
Amazon Knows Your New Bank Card Number Before You Do - jeremyleach
https://www.theguardian.com/money/2017/jan/12/how-amazon-know-new-visa-card-information-before-me-natwest
======
ChemicalWarfare
As others pointed out this is a rather standard flow handled by the account
updater service[s]. What I would add is most of the time the merchant doesn't
store your payment instrument data other than last 4 digits and an expiration
date just so the card in your "digital wallet" can be identified in the UI -
"Your Visa ending in ...1234" type deal.

Instead, they store a token provided to them by the payment processor which
represents the card. That token stays the same even if your account info gets
updated. So the only thing the merchant updates is the "metadata" of the
payment instrument for end user's convenience. The actual heavy lifting
associated with the update is handled on the payment processor side.

That said - from what I understand Amazon is a bit of an exception here and
they actually store the full blown card info (other than CVV which is
"illegal" to store) so they have to deal with the implications of account
updates themselves.

~~~
phire
If you read the article carefully, there is no indication that Amazon actually
gave her (or even had) the full credit card number.

_"it turned out the last four digits and the expiry date matched the card on
my Amazon account."_

I checked, and Amazon does indeed only show you the last 4 digits and expiry
date.

~~~
ChemicalWarfare
> If you read the article carefully, there is no indication that Amazon
> actually gave her (or even had) the full credit card number.

And if you read my post carefully I'm not saying that they did :)

------
Artemis2
Most acquirers support Account Updater. Here are some documents with more
information for the major card brands:

Visa: [https://usa.visa.com/dam/VCOM/download/merchants/visa-account-updater-product-information-fact-sheet-for-merchants.pdf](https://usa.visa.com/dam/VCOM/download/merchants/visa-account-updater-product-information-fact-sheet-for-merchants.pdf)

Mastercard:
[http://www.mastercard.com/ca/wce/PDF/ABU_Fact_Sheet_2011_EN.pdf](http://www.mastercard.com/ca/wce/PDF/ABU_Fact_Sheet_2011_EN.pdf)

Amex: [https://icm.aexp-static.com/Internet/NGMS/US_en/Images/Cardrefresher_Product_Overview.pdf](https://icm.aexp-static.com/Internet/NGMS/US_en/Images/Cardrefresher_Product_Overview.pdf)

To my knowledge, you can't opt out as a consumer.

~~~
tzs
There seem to be at least two levels of service with the updater services.
I've only dealt with them from small merchants, and the available interface
was a batch query/response interface.

We'd submit a file containing a batch of account numbers we wanted information
on. This submission is by posting to a URL.

We could then poll a URL for status on that batch. When processing was
complete the status changes, and an email would also be sent to us. This could
take two or three days.

We could then retrieve the results from a URL. They might be partial results,
in which case we could keep polling that status to find out if more results
were available. Some cards would never get a response.

Apple seems to have a fancier level of service from the card associations that
gives access to some kind of push interface.

My bank sent me an offer to upgrade my card. This was the card that I use with
Apple Pay. I accepted via online banking. Less than a minute later my phone
beeped. It was a notification from Apple Pay that the new card had replaced
the old card on my Apple Pay.

~~~
Artemis2
Yes, Apple Pay is different – Apple partners directly with banks (and charges
a nice percentage along the way). Your device communicates directly with your
bank for Apple Pay, which enables this kind of feature. I don't know whether
it is push or pull though.

This is a great document for understanding how Apple Pay (and Android Pay)
works at a low level:
[https://www.emvco.com/specifications.aspx?id=263](https://www.emvco.com/specifications.aspx?id=263)

------
dbg31415
This is very common among almost all major eCommerce companies. Clickbait
title, but the gist of this is to say, "Hey, we know you lose your card from
time to time... and cards eventually expire (sometimes because of a security
breach or other issue that you, the end-user, had nothing to do with). Rather
than make you waste time going back through and updating every instance where
you opted for the vendor / service provider to save your info, and risk you
getting late fees or your electricity being turned off, let's just be smart
and push updates to trusted stores that you have already opted to give your
card to."

Nothing sinister going on here at all.

~~~
terminado
Sometimes I cancel a card, to revoke access to accounts I lost the password
to.

When I cancel a card, that doesn't mean that certain people should predict
their own capacity to use a new card.

Glad to know that the destruction and replacement of a card might not work. I
will now reconsider my tactics for revocation.

Clearly, I need to destroy, uproot the account, migrate elsewhere across
provider boundaries, and deny further awareness of cards that might possess
the property of re-use.

Certain companies must only be aware of disposable numbers, since they seem to
be frisky about what I'd elect for them to know.

~~~
pfranz
Bank of America years ago had disposable credit card numbers. I found them
awkward to generate (I think it was a Java applet?) and I couldn't use the
criteria I preferred. They might have changed that.

Final [https://getfinal.com/](https://getfinal.com/) is a startup that looks
to be built around this concept.

~~~
crisopolis
Final is a _credit card_ (requires approval by a third party bank and etc.)
that tries to be a virtual card generator.

If you want disposable cards [https://privacy.com](https://privacy.com) would
be better suited.

------
blockloop
As others have said, it is very common in ecommerce. There are strict rules
around the updates. Your bank knows why the new card was added. If the reason
was simple (i.e. renewing because of expiration) then they share the new card
with Account Updater. However, if your card was lost or stolen Account Updater
will notify the subscribers but will not share the new card number. This
prevents chargebacks and other common billing problems.
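
The flow described in this thread, as an added example that is not part of any comment and not any processor's real API: a toy processor vault keeps the full card number behind a stable token, a reissue refreshes only the merchant's last-4 and expiry, and a lost/stolen update yields a notice without a new number. All class, function and status names are hypothetical, and the card numbers are constructed test values.

```python
import secrets

class ProcessorVault:
    """Processor side: the only place full card numbers (PANs) are kept."""
    def __init__(self):
        self._cards = {}  # token -> [pan, expiry]

    def tokenize(self, pan, expiry):
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = [pan, expiry]
        # The merchant receives the token plus display metadata only.
        return token, {"last4": pan[-4:], "expiry": expiry, "active": True}

    def apply_update(self, old_pan, reason, new_pan=None, new_expiry=None):
        """Process one updater record; return notices for merchants."""
        notices = []
        for token, card in self._cards.items():
            if card[0] != old_pan:
                continue
            if reason == "reissued" and new_pan:
                card[:] = [new_pan, new_expiry]  # the token itself is unchanged
                notices.append({"token": token, "status": "updated",
                                "last4": new_pan[-4:], "expiry": new_expiry})
            else:  # e.g. lost/stolen: the new number is not shared
                notices.append({"token": token, "status": "contact_cardholder"})
        return notices

def merchant_handle(wallet, notice):
    """Merchant side: refresh display metadata or retire the saved card."""
    record = wallet[notice["token"]]
    if notice["status"] == "updated":
        record.update(last4=notice["last4"], expiry=notice["expiry"])
    else:
        record["active"] = False

def demo():
    vault, wallet = ProcessorVault(), {}
    # Constructed test card numbers, not real accounts.
    tok_a, meta_a = vault.tokenize("4111111111111111", "01/17")
    tok_b, meta_b = vault.tokenize("5555555555554444", "06/18")
    wallet[tok_a], wallet[tok_b] = meta_a, meta_b
    notices = vault.apply_update("4111111111111111", "reissued",
                                 "4012888888881881", "01/21")
    notices += vault.apply_update("5555555555554444", "lost_stolen")
    for notice in notices:
        merchant_handle(wallet, notice)
    return tok_a, tok_b, wallet

if __name__ == "__main__":
    print(demo())
```
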

------
laurencei
I think Stripe supports this:

[https://stripe.com/blog/smarter-saved-cards](https://stripe.com/blog/smarter-saved-cards)

------
electric_sheep
Good timing on this post! I just got a new card and was baffled by how Netflix
was able to update my account details before I was. Maybe I should be creeped
out? But damn if it isn't convenient. (Who else finds themselves uttering this
phrase with increasing regularity these days?)

~~~
tracker1
No kidding... Having to update a list of a dozen or more accounts to a
different payment method when switching banks is hard. Doing that when your
card expires, you will often miss one or two.

------
org3432
Comcast was doing this with my account, however after they upgraded their
backend late last year they reverted back to the old card number and silently
failed to bill my card. So good to be aware that it's not completely seamless.

------
_Codemonkeyism
Never have done that, but some people think letting CCs expire on accounts to
get out of contracts is the way to go.

With this it seems this isn't a viable route (anymore?).

~~~
chimeracoder
> some people think letting CCs expire on accounts to get out of contracts is
> the way to go.

That's a terrible strategy. It doesn't free you of any actual liabilities if
you're under a contract.

It's like saying that refusing to send a check to pay your electricity or
post-paid phone bill is a way to "get out of a contract". The company will
just send you to collections (most likely) or sue (if your debt is large
enough).

~~~
kahnpro
Because some companies make it very difficult to cancel out of a contract,
like sitting for hours on the phone to speak to a retention specialist who
accidentally hangs up the phone.

A lot easier to just stop the payments and stop using the service. 99.99% of
companies are not going to sue you over a few hundred dollars for a service
you're not even using.

~~~
rlpb
> Because some companies make it very difficult to cancel out of a contract,
> like sitting for hours on the phone to speak to a retention specialist who
> accidentally hangs up the phone.

Can you not just give them notice in writing, say by registered post? Or do
these contracts limit termination so that it must be done over the phone and
the contract isn't terminated until the company says it is? And if so, is that
even legal?

~~~
greenleafjacob
You are looking for anticipatory repudiation [1]. The Uniform Commercial Code
in the U.S. regulates this and says the seller can collect damages as you'd
expect. I think if a company tried to say "you can only cancel this contract
if you personally serve it to our CEO who by the way is on vacation in the
Caribbean so you'll have to fly down there" - that is, making it difficult to
notify the seller of repudiation, then the court would probably find that
unconscionable. I think as to what forms of notice are appropriate, it's
probably instructive to look at related things like due process requirements
for notice [2]. As I think about it, the mail system is probably the most
standard system for entities (corporations, people, state governments, etc.)
to notify each other about things, so just intuitively I would find it hard to
believe that a company could get away with refusing a mailed repudiation of
contract. I don't think for example you could send your repudiation through
Twitter and expect it to be legally binding however. The important part is you
put the other party on notice that you have repudiated the contract, and the
due process example is interesting because satisfying due process doesn't
require "actual notice" [3].

[1]
[https://en.wikipedia.org/wiki/Anticipatory_repudiation](https://en.wikipedia.org/wiki/Anticipatory_repudiation)

[2]
[https://en.wikipedia.org/wiki/Jones_v._Flowers](https://en.wikipedia.org/wiki/Jones_v._Flowers)

[3]
[https://en.wikipedia.org/wiki/Actual_notice](https://en.wikipedia.org/wiki/Actual_notice)

~~~
rlpb
> You are looking for anticipatory repudiation.

I don't think so. I'm looking for straightforward contract termination, and
the providing of notice for contract termination, where the contract already
explicitly permits termination. I don't think failing to perform on a contract
needs to come into it.

I assume that contracts for services such as electricity and cable already
have such termination clauses, so it's just a matter of how notice of
termination is served.

------
StreamBright
I wish we lived in an era when I did not need to know my credit card details.

------
sugavaneshb
Apple payment (iTunes) supports this as well.

