Credit card data on Internet: User beware

One of the best things about the Internet is how it has taken all the legwork out of shopping.

Without so much as having to put on shoes, you can compare prices, read product reviews, monitor sales and chat with stylists.

To buy something and have it delivered to your doorstep, you barely have to lift a finger - just enough for a few mouse clicks.

Sometimes you don't even have to do that much. Gift websites that record important dates and send flowers on your behalf ensure that you never miss a birthday or anniversary, through virtually no effort of your own.

Retailers can also "remember" your regular purchases - such as cat food or laundry detergent - and allow you to schedule automatic deliveries every month.

Such recurring services are possible because you can - and indeed are encouraged to - leave multiple billing and shipping addresses, as well as all your credit card information, on file with the retailer.

And that is also one of the biggest dangers of the Internet: that it is taking a lot of the brainwork out of shopping. Online short cuts allow consumers not just to save energy in choosing what to buy and when to buy it, but also to bypass their usual mental safeguards each time they make a purchase.

That would be fine if all retailers were trustworthy and all transactions went smoothly. But in the real world, the convenience of recurring services comes at a potential cost - which I discovered recently on my credit card bill.

An international financial newspaper had charged me $270, a fee I had not expected. Yes, I had taken out an annual subscription to the paper, but that was in September last year, and I had not agreed to renew the subscription.

In fact, I had planned to cancel the subscription when I received the renewal reminder, which I expected as a standard procedure from any recurring service.

Perhaps the reminder e-mail had gone into my spam folder. I duly sifted through messages offering to make me a millionaire while working from home or granting exclusive access to private photo galleries, but I couldn't find any e-mail from the newspaper.

I then logged on to my account on the newspaper's website, which is when I found something even more disturbing.

The credit card that I had used to pay for my subscription to the newspaper had actually expired in December. I had renewed the card then, which meant the cardholder name and the card number remained the same - but the expiry date and CVV security code on the back of the card had changed.

And yet the newspaper had somehow been able to charge another year's subscription fee to my - expired - credit card.

I immediately sent e-mail messages to the newspaper in question as well as my credit card issuing bank to ask for an explanation. Their replies raised even more questions.

The newspaper's service representative - let's call him Mr M - told me, rather glibly, that the company recognises "how important reliable access to our world-class content is to our subscribers and we make every effort to provide a continuity of service".

This apparently includes participating in schemes provided by Visa and MasterCard "for the updating of card details wherever possible so that in a continuous billing model such as ours we can avoid unwanted breaks of service".

Mr M added: "A number of attempts are then made to process a payment should one fail initially and often this is successful."

Put simply, merchants such as the newspaper are tying up with credit card issuers to "update" the details of customers' expired cards - so they can go right on charging them.

How do they know what to update? My bank shed more light on this practice.

"The merchant will not be able to charge on a card that has expired," it assured me. "However, there is a possibility that the merchant might have tried (to use the card) with a different expiry year."

I had a mad vision of the newspaper's accounts executive patiently typing in various expiry dates before finding one that worked. But a quick online search led to the discovery that most renewed credit cards are just extended by three or four years.

In other words, after the newspaper tried my credit card and had the transaction declined, it may have simply shifted the expiry date three or four years forward and tried again - and this time it would have gone through.

What about the CVV code on my credit card? The three- or four-digit card verification value is supposed to ensure added security for online transactions by providing proof of possession of the physical card.

Again, my bank helpfully provided some insight. Although CVV codes are "usually required" for online payments, this is not necessarily true for recurring transactions, it said.

In my case, "the merchant's bank may have informed the card-issuing bank to process the charge as a recurring transaction", the bank added.

This means that "even if the cardholder's credit card has expired, the recurring charge will still go through as long as the credit card account is valid and active".

Merchants also have a choice as to whether to ask their customers to furnish CVV codes, a former banker friend told me. The code is not actually compulsory for online transactions.

Fortunately for me, the poor customer service provided by the newspaper also offered me a way out of my problem.

"As agreed on T&C, you need to notify us any time before the next renewal date in order to process the cancellation," Mr M had told me sniffily. "I have checked our records but am unable to find any related request for cancellation."

So I looked up the subscription terms and conditions, which stated that I was entitled to a reminder e-mail at least 14 days before each renewal. I confronted the newspaper with this, and another representative agreed to refund me the unused portion of the renewed subscription, amounting to about $250.

Rattled by this experience, I set about trying to delete my credit card data from the Internet. The only problem: I couldn't recall all the websites on which I may have saved my card details. I had never bothered to remember.

When asked, many friends couldn't recall their online shopping history either. Our carelessness - coupled with sneaky tactics by some merchants - means credit card information may become as difficult to purge permanently as nude photos.

That's a real problem because all personal data stored online faces security threats we're just beginning to understand.

Amid the near-constant stream of customer information and password leaks, consumers need to take more precautions in online shopping, especially when signing up for recurring services or saving their data on file.

In Japan, a nation that still largely eschews credit cards, this problem is sidestepped by allowing consumers to pick up their online purchases at their nearest convenience store, where they can also pay in cash.

Another solution could be to ask for a new number when you renew your credit card, or switch to another bank every once in a while.

For me, as soon as my outstanding refund is processed, I plan to cancel my current card immediately and apply for a different one. I may even do so at a different bank, just to be safe.

No doubt this will cause some inconvenience. But in the long run that's a small price to pay for financial safety.

fiochan@sph.com.sg


This article was first published on Nov 2, 2014.
Get a copy of The Straits Times or go to straitstimes.com for more stories.