to provide for payment is my card and PIN (and not even the PIN for most low-value transactions these days). Or of course I can pay completely anonymously using cash.


> In both cases we're talking about a customer who has deliberately signed up and provided us with their contact and payment details. It just happens to be the same customer twice, but providing different details so we can't automatically determine that they're the same person.

Isn't a user required to enter their name and address information for you to be able to charge the card? Doesn't that have to match the card?

> I don't see how this is much different to when I buy my shopping from a grocery store and all I need to provide for payment is my card and PIN (and not even the PIN for most low-value transactions these days).

Your card provides name and address information. PIN provides "security" (for some definitions of security...).

> Or of course I can pay completely anonymously using cash.

If a user is somehow paying for services with cash online... doesn't that rather necessitate that they can't enroll in automatic billing? So, how does that have anything to do with the topic at hand: automatically billing against cards which are no longer valid.


> Isn't a user required to enter their name and address information for you to be able to charge the card? Doesn't that have to match the card?

No and no.

There is a certain amount of basic checking of some parts of an address that can optionally be done. It's nothing like as comprehensive as you seem to be expecting, though.

> Your card provides name and address information.

Not necessarily, at least not that the merchant can see in full. Again, just because the card issuer has such information, that doesn't mean the merchant necessarily does.

> If a user is somehow paying for services with cash online... doesn't that rather necessitate that they can't enroll in automatic billing? So, how does that have anything to do with the topic at hand: automatically billing against cards which are no longer valid.

The point was that you don't necessarily have to know someone's identity definitively to trade with them lawfully.


I had my credit card number stolen and the thief used it to subscribe to Netflix. 16 times. That's right, they created 16 Netflix accounts in one day using the same credit card details. Apparently a basic sanity check like "Are we already billing this card?" is not implemented at all, and Netflix support admitted as much.

I think it's in the merchants' interest to proceed with lackluster sanity checks, knowing that some erroneous charges will make it through. It's got to be a multimillion dollar business collecting fees from the unaware, the scammed, and the dead.


> ...and the dead.

Canceling my dad's cable service was peculiarly cathartic. They wanted to talk to him, not me: "he's dead." They stumbled over points in the script where they're supposed to flip the cancellation into a bigger subscription: "no, he's still dead." They awkwardly prodded about survivors: "none of your business; if anybody wants your service they don't want it under the name of a dead man, will you cancel the service now?" This would have been quite painful if I didn't get so much glee from saying "no" to salespeople...


> Apparently a basic sanity check like "Are we already billing this card?" is not implemented at all

They most likely don’t store your actual card number.


Is there technology around this? I mean I can imagine an API where the CC# itself is only necessary in the first transaction with a new vendor, during which the vendor makes a (signed) request for a vendor-specific token to use for future payments, and can forget the CC# immediately; future payment requests use the same signature chain and the vendor-specific token... making it easy to invalidate any/all of these tokens if the data is compromised, or if the end-user wants to invalidate a specific recurring payment, etc.

I'm in fantasy land, right?


This is exactly how Stripe works. Except you don't even need the credit card info at all, even initially – Stripe handles that.

Now that's currently only online, but they're releasing a point of sale product soon too. But even with that, you connect to their card reader and receive a token that you can use.


This is how every payment provider/processor I've ever worked with works, going back more than a decade.

In fact Stripe and Braintree (and I'm sure others) have systems where the implementing service doesn't get the credit card number at all: the payment information is sent directly to the processor from the client and the implementing service only gets a vault token.
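The vendor-specific token scheme sketched in the question a few comments up, the vault-token arrangement this reply describes, and the "are we already billing this card?" check the Netflix comment asked for, as one added example; it is not Stripe's, Braintree's or any processor's code, and the Vault and Merchant classes, the HMAC fingerprint, and all PANs and keys are constructed for illustration.

```python
"""Merchant-specific payment tokens with a keyed card fingerprint.

The PAN reaches the processor's vault once; the merchant keeps only a token
bound to that merchant. The vault can revoke one token (one recurring
payment) or every token for a card (a compromise). A keyed fingerprint lets a
merchant detect a card it is already billing without ever storing the PAN.
All names, keys and PANs here are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str
    merchant_id: str
    revoked: bool = False


class Vault:
    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key            # vault secret, never leaves the vault
        self._tokens: dict[str, TokenRecord] = {}
        self._by_pan: dict[str, list] = {}

    def fingerprint(self, pan: str) -> str:
        """Stable keyed hash: same card -> same value for this vault, but not
        reversible and not brute-forceable without the key (a plain SHA-256 of
        a 16-digit PAN would be)."""
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """First transaction: the card goes to the vault, the merchant gets a
        random token that is only valid for that merchant."""
        token = "tok_" + secrets.token_hex(16)
        self._tokens[token] = TokenRecord(pan, merchant_id)
        self._by_pan.setdefault(pan, []).append(token)
        return token

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> bool:
        """Later payments use the token only; it is useless to another merchant
        and dead once revoked."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked or rec.merchant_id != merchant_id:
            return False
        # (rec.pan, amount_cents) would be forwarded to the card network here
        return amount_cents > 0

    def revoke_token(self, token: str):
        """Cardholder ends one recurring payment; other merchants unaffected."""
        self._tokens[token].revoked = True

    def revoke_pan(self, pan: str):
        """Card compromised: every merchant's token for it stops working."""
        for tok in self._by_pan.get(pan, []):
            self._tokens[tok].revoked = True


class Merchant:
    """Stores a token and fingerprint per customer account, never the PAN."""

    def __init__(self, merchant_id: str, vault: Vault):
        self.id = merchant_id
        self.vault = vault
        self.accounts: dict[str, tuple[str, str]] = {}   # email -> (token, fp)

    def enroll(self, email: str, pan: str):
        """Returns (ok, reason). Refuses a second account on a card already
        billed here; the same customer updating their own card is fine."""
        fp = self.vault.fingerprint(pan)
        for other_email, (_, other_fp) in self.accounts.items():
            if other_fp == fp and other_email != email:
                return False, f"card already billed on account {other_email}"
        self.accounts[email] = (self.vault.tokenize(pan, self.id), fp)
        return True, "enrolled"

    def bill(self, email: str, amount_cents: int) -> bool:
        token, _ = self.accounts[email]
        return self.vault.charge(token, self.id, amount_cents)


def demo():
    vault = Vault(fingerprint_key=b"constructed-vault-secret")
    netflix, spotify = Merchant("netflix", vault), Merchant("spotify", vault)
    pan = "4111111111111111"                     # constructed test PAN
    out = {}
    out["first"] = netflix.enroll("alice@example.com", pan)[0]
    out["dup_same_merchant"] = netflix.enroll("thief@example.com", pan)[0]
    out["other_merchant"] = spotify.enroll("alice@example.com", pan)[0]
    out["bill_ok"] = netflix.bill("alice@example.com", 999)
    # a token lifted from one merchant's database is useless elsewhere
    leaked_token, _ = netflix.accounts["alice@example.com"]
    out["cross_merchant_replay"] = vault.charge(leaked_token, "spotify", 999)
    # cardholder cancels only the Spotify payment
    vault.revoke_token(spotify.accounts["alice@example.com"][0])
    out["spotify_after_revoke"] = spotify.bill("alice@example.com", 999)
    out["netflix_after_revoke"] = netflix.bill("alice@example.com", 999)
    # card compromised: everything on that PAN dies at once
    vault.revoke_pan(pan)
    out["netflix_after_pan_revoke"] = netflix.bill("alice@example.com", 999)
    return out
```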


At Netflix’s size with a need for payment processing redundancy I imagine they would store and vault it.


They do this based on decades of near unanimous feedback and in many cases anger so cardholders do not have to change all their billing setups just to block txns to new merchants going forward.


I started being charged $17 a month for Amazon Prime. I contacted Amazon and confirmed I didn't have, and had never had Prime. It was a fraudulent third party.

I think the scam must rake in huge sums of money, given that it could slip by for months unnoticed.

EDIT: Amazon confirmed my card was never used to purchase Prime for me or anybody else. The scammers were just charging my card $17, and hiding the charge under the name 'Prime Subscription'.


>EDIT: Amazon confirmed my card was never used to purchase Prime for me or anybody else. The scammers were just charging my card $17, and hiding the charge under the name 'Prime Subscription'.

They were probably just trying to confirm the card is active. Stuff like gas stations and vending machines can set off alerts since they're common vectors. (Ex: my issuer called me immediately after I first got a card and bought gas for it, because someone who previously didn't buy gas doing so in an area far from home was a common fraud pattern)

If the small charge works they can try bigger items.


It's also super easy to get suckered into signing up for Amazon Prime. It's happened to me a couple times.


How did the third party benefit?


They were stealing actual money and labeling it as a “Prime Subscription” to avoid detection and direct the issue initially, when detected, at Amazon, which probably averages getting them a few extra billing cycles each time they pull the scam.


Affiliate fraud maybe


They got $17.


They (third party) received all the benefits of prime without having to pay for it.


No, Amazon confirmed my card wasn't even being used for Prime at all. They just charged my card with the name 'Amazon Prime', and were withdrawing money from it.


I just went through this with Chase. Their criterion is six prior recurring payments for a given merchant to allow payments to continue on the old number from that merchant.


Not just in case of a compromise - many issuers will let things go through to the old # when it expires and a new card is sent out.

This can create unforeseen problems that aren't fraud related as well.

For example, I had to replace my iPhone at one point, and update my 2FA codes. (Even if you back up your iPhone regularly, 2FA codes in Google Authenticator are not backed up.)

Unfortunately, I'd lost my recovery code for one service provider. They wanted the last 4 of my CC as one of the points of data in their verification process.

Then told me it was incorrect.

Luckily, the CC issuer (who sadly, for security reasons I'd rather not name) had some excellent customer service.

They realized that they had been billing the previous card number since it was a known re-occurring payment, and were able to work with me to retrieve the last four digits of the old card number via an old statement, enabling access to my account.

I've since moved over all my recurring payments to that issuer. (And made a document outlining which merchants have which cards on autopay so I can update them when cards are re-issued + backed up my 2FA recovery codes in a secure, offsite, physical location.)


That has become a pet peeve of mine. When the answer to "Can you give us the last four of the CC you used for your last purchase with us?" is "Well, that was a few years ago. I shredded that card when it expired as I always do. This is not information that I have and frankly it isn't even information that you should still have under PII laws."


2FA codes are backed up when you do iTunes backup. That's how I transferred to a new iPhone.


This very program by visa allowed LA Fitness to steal several hundred dollars from me after I thought I had unsubscribed (they are also known for being unscrupulous about customer subscriptions). I thought I had cancelled my account, and was unworried about them continuing to charge me because I had recently gotten a new card number anyway. Well, unfortunately WF/Visa had given them my updated card info without my knowledge at a time when I didn't check my statements for several months (I audit charges MUCH more regularly now). They had kept my account active because I hadn't realized how convoluted their "unsub" process was and hadn't jumped through all of their over-the-phone hoops. Long story short I was out several hundred dollars over the course of almost a year, and the CC people were unwilling to help because the charges went undisputed for many months. A very angry visit back to the LA Fitness location was the only thing that remedied the continuing subscription, but I never got my money back. Caveat Emptor.


I worked for a small local company that stored credit card details in plain text. Including CVV. I brought it to their attention and the owner just hand-waved me off. “The working system was working”.

This is why cards like the Apple Card, which allows you to generate cards on the fly, are better for consumers. Just generate a card for LA Fitness and delete it when you close your account. This would eliminate a big chunk of fraud (including the shady shit LA Fitness does) when your card details are sitting in many databases (some of which are not encrypted in any way).

I’m not saying Apple card is great, just that feature of it.


Privacy.com does this too with debit cards for free. You link it to a bank account, and it generates disposable card numbers that can be locked to a given merchant and given a maximum amount that can be charged at once before they decline.


+1 to Privacy, it's great. I believe they also give you 1% cashback when you sign up (at least based on the page cashback.privacy.com).

Note that with the Apple Card, while you can regenerate the number, it shouldn't be used in the same way as Privacy/other virtual card services. See this TC article[0]:

> Card numbers are manually regenerated only, and do not automatically rotate. There is, currently, no single-use number support or single-merchant number support.

Also, it is very likely the "regenerate" function will send your new card to Visa/Mastercard's card updater service.

0: https://techcrunch.com/2019/03/28/how-apple-card-works/


That's a great feature and one I was looking for two decades ago; glad that somebody is finally using technology to empower users in this way, and it should be the norm for all online card usage. I just lament that it has taken a 3rd party card offering to accommodate this and it is not being driven by the main card players (Visa, Mastercard).


Many banks (Citi, for example, has it at https://www.cardbenefits.citi.com/Products/Virtual-Account-N...) have offered this for almost a decade. Visa and MC both support it at the network level globally, and are in fact the reasons that virtual account numbers work.

Consumers have routinely ignored this feature. Like so many security things, it's just not sexy enough for them to care and take on the hassle of older clunky solutions. The rise of digital payments and the movement away from a plastic card is making this much easier on people, by embedding the virtualization in the flow automatically instead of making users take steps to generate and manage.

But those who cared could always do this. It's just that so few cared.


Too few creditors offer the feature even though the networks support it. PNC wouldn't, their customer service lady looked at me like I had three heads when I asked her if they supported it. Amex's blue card used to and may still support one shot numbers that were very easy to generate online. Capital One's "Eno" browser plugin generates merchant-specific card numbers but the plugin makes it difficult to generate numbers to use off-web although the backend validates the merchant name and rejects charges that don't match the expected merchant as I discovered with a Dell-bound number on the Dell factory clearance site.


Capital One once denied me the ability to pay for a hotel room in Canada, after I had explicitly contacted them in advance with my travel plans, had booked the plane tickets on the same card, and paid some small items in the airport back home and upon arrival. Given how many transactions they process it should have been abundantly clear I was using my card in a normal manner.

I would never trust them to handle anything more complex like virtual card numbers.


For me it is the first time I'm aware of it being offered in any form, though I'm in the UK and gave up on credit cards years ago. But certainly from my perspective and online and TV adverts locally, I've seen nothing, and I certainly would have noticed that or have watched the whole YouTube advert without skipping as something I'd be interested in.

Glad that it's a bigger thing beyond Apple, so I'm wondering if it is a case of it being a customer-ignored feature, or a case of it and its virtues not being bestowed upon the customer. I can't say how customer relations and usage of such features work, or how the customer is informed, in America. I am aware though that credit card usage in America is more prevalent than in the UK. At least that was the case years ago; it may have changed. Certainly debit cards are more utilised in the UK and may have become more common in America.

Though it does make a credit card more palatable for me again, so thank you for making me aware of this. Shame all those credit card spam and junk mail offerings never mention such a feature, but I shall enquire.


The last time I tried citi virtual card (1-2 years back), the interface was useless to be helpful. It ate up so much time to setup or verify card details that I did not want to use it. And then once when a merchant was declined, for no reason, citi customer support did not understand virtual cards themselves.


Banks have offered virtual credit cards for many years; in Portugal it's been available since at least 2006.


Capital One has a Chrome browser extension that will detect when you're on a payment page and suggest a one time generated card number.


> This is why cards like The Apple Card, which allows you to generate cards on the fly, is better for consumers.

Capital One has a browser plugin called "Eno" that allows one to do something very similar to what you're saying.


How is that even possible? It's a direct PCI DSS violation! Isn't there any supervising body?


Unless you are a big company, PCI-DSS is "verified" by self-assessment. They can say whatever they want.


Volume is too low, but if there is a breach the business is done.


Gyms always run unsubscribe scams like this. It's rife here in the UK. After getting screwed similarly I said fuck it and just run around the local park.


Is there something like a small claims court you could take this to? The case seems decent - they have a convoluted unsubscription process on purpose which misled you into thinking you unsubscribed, and you didn’t use their services after that.


How much do you want to bet the LA Fitness contract includes binding arbitration?


I'd be surprised if this is not in violation of some law or another. Consumer protection isn't that bad in the UK, and if I was in this situation then I'd start with the police, as this is, however you dress it, fraud. After all they took money they had no legal claim in taking as the agreement had been canceled.


Apparently gyms are increasingly using formal contracts at signup which stipulate this convoluted process to exit the contract.

Good luck winning that in small claims.


Would it stand in court though? Wouldn't the court see the bad faith behind the terms, given they were designed to mislead the customer as opposed to having a legitimate reason behind them?


This isn't new and has existed for nearly 20 years. Visa's implementation is called VAU (Visa Account Updater[1]) and Mastercard's is ABU (Automatic Billing Updater[2]).

Issuers (banks) have to provide the details of these new cards to Visa/Mastercard, and the systems are certainly capable of updating the details of debit cards. It sounds like TD had a bug where they sent updates for cards which they shouldn't have. ie: TD broke their own rule about only enrolling credit cards.

Card details which do not automatically update are really frustrating for customers – especially on services like Uber. In nearly all cases the customer is going to go and give the merchant their new card details anyway. My understanding is that if card is compromised (as opposed to being lost) then banks should not provide the new details. There isn't really much _additional_ privacy or security risk here beyond those posed by merchants/acquirers holding onto card details already – provided banks do it right.

Though zooming out a little, long-lived payment tokens shared among every merchant a user shops with being the way things are still done is crazy. How long it has taken to roll out EMV (chip cards), especially in the US, shows how hard it is to effect change in vast, three+ sided marketplaces like card networks.

[1] https://developer.visa.com/capabilities/vau

[2] https://developer.mastercard.com/product/automatic-billing-u...

Disclosure: I work for a bank.


I prefer to be able to choose whether my card details are updated. By default I do not want updates. I will definitely give Uber my new card, but I like how card expiration kills subscriptions I don't care about without me having to do anything.


Don’t do this. Your card not working (generally speaking) doesn’t automatically end a contract.

You could end up with the subscription not ending but just accruing as a debt, which the vendor could then sell on to a debt collector at a later point.

If you just let a card expire you’re generally relying on the good will of the vendor to treat it as a cancellation.


But we're put into this position by the bad will of the vendors who make it next to impossible to cancel the contract.


Talk about hyperbole. What vendor contracts are next to impossible to cancel? And are we just talking about obnoxious phone calls with extended waits?


I did this deliberately. Tried to unsubscribe from the Times newspaper (digitally only) in the UK.

- Unsubscribing was phone only
- Limited operating hours
- Long telephone queues

And then they told me they would have to charge the next three months subscription, and that there was no technical way to remove me early.

Surprisingly, when I cancelled the card and they didn’t get the money my account managed to get turned off somehow!


Issuing banks don’t have to fail a transaction just because the card is expired anyway, so this isn’t actually a guaranteed way to end the charges anyway.

Of course issuing banks may even approve charges on a closed account too. In other words, relying on the bank to end payments has all kinds of failure modes.


That’s just like people who are going to be “smart” and use a card with a low credit limit to attach to their hobby AWS accounts.

Just because the charge was declined when you were billed doesn’t mean you don’t owe the money.


A subscription is a bit different as you pay in advance. If the charge fails, you generally lose access to the subscribed service. That's not the same as using an AWS resource, being invoiced for that use, then not paying it.


That’s fair and in most cases, you can just update your card information and nothing is lost. But what if it is for a renewal of something like a domain name or backup service where you would lose data if you don’t renew?


> but I like how card expiration kills subscriptions I don't care about without me having to do anything.

I'm not advocating against choice of automatic updates... but shouldn't you come up with a different way to kill off subscriptions you don't care about? My VISA doesn't expire till 2023


It's far from ideal, but I like the reset provided by card expiration. Better would be if the issuer provided a web interface to turn off any subscriptions at will. Asking the merchant to do it is usually very annoying and time consuming by design, so sometimes it just doesn't get done.


No guarantee that your card issuer will decline a transaction on an expired card. Plus, that may not actually cancel the subscription and you could continue building a debt. Just cancel the sub.


I think he's talking about services that intentionally make it hard or impossible to cancel.


This is overblown. Worst case, you can send a certified letter for most things.

For gyms, it's pretty well known you either don't agree to said contract to begin with, or suck it up and show up in person if you did.

And gyms have a valid contract and will likely continue accruing debt on your account which they could pursue if they wanted to.


You can tell your credit card company that you lost your credit card if you need to change your credit card number. But usually, my bank tells me at least once a year that I need a new number because my card has been compromised.

This is not ideal which is why whenever I can I setup autopay through my bank's website.


> usually, my bank tells me at least once a year that I need a new number because my card has been compromised

What!?

I have been shopping online all over the place since the time Amazon was only a bookstore (read: decades ago) and this has never happened to me once.

Are you sure nothing is wrong with your bank? Do you use your credit card in shady places?


Unless by shady places you mean places like Target

https://www.nbcnews.com/business/business-news/target-settle...

Or Adobe

https://krebsonsecurity.com/2013/10/adobe-to-announce-source...

Or British Airways

https://www.theguardian.com/business/2018/sep/07/ba-british-...

Credit card details get leaked or compromised all of the time and are a dime a dozen on the dark web.


The most shady places are probably gas stations/gas pumps and restaurants. They like to install card skimmers on gas pumps around here, maybe that is where it originates from. But most of the time, they cancel my card before any suspicious transactions are recorded.


It's good to give those readers a tug. The skimmers aren't usually affixed well.


I do that often and never found one... some can even be hidden inside the slot: https://www.geek.com/chips/this-card-skimmer-is-so-slim-it-w...


There really ought to be an option to instruct a card company to do a "hard termination". Seems like a rule that would be right in the wheelhouse of the CFPB (in the US).


It sounds convenient for things like Uber, but should still be opt-in. Since the vendor can apply charges arbitrarily, having your new CC details shared without your knowledge doesn't feel right. I've never seen this anywhere, usually you get a warning that 'your payment method will expire' a few weeks in advance. Might be a US only practice?


It’s definitely a thing in Europe, but many merchants don’t bother to support it. Large ones like Amazon definitely do though, as do all merchants who use Stripe.


Are you sure on Amazon? I've definitely had cards expire (Visa Debit/Mastercard) that have not been updated.


Yes, though your bank has to also support it.

https://www.amazon.com/gp/help/customer/display.html?nodeId=...


It's not just uber, think of all the utility companies and quarterly/annual billers who you put on your card to get rewards points. Who even knows how to change those, or which ones to change? Will you go through a year of statements?

There are lots of ways to make this better, but it exists because the consumer complaints when banks didn't do this outweighed the few who wish to have payment vehicles actually expire.

Banks could do a better job of listing the recurring billers, companies could do a better job of making it easier for you to update payment info (en masse), and networks could stop hiding behind issuers and big TV ads and provide direct-to-consumer controls even for banks that don't choose to offer them.

Disclosure: at the time of this comment, I work for a bank.


I guess the solution is to switch to another bank, VISA can't automatically figure this out.


I don’t think it’s that crazy. Has worked exceedingly well for 75 years. Can’t say that about too many systems.


The amount of fraud in the system is eye-watering. Everyone pays the price of that whether they realise it or not.


I’m personally on the side of opt-in/choice, maybe due to the traditional nature of controlling your credit card.

Although, I’d love to see a show of hands from anyone IT related that hasn’t witnessed an outage caused by an expired card/billing account issue. Oh the SSL certs, exchange servers, SaaS apps, domains, etc I’ve seen go up in flames temporarily because of billing issues over the years.


This has been happening in the US for a long while. Several years ago I had significant trouble terminating an Xbox Live Gold account. Exasperated, I canceled my card and got a new one. The next two months the charge was still on my bill. I eventually discovered the problem related to two separate accounts linked to my email address with and without a period in it, with Google considering the addresses identical and Microsoft considering them different.


In the United States, you can also work directly with your credit card company (or bank, in the case of a debit card) to stop a recurring charge. This is possible due to the Fair Credit Billing Act [1]. You might also be refunded for recent charges, if you have evidence that you contacted the vendor and attempted to terminate the service and were billed anyway.

1. https://en.wikipedia.org/wiki/Fair_Credit_Billing_Act


So I have to record my phone conversation with the vendor I want to cancel, just in case I need to go to my bank and have them terminate it? This is ridiculous and why consumer protection laws should be a thing.


Right!

You are the bank's customer. They don't need to protect the ability of vendors to bill you. I've had this argument before. "If canceling this subscription/ability to bill causes a dispute or debt or contract issue with the vendor, that's on me. I don't need you being 'helpful', or worse, _refusing_ to remove unauthorized transactions."


Yep, I think it was started in 2009 or 2010. I remember being called by the banks trying to sell us this new "updater" service and I remember they eventually rolled one out where even if you got a new card number they would update it depending on what category of merchant you were.


Same happened to me circa 2007. I filed a chargeback with my bank and, strangely, Microsoft didn't bother to ban me as a result - just degraded me to silver, as they should have.


Google and Microsoft both consider those to be different addresses. They just lead to the same inbox.
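The Xbox Live story above turns on two systems disagreeing about whether two spellings of an e-mail address are the same account. As an added example (not code from either commenter, and not any provider's own logic), the routine below is the provider-aware canonicalisation an account or billing system needs before it links or de-duplicates accounts by e-mail. The rule tables are assumptions for illustration: only Gmail's dot-insensitive and plus-tag delivery is encoded, and every other domain gets domain case-folding alone, because collapsing dots or tags for a provider that treats them as significant would merge two different people's accounts. The sample addresses are constructed.

```python
"""Provider-aware e-mail canonicalisation for de-duplicating accounts.
Constructed example for this thread; the provider rule tables below are
assumptions, to be filled in from each provider's documented behaviour."""
from collections import defaultdict
from typing import Dict, List

# Assumption: these domains deliver mail regardless of dots in the local
# part and route "user+tag@" to "user@".  Gmail documents both behaviours;
# any other provider must be added here explicitly, never guessed.
DOTS_IGNORED = {"gmail.com", "googlemail.com"}
PLUS_TAG_IGNORED = {"gmail.com", "googlemail.com"}
# Domains that are aliases of one another for delivery purposes.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonicalize(address: str) -> str:
    """Return a key under which two addresses that reach the same mailbox
    compare equal.  Unknown providers get only domain case-folding, so the
    conservative default is "different spelling, different account"."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    domain = domain.lower()
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_TAG_IGNORED:
        local = local.split("+", 1)[0]   # drop "+tag" suffix
    if domain in DOTS_IGNORED:
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both spellings resolve to one mailbox under the rules above."""
    return canonicalize(a) == canonicalize(b)


def find_duplicates(addresses: List[str]) -> Dict[str, List[str]]:
    """Group addresses that resolve to the same mailbox; only groups with
    more than one member are returned."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for addr in addresses:
        groups[canonicalize(addr)].append(addr)
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample: two spellings of one Gmail mailbox, plus two
    # Outlook addresses that must stay separate (no rule is known for them).
    sample = ["john.doe@gmail.com", "johndoe+xbox@gmail.com",
              "john.doe@outlook.com", "johndoe@outlook.com"]
    for key, members in find_duplicates(sample).items():
        print(key, "<-", members)
```

The design point is the asymmetry: merging two addresses that are really one mailbox only costs a support ticket, whereas merging two addresses that belong to different people hands one of them the other's account, so the tables default to "distinct" and are widened per provider, never globally.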


This is clearly a valuable service that just makes sense. To me the only viable argument here is the age old Opt In versus Opt Out argument that the United States and Europe can never agree on.

To me this makes perfect sense to be Opt Out. I would hazard a guess that 90% or more of consumers absolutely want their merchants to all keep going as expected when they for example lose their credit card on a trip and call to get a new one sent to them.

Keep in mind that the average consumer (at least in my observation) saves ALL of their credit card information for easier purchases in the future, a practice that probably has a much smaller overlap with the traditional HN crowd.


Read the article, the credit card company didn't provide PayPal the info. As the story unfolded, we find out that the update was done through PayPal shenanigans that they refuse to explain:

"After initially telling Go Public it got Acuña's information from the "account update services," PayPal backtracked a few days later, saying the account updater service "doesn't apply" in Acuña's case.

So, how did PayPal get her new expiry date? It won't say, citing customer confidentiality — even though Acuña agreed to waive confidentiality to allow the company to answer Go Public's questions."


As other comments have pointed out - the facility to update the details of an expired or cancelled card has been available to merchants / payment providers for years if not decades. I do recall that the type of transactions had to be specifically marked as so at the initial authorisation stage ("Continuous Authority" IIRC) and that would allow the initial auth code to effectively be reused. Visa and Mastercard would then provide a service that allowed you to update card details for those that required it (I can't remember if it was push or pull though).

I do also recall there was a problem when 3D Secure / Verified by Visa was involved - IIRC while the Continuous Authority transaction type allowed an indefinite length of reuse, 3D Secure / VByV only allowed up to 90 days (may have changed or may be a detail of the spec I'm forgetting).

The point is, don't assume cancelling your card will result in cancelling of any recurring debits or allow you to get out of a contract. You have to cancel them with the merchant to make sure they don't continue to charge your new card.


Even without an updater service, obtaining the new expiry date isn't too difficult, as alluded by this HN comment from 2011: https://news.ycombinator.com/item?id=2502530


I renewed two credit cards recently, and both included a new CVC number in addition to the expiry date.


CVCs cannot be used for recurring payments (beyond setting the subscription up) and merchants/acquirers are forbidden from storing them at all.


Expiry dates also aren't always as accurate as you might imagine. You'd think that a card that expires April 2019 wouldn't work in May, yet sometimes (but not always) they will for a month or two, or longer.


December of the current year works for expired credit cards. If a new card was issued with the same number but a different expiration date, you can get a successful payment authorization. It's a little trick.
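Two threads above describe issuer behaviour in words: the "Continuous Authority" comment (a cancelled card keeps working, but only for merchants that already held a recurring authorisation, and the network routes them to the replacement number) and the expiry-date comments (some issuers accept an expired card for a while, or accept "December of the current year" regardless of the real expiry). The following is an added, simplified model of that authorisation logic, written for this thread and not taken from any card network, bank or processor. All names, the `hard_terminated` opt-out flag (the "hard termination" a commenter wished for), the test PANs and the dates are assumptions; the lenient-expiry branch models only the behaviour the comments describe.

```python
"""Toy model of an issuer's authorisation path for recurring charges,
account-updater routing and expiry checks.  Constructed illustration of the
behaviour described in the thread; not any real issuer's or network's code."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple

Expiry = Tuple[int, int]   # (year, month)


@dataclass
class Card:
    pan: str
    expiry: Expiry
    active: bool = True
    replaced_by: Optional[str] = None   # set when the card is reissued
    hard_terminated: bool = False       # hypothetical opt-out: no updater routing


@dataclass
class Decision:
    approved: bool
    charged_pan: Optional[str]
    reason: str


class Issuer:
    def __init__(self, today: date, lenient_expiry: bool = False):
        self.today = today
        self.lenient_expiry = lenient_expiry
        self.cards: Dict[str, Card] = {}
        # (pan, merchant) pairs that were flagged recurring at first auth;
        # this is the "continuous authority" relationship the updater honours.
        self.continuous: Set[Tuple[str, str]] = set()

    def issue(self, pan: str, expiry: Expiry) -> None:
        self.cards[pan] = Card(pan, expiry)

    def reissue(self, old_pan: str, new_pan: str, expiry: Expiry,
                hard: bool = False) -> None:
        """Replace a compromised/lost card.  Unless hard=True, merchants that
        already bill the old number recurringly are carried over."""
        old = self.cards[old_pan]
        old.active = False
        old.replaced_by = new_pan
        old.hard_terminated = hard
        self.issue(new_pan, expiry)
        if not hard:
            for pan, merchant in list(self.continuous):
                if pan == old_pan:
                    self.continuous.add((new_pan, merchant))

    def _expiry_ok(self, card: Card, presented: Expiry) -> bool:
        if presented == card.expiry:
            return True
        # Models the "December of the current year" observation: a lenient
        # issuer accepts that value whatever the real expiry is.
        return self.lenient_expiry and presented == (self.today.year, 12)

    def authorize(self, pan: str, presented_expiry: Expiry, merchant: str,
                  recurring: bool) -> Decision:
        card = self.cards.get(pan)
        if card is None:
            return Decision(False, None, "unknown pan")
        if card.active:
            if not self._expiry_ok(card, presented_expiry):
                return Decision(False, None, "expiry mismatch")
            if recurring:
                self.continuous.add((pan, merchant))
            return Decision(True, pan, "approved")
        # Cancelled card: only a merchant that already held continuous
        # authority is routed to the replacement, and only if the holder did
        # not ask for a hard termination.
        if card.hard_terminated or card.replaced_by is None:
            return Decision(False, None, "card terminated")
        if recurring and (pan, merchant) in self.continuous:
            return Decision(True, card.replaced_by, "rerouted to replacement card")
        return Decision(False, None, "card cancelled; no continuous authority")


if __name__ == "__main__":
    # Constructed scenario matching the top comment: Spotify keeps billing
    # the old number after a reissue, a new merchant cannot use it.
    issuer = Issuer(date(2019, 4, 22), lenient_expiry=True)
    issuer.issue("4111111111111111", (2021, 4))
    issuer.authorize("4111111111111111", (2021, 4), "spotify", recurring=True)
    issuer.reissue("4111111111111111", "4111111111111129", (2022, 6))
    print(issuer.authorize("4111111111111111", (2021, 4), "spotify", True))
    print(issuer.authorize("4111111111111111", (2021, 4), "newshop", False))
```

The security-relevant reading of the model: once a PAN has a recurring relationship, knowing that old PAN plus the merchant is enough to keep charging after "cancellation", exactly the duplicate-Spotify case in the first comment; the only state that closes the path in this model is `hard_terminated`, which is the control the thread notes most issuers do not expose.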


It's been around for a few years https://developer.visa.com/capabilities/vau


I wish I had had this with my web clients in the past; I had to recover their micro sites many times because they had forgotten to provide new payment information to the provider.


This is a well-known feature in the SaaS billing world - most large gateways and billing systems (think Stripe, Recurly, Zuora, etc.) have supported this for years. In a recurring revenue model MOST clients are paying via credit card, and even when you are a small company, credit cards expiring creates a significant challenge. The auto-updating of cards at the gateway / payment processor level helps mitigate the impact.


Do we still need the credit card schemes for payments? Could move to a world of bank account to bank account payments, stripping out the payment layers?


We certainly COULD but I wouldn't.

By having Amex between me and a whole host of recurring-billing vendors, I have a kind of firewall. Amex is on my side reflexively if there's some kind of disagreement or dispute, and will reverse the charge.

If it were my debit card in play, or bank-to-bank transfer, the money would actually be GONE until I was able to convince the merchant, or the merchant's bank, to give it back.


By having Amex between me and a whole host of recurring-billing vendors, I have a kind of firewall. Amex is on my side reflexively if there's some kind of disagreement or dispute, and will reverse the charge.

But this is a double-edged sword. There is always a cost to this kind of scheme, and one way or another it is always going to be passed on to the customer. There is also an inherent risk in this kind of scheme, in that some quasi-judicial process is making decisions about who gets to keep the money in the event of a dispute, and if it goes the wrong way in one party's view then the result is either losing out on money they think belongs to them or taking more expensive action to recover it, possibly via the courts.

Ultimately I think everyone has to learn to be more responsible about these transactions. Of course it shouldn't be possible for a merchant to take money from a customer without authorisation, but equally it shouldn't be possible for a customer to arbitrarily reverse a payment several months later even if the merchant has done nothing wrong, or to cancel the payment authorisation as some sort of informal proxy for cancelling a legal contract with a merchant.

Aside from the excessive time periods for challenging payments retrospectively, I think the direct debit schemes tend to be better at this sort of thing than the card schemes. Typically, you have a specific payment authorisation (which can be cancelled from the customer's side) and you also have a requirement to give advance notice of recurring payments so there is time for the customer to act if they don't agree with them for any reason.


I'm really not sure what you're saying here, which is surprising because you said so much of it.

>But this is a double-edged sword.

No, it's really not.

Yes, I pay Amex an annual fee for the level of card I carry. I've done the math, and I get a good value back for this fee -- especially given the level of customer service AX provides. Paying for a service does not make this a double-edged sword; there's no downside for me here.

>There is also an inherent risk in this kind of scheme, in that some quasi-judicial process is making decisions about who gets to keep the money in the event of a dispute, and if it goes the wrong way in one party's view then the result is either losing out on money they think belongs to them or taking more expensive action to recover it, possibly via the courts.

This is true in literally any transaction, at some level. I mean, even in a cash-on-the-barrelhead scenario there's the possibility of bad faith or swindles, so I have no idea what your point is.

>Ultimately I think everyone has to learn to be more responsible about these transactions.

This is one of those things that sounds true and wise, but is actually just noise.

>Of course it shouldn't be possible for a merchant to take money from a customer without authorisation,

It will perhaps surprise you that it ISN'T, and that the disputes in discussion are generally over overbilling or billing after permission has been revoked.

>but equally it shouldn't be possible for a customer to arbitrarily reverse a payment several months later even if the merchant has done nothing wrong, or to cancel the payment authorisation as some sort of informal proxy for cancelling a legal contract with a merchant.

Truly, the merchants are fortunate to have such a wise defender in Silhouette!

>I think the direct debit schemes tend to be better at this sort of thing than the card schemes.

You have not even APPROACHED explaining why you think this, or why anyone should agree with you.

As long as there are automated billing systems, there will be errors.

In the scenario I outline, Amex functions as an intermediary, so a screwup doesn't literally take money from my account. This is objectively preferable to your scenario, where that's precisely what would happen.


I concur!


I get this. Seems like it would be a USP if a bank could offer the same level of protection? Plus the same rewards as Amex?


Yes, that's how AliPay and WechatPay work in China and they have no significant fees.

There are direct debit schemes that are widely used.


Agreed, Direct Debit is a very common way to pay.


Not quite, because of fraud.


Surely a bank can offer fraud protection?


I had a similar problem with a website that sells t-shirts. I signed up for a particular t-shirt campaign, providing my credit card number. The campaign didn't get enough joiners, so was cancelled. A few months later, I have to get a new number because of fraud elsewhere.

Fast-forward a year after that t-shirt campaign and now I'm seeing a charge for the shirt. Um ... no? I call the bank and they immediately reverse the charge. But oddly (I thought at the moment) the agent on the phone mentions how they'll let previously used merchants continue to charge on the old number.

I contacted support for the t-shirt folks, and they acknowledged that they'd re-initiated the campaign, found they had enough takers, charged folks, printed shirts and were sending them out. I asked about email notification. Oh, yes, of course they sent email notifications. The date on the email I finally received (four days later) was dated two days after the charge appeared.

I still received a t-shirt and the charge didn't reappear.


This happened to me with an oil company. They refilled my tank when it was 3/4 full and charged me a couple hundred for the privilege and acted like they were doing me a favor. I had just gotten a new card and they complained that they weren't able to charge me. Two weeks later they charged me anyway.


I highly recommend virtual card numbers through capital one's chrome extension called Eno: https://chrome.google.com/webstore/detail/eno®-from-capital-...

They really nailed the UX of generating and managing virtual CC numbers per use case.


For years AmEx has allowed recurring charges to continue after a number or expiration date change. But I'm pretty sure they don't share new information with the merchant as part of that.

It's nice after a stolen card number to know recurring charges will continue automatically.


I believe Monzo (Fintech bank) are starting to implement this. Sounds useful really.

https://community.monzo.com/t/monzo-labs-share-card-replacem...



I reported a card lost and got a new number to avoid SiriusXM. They're still billing!

There should be a way to lock a card completely, in a way that prevents ongoing charges.


This has happened to me for many online purchases: Steam games, Amazon, GOG, etc. Kind of useful, but also a little confusing and sketchy.


It's so annoying. Is there any card which can give me something like a notification in the mobile app before a subscription charge occurs? Maybe once per day, with all the transactions that are about to happen, so I can manually cancel the undesirable ones. Sort of 2FA for all transactions, where the second authenticator is the mobile app. That would be ideal for me.


Why do credit cards have expiration dates?


I'm assuming for the same reason passwords have an expiration.

Bad security theater and lack of understanding of computer security. I'm sure there's a PCI reason in there as well.


I kind of like that when my card dies, in theory, so do any charges / card data that someone might have ...


This happened to me as well, just a month ago. Also a Visa Debit user; I'm based in Europe however.


Related question - Are there any services offering virtual credit cards in Australia presently?


In their FAQs: "Visa and Mastercard expiry dates will automatically update in your PayPal account using the Visa and Mastercard update feature offered to all card holders."

https://www.paypal.com/uk/smarthelp/article/how-do-i-change-...

and their T&c's say: "3.1 Linking your Funding Source. You can link or unlink a debit card, a credit card, a pre-paid card (in certain cases), a bank account and/or PayPal Credit as a Funding Source for your Account. Please keep your Funding Source information current (i.e. credit card number and expiration date). If this information changes, we may update it at our sole discretion without any action on your part, according to information provided by your bank or card issuer and third parties (including but not limited to our financial services partners and the card networks). If you do not want us to update your Funding Source information, you may contact your bank or card issuer to request this or remove the Funding Source in your Account Profile. If we update your Funding Source information, we may retain any preference setting attached to it.

You may choose to confirm your card or bank account, so that we can verify that the card or bank account is valid and that you are its owner. We may allow you to do this by following the Link and Confirm Card process (for cards) or the Bank Confirmation process (for bank accounts) or other processes which we may notify to you or which we may publish from time to time."

https://www.paypal.com/uk/webapps/mpp/ua/useragreement-full

Interestingly, it says "If you do not want us to update your Funding Source information, you may contact your bank or card issuer to request this", so I assume you can ask the bank to not share updated details with anyone.

Seems there is also an API that banks could use to let customers know which retailers received the updated details - that would be nice, and would also help to see what services that are no longer used still have card details on file.

https://developer.visa.com/use-cases/identify-merchants-rece...

I wonder if this is something that Stripe et al. would ever implement on their side, so that it could be an opt-out per service - i.e. they just ignore the update for a particular card and service implementation?


Has anyone considered that your information is uniquely yours and has value, so unless you have given permission for it to be used, the people paying for it and/or selling it owe you a royalty?


Hacker News has a disproportionate number of those people. Many other people have never considered it. Many other people have considered it and chosen convenience over consent.


Information doesn't become proprietary just by having value. Inventions, creative work, trademarks... only these are treated as property.


Does that apply to a credit card, which is somewhat your bank's, containing a chip that somewhat belongs to Visa or Mastercard?

Your personal information is so valuable that some governments fiercely protect it, it's why the GDPR is popular in the area it covers.



