> The would turn me down because I am concerned about my financial transactions?

No, they would turn you down because you cannot present to them their risk guarantee criteria that enable their low prices.

> No, they would turn you down because you cannot present to them their risk guarantee criteria that enable their low prices.

What kind of risks are they putting up with without a photograph of my credit card?

Stolen cards? People deactivate their cards when the cards are lost. And if people don't, then the thief has an active credit card and can very well send the copy.

I won't make my payments? How does the photo of my credit card help? It makes sure I have a credit card - it doesn't make sure you can make transactions on my card(limit reached, card blocked, payment disputed) etc.

Banks might be less likely to reverse a charge if you have a photo of the credit card and an ID of its holder. [citation needed]

My company provides a free online form service and I've banged my head regarding the abuse that hits the fans: Nigerian spammers using our service to do identity theft, disguised password collection forms, harvester accounts being automatically created on a daily basis and what not. I'd hate to imagine what Hetzner has to put up with.

Ultimately it's their choice to set their abuse verification threshold and their prices, and your choice to accept it or go elsewhere.

I am from India, have a server with them and was not asked for any documentation. May be it is a recent change.

Given that you pay for the server in advance, a VPS is essentially zero risk for them. I am also surprised by this requirement.

>Given that you pay for the server in advance, a VPS is essentially zero risk for them.

It is not zero risk, the risk is quite high. A credit card company may reverse a transaction reported as fraudulent unless they perceived the fraud report was incorrect / steps had not been taken to prevent fraudulent card use. Web servers are good resources for uses which are often funded by fraud.

> Given that you pay for the server in advance, a VPS is essentially zero risk for them. I am also surprised by this requirement.

I am still not fully convinced, but this post makes some good points.

http://news.ycombinator.com/item?id=3899929

It's definitely not a recent change, they required a copy of a photo ID as early as 2005 when I got my first server there. Don't remember being asked for a credit card scan ever though.

I didn't have to give them anything (I'm in the UK) but a client in Australia did. So maybe there's an EU thing at play (or just a risk assessment based on countries' fraud levels).

I got my server just over two years ago and they requested a copy of photo ID, but not of credit card.

It's normal. Myself and another person I know had to do it too.

The first reason has been explained already: They are afraid of (online) credit card and identify theft.

The second reason, why a lot of people (especially from Germany) will not be asked to provide a scan, is that they have a credit history in Germany. It is really common to check your credit history first. The german credit agency they are using probably has no information about you, that is why Hetzner wants to make sure that you are not trying to defraud them.

It can be really tough to buy stuff online in Germany if the local credit agencies don't have information about your credit history.

when i ordered, i shared my apprehension with the credit card phone, but they wanted only the last 4 numbers to be visible, i blacked out the other numbers with mspaint and sent it across.

>My bank lets me creates virtual credit cards and link with my card/account.

What bank are you using?

ICICI

TLDR: You do almost the same thing in the USA, only it is automated. We have the patriot act which requires collecting a lot of info-- the US has centralized databases (namely credit reports) that allow easy authentication of people. Outside the USA, they don't have the patriot act, but they have a lot of similar laws, and thus collecting a copy of your passport lets them know you're not an identity thief and lets them satisfy "know your customer" laws in their country. In the US the same thing can be authenticated by running a check thru a database, though in the US the law doesn't care whether you're an identity theif (which is why you don't need photographic proof) but whether you're on a terrorist list... the latter can be done just from the info you give.

They are the target of people who want to run torrent servers, criminal irc chat rooms, and stuff like that. These are not the customers they want. They also don't' want to incur the cost of setting up a dedicated server for someone whose just giving them stolen credit card info.

Since often stolen credit card info is distributed in text form, the theifs don't have access to the physical card. Showing you have access to the physical card and the physical passport does not prove that you didn't steal both from the rightful owner, but eliminates those people who just bought a list of credit card numbers.

While stolen cards are often cancelled relatively quickly, this can take anywhere from days to weeks to process thru, by which time they will have incurred the real labor costs (that they charge the 150 euro setup fee to cover) only to have those charges reversed because the card was stolen.

One thing that was illuminating for me as an american is the discovery that our banking system is set up very differently from many other countries. Thus things that are easy for us, are not as easy for them. (Taking a credit card is harder for a merchant outside the USA because the credit card system originated in the USA under the US legal structure. This is why shopping online is less common in, say, south america, than it is in north america.) Other things that are hard for us are easy for them-- if you want to give your friend $20, you just log into your bank and send him the money. The entire purpose of paypal was replaced outside the US as a simple feature on bank websites.

Asking for a photo of your passport and credit card is not really out of line. I understand why you would be hesitant to give these things up as an american-- when I first started doing business internationally, I was very hesitant as well. After awhile, though, you realize that trustworthy businesses are trustworthy. The data I'll be putting on hetzner servers is much more valuable than the image of my passport (Which every low paid border agent at a third world country I visit gets a copy of.)

If I can't trust them with my passport image, can I trust them with my data?

> This is why shopping online is less common in, say, south america, than it is in north america

not completely true: I'm a south american (Chilean) currently living in the US. Shopping online in south america is not as common because: a) access to credit cards is not as common as in the US b) there's only few companies doing the inter-bank connection and credit card processing, which btw charge some excessive fees, c) because of the previous two things, there's no culture for online payments, although that's changing. Oh, yes... also d) interest rates are stupidly high.

> if you want to give your friend $20, you just log into your bank and send him the money

Totally true: internet banking is so, so much easier in Chile than here in the US, that I really miss it! Back in Chile I could easily transfer money from my personal account to a friend's account instantly and from the bank's web site, with no fee. No wire transfer but seamless inter-bank money transfer. The security while it could improve is very good...

Anyway, just a side comment on comparing online and internet banking in south america and the rest of the world :)

You can most likely do that if your friend is using the same bank. Also, paypal is always an option.

Yes but there are so many banks this is unlikely. In the rest of the world it just works.

I mostly agree with what you say.

I was a bit angry because they didn't mention this at the time of signing up. It might be somewhere in the t&c but I think this kind of information should be explicitly told viz. we require your passport and credit card photo to sign you up with our service.

I didn't like the callousness with which they request the information. Another commenter mentioned he talked to them and they said only last 4 digits of the card would do for the photo. Now isn't this the kind of information they should be providing along with the request?

I understand I am giving them my card data for payments and the photo of my card contains less data than what is already there with them. But there are legal requirements for storing credit card info on which I can count. There are no such requirements for a photo of credit card exchanged over mail.

> The data I'll be putting on hetzner servers is much more valuable than the image of my passport

I was more concerned about credit card. I did find the passport request a bit weird, but then I had the same line of thought as you - a copy of my passport is with my employer, my landlord, custom offices and a bazillion other places. Identity theft is a possibility but an established business comes very low on the list of threats.

> I understand why you would be hesitant to give these things up as an american-- when I first started doing business internationally, I was very hesitant as well.

I am an Indian living in India. India as a nation is a late entry in online playgrounds, and as a result, most of us are skeptic when dealing online. As I detailed in my parent post, I mostly use my virtual credit card to make the payments with the limit set to the amount I am going to be charged to avoid being scammed(page says x, you charge me 100x). That is not a concern with established businesses though.

> a copy of my passport is with my employer, my landlord, custom offices and a bazillion other places

It is? Where do you live that this is a normal thing?

You are renting a server in Germany. If you were a german citizen, they would ask you a copy of your id. Since you are a foreigner they ask you for a foreigner identification, which is the passport.

Aside from the passport, when I first rented a server there I had to send a ¡PHOTOCOPY¡ of my credit card and send via FAX. That was the truly weird thing :)

I tried everything to not send things via fax, but then I understood that they must receive hundreds of request from fake people with fake id and fake credit card. If they don't have at least the photocopy of those it means that you're probably a fake trying to get a server with someone else data.

In the end I decided to send the data anyway, since it's a huge corporation and they're based in Germany. If it was based in some shady place, I would never send the data.

As a brazilian, I find it somewhat strange, but not that much.

Not only we have a national ID system (not one, but two systems, both with unique numeric IDs), we are required to photocopy them, along with proof of residence and several other things (for instance, something to prove that you do have an income and how much), in order to perform simple actions such as cellphone purchases (with a plan). You'd have to provide "only" your ID (CPF) with a pre-paid plan.

To be employed at most places, that same info has to be provided, more or less (you don't need to prove income, but you'll probably be required to provide a criminal record).

This is probably because of how trustworthy we are perceived to be. Nothing gets done without at least a proof of identity (sometimes, even using check or credit card purchases at regular stores). Not to mention the fact that we are..."advised" to carry ID papers everywhere, and the police will be somewhat displeased if they decide to take an interest on you and you have nothing with you to prove who you are, even though I am not aware of anything resembling a "Stop and Identify" law. I was never asked to provide ID, though. Were I black and poor, my guess is that it would have happened several times already, along with random street searches.

All that said, I've never had to provide my passport to anyone, anywhere, except US embassies. Most brazilians are not required or even expected to have one (and is not required when travelling inside Mercosul).

> It is? Where do you live that this is a normal thing?

When I joined my first job, my employer asked for my passport(id proof), college mark sheets(unless you score x, you aren't eligible for the job), high school mark sheet(10th and 12th grade - some employers require a min of x grades to be eligible) etc. It's quite common for the employer to ask for the id proofs and grade sheets for the first job. I held only one job, that too fresh out of college; so I can't tell what documents are required when you change jobs.

As far as landlord goes, there is a legal requirement that landlords know the identity of the tenants. For their own safety and to fulfill legal requirements, landlords ask for some sort of id proof. It need not be passport though.

Same procedure in South Africa, though generally the local identification document is used not the passport. For example to get a cellphone contract: Proof of residence (utility bill), the ID mentioned above, a bank statement and a payslip.

> I am an Indian living in India.

Unless you were looking for something more specific.

Just curious; it seems very odd to me - definitely something that would be strange to most people in the US.

Is that common practice in India, are are your circumstances unusual?

"You do almost the same thing in the USA, only it is automated. We have the patriot act which requires collecting a lot of info-- the US has centralized databases (namely credit reports) that allow easy authentication of people. Outside the USA, they don't have the patriot act, but they have a lot of similar laws, and thus collecting a copy of your passport lets them know you're not an identity thief and lets them satisfy "know your customer" laws in their country."

This is quite possibly one of the oddest things I have read all day, and what, the 5th time the patriot act has come up in this thread? What in the world does the Patriot Act have to do with credit card transaction authorizations? You also seem to imply that credit reports are used to authorize individual card transactions, please provide a citation as I have never heard of this.

Your post very nearly hit on exactly the issue, but was clouded by this first paragraph.

So, let's make it clearer: the reason for asking for a scanned copy of the credit card is to prove the person who made the transaction had a physical copy of the card with an impressed number on it. This is used as a means of reducing the chance of loss in the case of a chargeback as online transactions do not require swiping a card through a POS terminal which normally proves the presence of the card by reading the magnetic stripe[1]. An impression or image of a card is one of the most important means of reducing your liability as a merchant during a chargeback[2]. The scanned copy of the passport is just further validation. We do the exact same for any transaction initiating from a country where we have received a heightened rate of chargebacks from customers based in that country.

Your confusion about the Patriot Act seems to not differentiate the idea of an individual transaction from setting up a transaction account. Perhaps you should read up on that more. The Patriot Act anti-money laundering aspects are not about validating every single transaction through a government database, but about validating the identity of a person requesting to open a new account. [3]

[1] http://www.aic.gov.au/documents/B/6/4/%7BB64DD6E5-3B79-4920-... [2] http://www.heartlandpaymentsystems.com/article/Manually-Impr... [3] http://www.fincen.gov/news_room/rp/rulings/html/312factsheet...