
Credit cards automatically providing updated card info to subscribing merchants - emptybits
https://www.cbc.ca/news/business/banking-information-shared-with-third-parties-1.5102931
======
davidgh
Here’s an interesting one: when your card is compromised and a new card number
is issued, many banks will allow charges to continue using the old card
number, provided the charges were occurring on an ongoing basis from that same
merchant before the compromise. This is designed to prevent disruption of
ongoing subscriptions in the event of compromise.

About a month ago I was reviewing my statement and noticed I was being billed
by Spotify twice each month. I contacted Spotify to ask why they were billing
me twice, and they asked for my account info and indicated my account was only
being billed once. They then asked for the first 6 and last four of my card
number to search that way, and again indicated I was only being billed once.

I sent them a screenshot of my online account statement at which point they
agreed they were billing me twice but could not find the origin of the
duplicate charge.

Finally it dawned on me - my bank had sent me a new card a long while back
because of a suspected compromise. I’d had that card for a long time, and had
the number memorized. I gave the old card number to them and bam - they found
the source of the fraudulent transactions.

This means that even though my card number was compromised and cancelled, it
can still be used for payment at any merchant for which I’ve had an ongoing
subscription. Since these are merchants I do business with, it makes it doubly
hard to notice the fraudulent charges as seeing “Spotify” or “Netflix” or
whatever does not raise my eyebrow. Only in a careful month by month review
did I pick up on the fraudulent transactions.

As a side note Spotify was very quick to reverse the duplicates and appear to
have blocked that old card number from being used in their system again.
Although a frustrating experience overall, they were very good to work with.

~~~
dhimes
This happened to me in a different way: I was giving recurring payments to a
.org. I kind of knew how much I wanted to give, but instead of a lump sum I
figured I would do recurring for a year. It would give them a little more and
seemed to make the guy at my door happy.

Now with this organization, you can donate via the website but to cancel a
recurring donation requires a phone call. I called a couple of times to try to
cancel but didn't reach anybody. I admit, I wasn't _too_ concerned (a good
organization overall), but I was a little pissed nevertheless.

My credit card was skimmed, and I had it cut off. I figured this would solve
my problem with the donations as well. Nope.

About two years later my wife (who actually handles the bills in the family)
asked me if I wanted to continue those payments. I was pretty shocked, and
persisted with the phone calls until I reached somebody to cancel.

Surprise!

I consider the "signing up can be done on the web, but canceling requires a
human" to be a dark pattern.

~~~
wlesieutre
_> I consider the "signing up can be done on the web, but canceling requires a
human" to be a dark pattern._

And illegal in California as of last year. Hopefully them forcing companies to
allow online cancellations will mean it's available for the rest of us too.

[https://www.cnet.com/news/companies-must-let-customers-cance...](https://www.cnet.com/news/companies-must-let-customers-cancel-subscriptions-online-california-law-says/)

~~~
tialaramex
Yes, this is the correct fix (well, not the part where everybody else has to
rely on California but the rule that if you can sign up by method X you can
cancel that way too)

My ex-employer was surprised that when they were obliged by law to stop
routing everybody through a retention call center, customer satisfaction
improved. Too much of their own Kool-Aid had been drunk; they'd persuaded
themselves that customers wanted to be reminded of the benefits and offered
other deals by a human so much that they'd hate even having the option to just
press "Cancel" on the web site and leave that way.

It's an old Joel Spolsky lesson: if you make leaving a pleasant experience,
that customer may come back some day. If not, you're never going to see them
again.

------
defterGoose
This very program by visa allowed LA Fitness to steal several hundred dollars
from me after I thought I had unsubscribed (they are also known for being
unscrupulous about customer subscriptions). I thought I had cancelled my
account, and was unworried about them continuing to charge me because I had
recently gotten a new card number anyway. Well, unfortunately WF/Visa had
given them my updated card info without my knowledge at a time when I didn't
check my statements for several months (I audit charges MUCH more regularly
now). They had kept my account active because I hadn't realized how convoluted
their "unsub" process was and hadn't jumped through all of their over-the-
phone hoops. Long story short I was out several hundred dollars over the
course of almost a year, and the CC people were unwilling to help because the
charges went undisputed for many months. A very angry visit back to the LA
Fitness location was the only thing that remedied the continuing subscription,
but I never got my money back. Caveat Emptor.

~~~
jrobn
I worked for a small local company that stored credit card details in plain
text. Including CVV. I brought it to their attention and the owner just hand-
waved me off. “The working system was working”.

This is why cards like The Apple Card, which allows you to generate cards on
the fly, is better for consumers. Just generate a card for LA Fitness and
delete it when you close your account. This would eliminate a big chunk of
fraud (including the shady shit LA fitness does) when your card details are
sitting in many databases (some of which are not encrypted in anyway).

I’m not saying Apple card is great, just that feature of it.

~~~
Zenst
That's a great feature and one I was looking for two decades ago - glad that
somebody is finally using technology to empower users in this way and it
should be the norm for all online card usage. I just lament that it has taken
a 3rd party card offering to accommodate this and it is not being driven by the
main card players (Visa, Mastercard).

~~~
mwexler
Many banks (Citi, for example, has it at
[https://www.cardbenefits.citi.com/Products/Virtual-Account-N...](https://www.cardbenefits.citi.com/Products/Virtual-Account-Numbers))
have offered this for almost a decade. Visa and MC both support it
at the network level globally, and are in fact the reasons that virtual
account numbers work.

Consumers have routinely ignored this feature. Like so many security things,
it's just not sexy enough for them to care and take on the hassle of older
clunky solutions. The rise of digital payments and the movement away from a
plastic card is making this much easier on people, by embedding the
virtualization in the flow automatically instead of making users take steps to
generate and manage.

But those who cared could always do this. It's just that so few cared.

~~~
howard941
Too few creditors offer the feature even though the networks support it. PNC
wouldn't, their customer service lady looked at me like I had three heads when
I asked her if they supported it. Amex's blue card used to and may still
support one shot numbers that were very easy to generate online. Capital One's
"Eno" browser plugin generates merchant-specific card numbers but the plugin
makes it difficult to generate numbers to use off-web although the backend
validates the merchant name and rejects charges that don't match the expected
merchant as I discovered with a Dell-bound number on the Dell factory
clearance site.

~~~
dontbenebby
Capital One once denied me the ability to pay for a hotel room in Canada,
after I had explicitly contacted them in advance with my travel plans, had
booked the plane tickets on the same card, and paid some small items in the
airport back home and upon arrival. Given how many transactions they process
it should have been abundantly clear I was using my card in a normal manner.

I would never trust them to handle anything more complex like virtual card
numbers.

------
obeattie
This isn't new and has existed for nearly 20 years. Visa's implementation is
called VAU (Visa Account Updater[1]) and Mastercard's is ABU (Automatic
Billing Updater[2]).

Issuers (banks) have to provide the details of these new cards to
Visa/Mastercard, and the systems are certainly capable of updating the details
of debit cards. It sounds like TD had a bug where they sent updates for cards
which they shouldn't have, i.e. TD broke their own rule about only enrolling
credit cards.

Card details which do not automatically update are really frustrating for
customers – especially on services like Uber. In nearly all cases the customer
is going to go and give the merchant their new card details anyway. My
understanding is that if a card is compromised (as opposed to being lost) then
banks should not provide the new details. There isn't really much _additional_
privacy or security risk here beyond those posed by merchants/acquirers
holding onto card details already – provided banks do it right.

Though zooming out a little, long-lived payment tokens shared among every
merchant a user shops with being the way things are still done is crazy. How
long it has taken to roll out EMV (chip cards), especially in the US, shows how
hard it is to effect change in vast, three+ sided marketplaces like card
networks.

[1] [https://developer.visa.com/capabilities/vau](https://developer.visa.com/capabilities/vau)

[2] [https://developer.mastercard.com/product/automatic-billing-u...](https://developer.mastercard.com/product/automatic-billing-updater)

Disclosure: I work for a bank.

~~~
Canada
I prefer to be able to choose whether my card details are updated. By default
I do not want updates. I will definitely give Uber my new card, but I like how
card expiration kills subscriptions I don't care about without me having to do
anything.

~~~
scarface74
That’s just like people who are going to be “smart” and use a card with a low
credit limit to attach to their hobby AWS accounts.

Just because the charge was declined when you were billed doesn’t mean you
don’t owe the money.

~~~
robotastronaut
A subscription is a bit different as you pay in advance. If the charge fails,
you generally lose access to the subscribed service. That's not the same as
using an AWS resource, being invoiced for that use, then not paying it.

~~~
scarface74
That’s fair and in most cases, you can just update your card information and
nothing is lost. But what if it is for a renewal of something like a domain
name or backup service where you would lose data if you don’t renew?

------
sbr464
I’m personally on the side of opt-in/choice, maybe due to the traditional
nature of controlling your credit card.

Although, I’d love to see a show of hands from anyone IT related that hasn’t
witnessed an outage caused by an expired card/billing account issue. Oh the
SSL certs, exchange servers, SaaS apps, domains, etc I’ve seen go up in flames
temporarily because of billing issues over the years.

------
Causality1
This has been happening in the US for a long while. Several years ago I had
significant trouble terminating an Xbox Live Gold account. Exasperated, I
canceled my card and got a new one. The next two months the charge was still
on my bill. I eventually discovered the problem related to two separate
accounts linked to my email address with and without a period in it, with
Google considering the addresses identical and Microsoft considering them
different.

~~~
jetrink
In the United States, you can also work directly with your credit card company
(or bank, in the case of a debit card) to stop a recurring charge. This is
possible due to the Fair Credit Billing Act [1]. You might also be refunded
for recent charges, if you have evidence that you contacted the vendor and
attempted to terminate the service and were billed anyway.

1. [https://en.wikipedia.org/wiki/Fair_Credit_Billing_Act](https://en.wikipedia.org/wiki/Fair_Credit_Billing_Act)

~~~
jrobn
So I have to record my phone conversation with the vendor I want to cancel
just in case I need to go to my bank and have them terminate? This is
ridiculous and why consumer protection laws should be a thing.

~~~
FireBeyond
Right!

You are the bank's customer. They don't need to protect the ability of vendors
to bill you. I've had this argument before. "If canceling this
subscription/ability to bill causes a dispute or debt or contract issue with
the vendor, that's on me. I don't need you being 'helpful', or worse,
_refusing_ to remove unauthorized transactions."

------
purple-again
This is clearly a valuable service that just makes sense. To me the only
viable argument here is the age old Opt In versus Opt Out argument that the
United States and Europe can never agree on.

To me this makes perfect sense to be Opt Out. I would hazard a guess that 90%
or more of consumers absolutely want their merchants to all keep going as
expected when they for example lose their credit card on a trip and call to
get a new one sent to them.

Keep in mind that the average consumer (at least in my observation) saves ALL
of their credit card information for easier purchases in the future, a
practice that probably has a much smaller overlap with the traditional HN
crowd.

------
dade_
Read the article, the credit card company didn't provide PayPal the info. As
the story unfolded, we find out that the update was done through PayPal
shenanigans that they refuse to explain:

"After initially telling Go Public it got Acuña's information from the
"account update services," PayPal backtracked a few days later, saying the
account updater service "doesn't apply" in Acuña's case.

So, how did PayPal get her new expiry date? It won't say, citing customer
confidentiality — even though Acuña agreed to waive confidentiality to allow
the company to answer Go Public's questions."

------
leejo
As other comments have pointed out - the facility to update the details of an
expired or cancelled card has been available to merchants / payment providers
for years if not decades. I do recall that the type of transactions had to be
specifically marked as so at the initial authorisation stage ("Continuous
Authority" IIRC) and that would allow the initial auth code to effectively be
reused. Visa and Mastercard would then provide a service that allowed you to
update card details for those that required it (I can't remember if it was
push or pull though).

I do also recall there was a problem when 3D Secure / Verified by Visa was
involved - IIRC while the Continuous Authority transaction type allowed an
indefinite length of reuse, 3D Secure / VByV only allowed up to 90 days (may
have changed or may be a detail of the spec I'm forgetting).

The point is, don't assume cancelling your card will result in cancelling of
any recurring debits or allow you to get out of a contract. You have to cancel
them with the merchant to make sure they don't continue to charge your new
card.

------
pcr0
Even without an updater service, obtaining the new expiry date isn't too
difficult, as alluded by this HN comment from 2011:
[https://news.ycombinator.com/item?id=2502530](https://news.ycombinator.com/item?id=2502530)

~~~
laurencei
I renewed two credit cards recently, and both included a new CVC number in
addition to the expiry date.

~~~
obeattie
CVCs cannot be used for recurring payments (beyond setting the subscription
up) and merchants/acquirers are forbidden from storing them at all.

------
sofaofthedamned
It's been around for a few years
[https://developer.visa.com/capabilities/vau](https://developer.visa.com/capabilities/vau)

------
leowoo91
I wish I had this with my web clients in past, I had to recover their micro
sites many times because they had forgotten providing new payment information
to the provider.

------
mercwear
This is a well-known feature in the SaaS billing world - most large gateways
and billing systems (think Stripe, Recurly, Zuora, etc...) have supported this
for years. In a recurring revenue model MOST clients are paying via credit
card and even when you are a small company, credit cards expiring creates a
significant challenge. The auto-updating of cards at the gateway / payment
processor level helps mitigate the impact.

------
smarri
Do we still need the credit card schemes for payments? Could move to a world
of bank account to bank account payments, stripping out the payment layers?

~~~
ubermonkey
We certainly COULD but I wouldn't.

By having Amex between me and a whole host of recurring-billing vendors, I
have a kind of firewall. Amex is on my side reflexively if there's some kind
of disagreement or dispute, and will reverse the charge.

If it were my debit card in play, or bank-to-bank transfer, the money would
actually be GONE until I was able to convince the merchant, or the merchant's
bank, to give it back.

~~~
Silhouette
_By having Amex between me and a whole host of recurring-billing vendors, I
have a kind of firewall. Amex is on my side reflexively if there's some kind
of disagreement or dispute, and will reverse the charge._

But this is a double-edged sword. There is always a cost to this kind of
scheme, and one way or another it is always going to be passed on to the
customer. There is also an inherent risk in this kind of scheme, in that some
quasi-judicial process is making decisions about who gets to keep the money in
the event of a dispute, and if it goes the wrong way in one party's view then
the result is either losing out on money they think belongs to them or taking
more expensive action to recover it, possibly via the courts.

Ultimately I think everyone has to learn to be more responsible about these
transactions. Of course it shouldn't be possible for a merchant to take money
from a customer without authorisation, but equally it shouldn't be possible
for a customer to arbitrarily reverse a payment several months later even if
the merchant has done nothing wrong, or to cancel the payment authorisation as
some sort of informal proxy for cancelling a legal contract with a merchant.

Aside from the excessive time periods for challenging payments
retrospectively, I think the direct debit schemes tend to be better at this
sort of thing than the card schemes. Typically, you have a specific payment
authorisation (which can be cancelled from the customer's side) and you also
have a requirement to give advance notice of recurring payments so there is
time for the customer to act if they don't agree with them for any reason.

~~~
ubermonkey
I'm really not sure what you're saying here, which is surprising because you
said so much of it.

>But this is a double-edged sword.

No, it's really not.

Yes, I pay Amex an annual fee for the level of card I carry. I've done the
math, and I get a good value back for this fee -- especially given the level
of customer service AX provides. Paying for a service does not make this a
double-edged sword; there's no downside for me here.

>There is also an inherent risk in this kind of scheme, in that some quasi-
judicial process is making decisions about who gets to keep the money in the
event of a dispute, and if it goes the wrong way in one party's view then the
result is either losing out on money they think belongs to them or taking more
expensive action to recover it, possibly via the courts.

This is true in literally any transaction, at some level. I mean, even in a
cash-on-the-barrelhead scenario there's the possibility of bad faith or
swindles, so I have no idea what your point is.

>Ultimately I think everyone has to learn to be more responsible about these
transactions.

This is one of those things that sounds true and wise, but is actually just
noise.

>Of course it shouldn't be possible for a merchant to take money from a
customer without authorisation,

It will perhaps surprise you that it ISN'T, and that the disputes in
discussion are generally over overbilling or billing after permission has been
revoked.

>but equally it shouldn't be possible for a customer to arbitrarily reverse a
payment several months later even if the merchant has done nothing wrong, or
to cancel the payment authorisation as some sort of informal proxy for
cancelling a legal contract with a merchant.

Truly, the merchants are fortunate to have such a wise defender in Silhouette!

>I think the direct debit schemes tend to be better at this sort of thing than
the card schemes.

You have not even APPROACHED explaining why you think this, or why anyone
should agree with you.

As long as there are automated billing systems, there will be errors.

In the scenario I outline, Amex functions as an intermediary, so a screwup
doesn't literally take money from my account. This is objectively preferable
to your scenario, where that's precisely what would happen.

------
delinka
I had a similar problem with a website that sells t-shirts. I signed up for a
particular t-shirt campaign, providing my credit card number. The campaign
didn't get enough joiners, so was cancelled. A few months later, I have to get
a new number because of fraud elsewhere.

Fast-forward a year after that t-shirt campaign and now I'm seeing a charge
for the shirt. Um ... no? I call the bank and they immediately reverse the
charge. But oddly (I thought at the moment) the agent on the phone mentions
how they'll let previously used merchants continue to charge on the old
number.

I contacted support for the t-shirt folks, and they acknowledged that they'd
re-initiated the campaign, found they had enough takers, charged folks,
printed shirts and were sending them out. I asked about email notification.
Oh, yes, of _course_ they sent email notifications. The date on the email I
finally received (four days later) was dated two days after the charge
appeared.

I still received a t-shirt and the charge didn't reappear.

------
ambicapter
This happened to me with an oil company. They refilled my tank when it was 3/4
full and charged me a couple hundred for the privilege and acted like they
were doing me a favor. I had just gotten a new card and they complained that
they weren't able to charge me. Two weeks later they charged me anyway.

------
sizzle
I highly recommend virtual card numbers through Capital One's Chrome extension
called Eno: [https://chrome.google.com/webstore/detail/eno®-from-capital-...](https://chrome.google.com/webstore/detail/eno®-from-capital-one®/clmkdohmabikagpnhjmgacbclihgmdje)

They really nailed the UX of generating and managing virtual CC numbers per
use case.

------
edwhitesell
For years AmEx has allowed recurring charges to continue after a number or
expiration date change. But I'm pretty sure they don't share new information
with the merchant as part of that.

It's nice after a stolen card number to know recurring charges will continue
automatically.

------
benbristow
I believe Monzo (Fintech bank) are starting to implement this. Sounds useful
really.

[https://community.monzo.com/t/monzo-labs-share-card-replacem...](https://community.monzo.com/t/monzo-labs-share-card-replacements/55935)

------
slvrspoon
Not masked cards:
[https://dnt.abine.com/#premiumreg/](https://dnt.abine.com/#premiumreg/)?

------
unethical_ban
I reported a card lost and got a new number to avoid SiriusXM. They're still
billing!

There should be a way to lock a card completely, in a way that prevents
ongoing charges.

------
mruts
This has happened to me for many online purchases: Steam games, Amazon, GOG,
etc. Kind of useful, but also a little confusing and a bit sketchy.

------
lebed2045
It's so annoying. Is there any card which can give me something like a
notification on the mobile app before a subscription charge will occur? Maybe
once per day with all the transactions that are about to happen, so I can
manually cancel the undesirable part of them. Sort of 2FA for all
transactions, where the second authenticator is the mobile app. That would be
ideal for me.

------
dplgk
Why do credit cards have expiration dates?

~~~
crankylinuxuser
I'm assuming for the same reason passwords have an expiration.

Bad security theater and lack of understanding of computer security. I'm sure
there's a PCI reason in there as well.

------
duxup
I kind of like that when my card dies, in theory, so do any charges / card
data that someone might have ...

------
manjana
This happened to me as well, just a month ago. Also a Visa Debit user; I'm
based in Europe however.

------
amaterasu
Related question - Are there any services offering virtual credit cards in
Australia presently?

------
bennyp101
In their FAQs: "Visa and Mastercard expiry dates will automatically update in
your PayPal account using the Visa and Mastercard update feature offered to
all card holders."

[https://www.paypal.com/uk/smarthelp/article/how-do-i-change-...](https://www.paypal.com/uk/smarthelp/article/how-do-i-change-the-expiry-date-of-my-debit-or-credit-card-faq408)

and their T&Cs say: "3.1 Linking your Funding Source. You can link or unlink
a debit card, a credit card, a pre-paid card (in certain cases), a bank
account and/or PayPal Credit as a Funding Source for your Account. Please keep
your Funding Source information current (i.e. credit card number and
expiration date). If this information changes, we may update it at our sole
discretion without any action on your part, according to information provided
by your bank or card issuer and third parties (including but not limited to
our financial services partners and the card networks). If you do not want us
to update your Funding Source information, you may contact your bank or card
issuer to request this or remove the Funding Source in your Account Profile.
If we update your Funding Source information, we may retain any preference
setting attached to it.

You may choose to confirm your card or bank account, so that we can verify
that the card or bank account is valid and that you are its owner. We may
allow you to do this by following the Link and Confirm Card process (for
cards) or the Bank Confirmation process (for bank accounts) or other processes
which we may notify to you or which we may publish from time to time."

[https://www.paypal.com/uk/webapps/mpp/ua/useragreement-full](https://www.paypal.com/uk/webapps/mpp/ua/useragreement-full)

Interestingly, it says "If you do not want us to update your Funding Source
information, you may contact your bank or card issuer to request this" so I
assume you can ask the bank to not share updated details with anyone.

Seems there is also an API that banks could use to let customers know which
retailers received the updated details - that would be nice, and would also help
to see what services that are no longer used still have card details on file.

[https://developer.visa.com/use-cases/identify-merchants-rece...](https://developer.visa.com/use-cases/identify-merchants-receiving-automatic-card-updates)

I wonder if this is something that Stripe et al. would ever implement on their
side, so that it could be an opt-out per service - i.e. they just ignore the
update for a particular card and service implementation?

------
Halluxfboy009
Has anyone considered that your information is uniquely yours and it has value
so unless you have given permission for it to be used the people paying for it
and/or selling it owe you a royalty ?

~~~
TallGuyShort
Hacker News has a disproportionate number of those people. Many other people
have never considered it. Many other people have considered it and chosen
convenience over consent.

