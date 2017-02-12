Hacker News new | comments | show | ask | jobs | submit login
Amazon Knows Your New Bank Card Number Before You Do (theguardian.com)
83 points by jeremyleach on Feb 12, 2017 | 26 comments



As others pointed out this is a rather standard flow handled by the account updater service[s]. What I would add is most of the time the merchant doesn't store your payment instrument data other than last 4 digits and an expiration date just so the card in your "digital wallet" can be identified in the UI - "Your Visa ending in ...1234" type deal.

Instead, they store a token provided to them by the payment processor which represents the card. That token stays the same even if your account info gets updated. So the only thing the merchant updates is the "metadata" of the payment instrument for end user's convenience. The actual heavy lifting associated with the update is handled on the payment processor side.

That said - from what I understand Amazon is a bit of an exception here and they actually store the full blown card info (other than CVV which is "illegal" to store) so they have to deal with the implications of account updates themselves.


You nailed it.

I work for a payment gateway and I've written several Account Updater integrations.


If you read the article carefully, there is no indication that Amazon actually gave her (or even had) the full credit card number.

"it turned out the last four digits and the expiry date matched the card on my Amazon account."

I checked, and Amazon does indeed only show you the last 4 digits and expiry date.


>> If you read the article carefully, there is no indication that Amazon actually gave her (or even had) the full credit card number.

And if you read my post carefully I'm not saying that they did :)


Most acquirers support Account Updater. Here are some documents with more information for the major card brands:

Visa: https://usa.visa.com/dam/VCOM/download/merchants/visa-accoun...

Mastercard: http://www.mastercard.com/ca/wce/PDF/ABU_Fact_Sheet_2011_EN....

Amex: https://icm.aexp-static.com/Internet/NGMS/US_en/Images/Cardr...

To my knowledge, you can't opt out as a consumer.


There seem to be at least two levels of service with the updater services. I've only dealt with them from small merchants, and the available interface was a batch query/response interface.

We'd submit a file containing a batch of account numbers we wanted information on. This submission is by posting to a URL.

We could then poll a URL for status on that batch. When processing was complete the status changed, and an email would also be sent to us. This could take two or three days.

We could then retrieve the results from a URL. They might be partial results, in which case we could keep polling that status to find out if more results were available. Some cards would never get a response.

Apple seems to have a fancier level of service from the card associations that gives access to some kind of push interface.

My bank sent me an offer to upgrade my card. This was the card that I use with Apple Pay. I accepted via online banking. Less than a minute later my phone beeped. It was a notification from Apple Pay that the new card had replaced the old card on my Apple Pay.


Yes, Apple Pay is different – Apple partners directly with banks (and charges a nice percentage along the way). Your device communicates directly with your bank for Apple Pay, which enables this kind of feature. I don't know whether it is push or pull though.

This is a great document for understanding how Apple Pay (and Android Pay) works at a low level: https://www.emvco.com/specifications.aspx?id=263


This is very common among almost all major eCommerce companies. Clickbait title, but the gist of this is to say, "Hey, we know you lose your card from time to time... and cards eventually expire (sometimes because of a security breach or other issue that you, the end-user, had nothing to do with). Rather than make you waste time going back through and updating every instance where you opted for the vendor / service provider to save your info, and risk you getting late fees or your electricity being turned off, let's just be smart and push updates to trusted stores that you have already opted to give your card to."

Nothing sinister going on here at all.


Sometimes I cancel a card, to revoke access to accounts I lost the password to.

When I cancel a card, that doesn't mean that certain people should predict their own capacity to use a new card.

Glad to know that the destruction and replacement of a card might not work. I will now reconsider my tactics for revocation.

Clearly, I need to destroy, uproot the account, migrate elsewhere across provider boundaries, and deny further awareness of cards that might possess the property of re-use.

Certain companies must only be aware of disposable numbers, since they seem to be frisky about what I'd elect for them to know.


Better workflow would be to cancel the account by contacting customer support.

Some cards offer one-time-use numbers, those work great for one-time transactions but a vendor won't be keen on accepting them for recurring payments as you would have to re-enter a card number every billing cycle.

Typically disposable numbers are easy to identify (for the vendor at any rate), much the same way a Visa or MasterCard are different from each other.

You can see a few patterns here:

https://www.paypalobjects.com/en_US/vhelp/paypalmanager_help...


Bank of America years ago had disposable credit card numbers. I found them awkward to generate (I think it was a Java applet?) and I couldn't use the criteria I preferred. They might have changed that.

Final https://getfinal.com/ is a startup that looks to be built around this concept.


Final is a credit card (requires approval by a third party bank and etc.) that tries to be a virtual card generator.

If you want disposable cards https://privacy.com would be better suited.


As others have said, it is very common in ecommerce. There are strict rules around the updates. Your bank knows why the new card was added. If the reason was simple (i.e. renewing because of expiration) then they share the new card with Account Updater. However, if your card was lost or stolen Account Updater will notify the subscribers but will not share the new card number. This prevents chargebacks and other common billing problems.
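The token-plus-metadata vault described earlier in the thread, with the update rules from this comment applied to it, as an added illustration (not code from the thread or from any processor's Account Updater service). The CSV layout, the reason codes and the sample rows are constructed for the example; real services define their own formats.

```python
# Added illustration, not code from the thread or from any processor: a merchant
# vault that keeps only a processor token plus display metadata, then applies an
# Account Updater batch response. The CSV layout and reason codes are constructed.
import csv
import io
from dataclasses import dataclass

@dataclass
class StoredCard:
    token: str           # processor token; unchanged across card updates
    last4: str           # display only: "Visa ending in ...1234"
    expiry: str          # MMYY, display only
    status: str = "active"

# Constructed batch response. Reason codes are assumed for this example:
# NEW_EXPIRY, NEW_ACCOUNT (reissue), CONTACT_CARDHOLDER (lost/stolen/closed), NO_MATCH
SAMPLE_RESPONSE = """token,reason,new_last4,new_expiry
tok_a1,NEW_EXPIRY,,0421
tok_b2,NEW_ACCOUNT,5678,0822
tok_c3,CONTACT_CARDHOLDER,,
tok_d4,NO_MATCH,,
"""

def build_vault() -> dict:
    """Constructed merchant vault: no PAN stored, just token and display fields."""
    return {
        "tok_a1": StoredCard("tok_a1", "1234", "0219"),
        "tok_b2": StoredCard("tok_b2", "9999", "0319"),
        "tok_c3": StoredCard("tok_c3", "4444", "0520"),
        "tok_d4": StoredCard("tok_d4", "7777", "0620"),
    }

def apply_updater_results(vault: dict, response_text: str) -> dict:
    """Apply each row to the vault and return a per-reason count.
    Only metadata changes; the token is left alone because the processor
    already re-mapped it to the new card."""
    counts = {}
    for row in csv.DictReader(io.StringIO(response_text)):
        reason = row["reason"]
        counts[reason] = counts.get(reason, 0) + 1
        card = vault.get(row["token"])
        if card is None or reason == "NO_MATCH":
            continue
        if reason == "NEW_EXPIRY":
            card.expiry = row["new_expiry"]
        elif reason == "NEW_ACCOUNT":
            card.last4, card.expiry = row["new_last4"], row["new_expiry"]
        elif reason == "CONTACT_CARDHOLDER":
            # Lost/stolen: no replacement number is shared, so stop billing
            # this token and ask the customer to re-enter a card.
            card.status = "contact_cardholder"
    return counts
```

The point to take from the CONTACT_CARDHOLDER branch is that a lost or stolen card yields no new number at all, so the merchant must stop billing that token rather than wait for an update.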


I think Stripe supports this:

https://stripe.com/blog/smarter-saved-cards


Good timing on this post! I just got a new card and was baffled by how Netflix was able to update my account details before I was. Maybe I should be creeped out? But damn if it isn't convenient. (Who else finds themselves uttering this phrase with increasing regularity these days?)


No kidding... Having to update a list of a dozen or more accounts to a different payment method when switching banks is hard. Doing that when your card expires, you will often miss one or two.


Comcast was doing this with my account, however after they upgraded their backend late last year they reverted back to the old card number and silently failed to bill my card. So good to be aware that it's not completely seamless.


Never have done that, but some people think letting CCs expire on accounts to get out of contracts is the way to go.

With this it seems this isn't a viable route (anymore?).


> some people think letting CCs expire on accounts to get out of contracts is the way to go.

That's a terrible strategy. It doesn't free you of any actual liabilities if you're under a contract.

It's like saying that refusing to send a check to pay your electricity or post-paid phone bill is a way to "get out of a contract". The company will just send you to collections (most likely) or sue (if your debt is large enough).


Because some companies make it very difficult to cancel out of a contract, like sitting for hours on the phone to speak to a retention specialist who accidentally hangs up the phone.

A lot easier to just stop the payments and stop using the service. 99.99% of companies are not going to sue you over a few hundred dollars for a service you're not even using.


> Because some companies make it very difficult to cancel out of a contract, like sitting for hours on the phone to speak to a retention specialist who accidentally hangs up the phone.

Can you not just give them notice in writing, say by registered post? Or do these contracts limit termination so that it must be done over the phone and the contract isn't terminated until the company says it is? And if so, is that even legal?


You are looking for anticipatory repudiation [1]. The Uniform Commercial Code in the U.S. regulates this and says the seller can collect damages as you'd expect. I think if a company tried to say "you can only cancel this contract if you personally serve it to our CEO who by the way is on vacation in the Caribbean so you'll have to fly down there" - that is, making it difficult to notify the seller of repudiation, then the court would probably find that unconscionable. I think as to what forms of notice are appropriate, it's probably instructive to look at related things like due process requirements for notice [2]. As I think about it, the mail system is probably the most standard system for entities (corporations, people, state governments, etc.) to notify each other about things, so just intuitively I would find it hard to believe that a company could get away with refusing a mailed repudiation of contract. I don't think for example you could send your repudiation through Twitter and expect it to be legally binding however. The important part is you put the other party on notice that you have repudiated the contract, and the due process example is interesting because satisfying due process doesn't require "actual notice" [3].

[1] https://en.wikipedia.org/wiki/Anticipatory_repudiation

[2] https://en.wikipedia.org/wiki/Jones_v._Flowers

[3] https://en.wikipedia.org/wiki/Actual_notice


> You are looking for anticipatory repudiation.

I don't think so. I'm looking for straightforward contract termination, and the providing of notice for contract termination, where the contract already explicitly permits termination. I don't think failing to perform on a contract needs to come in to it.

I assume that contracts for services such as electricity and cable already have such termination clauses, so it's just a matter of how notice of termination is served.


That was never a viable route. The vendor can entirely legitimately send you to collections for that.


I wish we lived in an era when I did not need to know my credit card details.


Apple payment (iTunes) supports this as well.
