Mastercard will stop free trials from automatically billing once they're over (mastercard.com)
716 points by hbcondo714 on Jan 17, 2019 | 339 comments

Hurray! This is stupendous! I wish other CC brands would follow the lead here in slaying this nefarious anti-pattern. There are so many services which require _you_ to actively go and cancel when all you wanted was to trial something, but they required you to commit a CC knowing there'd be a large percentage of people who forget to cancel.

Thank you MC for raising the bar for other CC brands.

A good example is SiriusXM. They give you a lowball initial offer, and the fine print says that at the end of the offer period the subscription will automatically renew at "then current" rates. To cancel you have to call their 800 number (which of course will put you on hold long enough to make you give up.)

MasterCard is making an awesome first step here. The next step is to insist that companies must let you cancel subscriptions online, just like this California law: https://www.cnet.com/news/companies-must-let-customers-cance...

I’ve started stopping charges from my card rather than dealing with that kind of “customer service” ever again. When the company finds they literally can’t charge you, suddenly they have the time to call you. If you’ve tried to cancel a service, stopped using it, and stop payment... well, the rest is their problem.

Please don't do this.

I get customers doing this for Twiddla every few months despite sending monthly receipt mails explaining how I'm happy to cancel their service and even refund as many months of it as they like if they're not happy for any reason.

But no. Some people would rather call their bank and accuse me of fraud than reply to a mail (or click a prominent link on their account page).

No amount of reaching out to ask them to cancel a chargeback has ever worked. It's baffling. Sure, it's a (way more complicated) way of cancelling your subscription. But it affects my ability to run my business.

So yeah. Don't do this until you at least try clicking the cancel button on the website.

If every other business has taught them that this is the only way to deal with things and that actually going through the "official" cancellation procedure is next to impossible (and an opportunity cost besides), I don't see how you can ask them to stop doing it.

It's apparently a strategy that works, and just because it's inconvenient for you doesn't make it their obligation to stop.

There's a just middle ground. If a service provides excellent unsubscribe flow and refund options, is it a good idea to reward them by accusing them of fraud?

Do it for the shitty services but at least do some basic homework first.

Agreed: as a customer, you'd have to have at least tried to call or cancel before issuing a charge back.

The website should have a very accessible cancel option. Especially considering calling tends to entail reps trying to push you to keep the account, and not everyone is comfortable having to give a reason for cancellation.

The problem is they've been trained not to bother.

For years I had small subscriptions to various digital things; public radio, podcasts, etc. After being burned when trying to change my credit card on a prominent broadcaster and finding there was no obvious way to cancel, I switched to PayPal or nothing for ongoing payments. It's just not worth bothering managing each site's various levels of hostility for dealing with it. After PayPal had some gaffes, I stopped altogether. In the years since I've moved a few to Patreon, but fewer than previously.

> just because it's inconvenient for you doesn't make it their obligation to stop

Yeah, the thing is, having to cancel services tends to be inconvenient by nature. Usually when someone signs up for something it's because a) they're trying it out to see if it makes sense for them or b) they intend to be a paying customer.

It seems like MasterCard is addressing "a" here which is massively commendable. Companies don't need to auto-charge after a trial period ends, and it seems dishonest to do so. Services like Pandora will just take some functionality and inject advertisements after the trial payment ends or you miss your monthly payment.

Regarding "b", churn is a massive problem for businesses and if my company is doing something to alienate my customers, I would be trying to figure out how to reconcile the issue and retain them instead of trying to force payment on a single month of service and potentially drive them to file complaints against my business.

It sounds like Twiddla might be the exception to the rule and is commendable for that - I've never heard of a company offering to refund months of service fees, but most businesses aren't like that. And to a consumer, that unexpected $5 charge might include $35 of overdraft/NSF fees from their bank that they have to reconcile - to people on a budget, that might be a lot. And some companies will try to recharge the account again and again. I know from experience that DigitalOcean reattempts charges every 2 days for a missed payment without any reference to that in the TOS, even if you have emailed them agreeing to pay the full balance before their account suspension deadline and request that they stop the arbitrary recharge attempts, which can end up costing hundreds for a missed $10 payment.

And these sorts of practices don't generate any extra revenue for the service provider, but they may generate needless churn. It ends up turning into a massive headache for something that was totally avoidable - and it usually ends up hurting the people with the least money the most.

The current government shutdown is a perfect example of why we should be careful about our billing practices.

> If every other business has taught them that this is the only way to deal with things and that actually going through the "official" cancellation procedure is next to impossible

It is highly unlikely that every other business has taught them that. Plenty of businesses provide reasonable means to cancel their service for anyone who wants to. Apparently several of us commenting in this very HN discussion run businesses on that basis, and so do lots of other people.

> It's apparently a strategy that works, and just because it's inconvenient for you doesn't make it their obligation to stop.

Well, it's criminal fraud, so it is their obligation to stop.

In my experience, easy to cancel services are a relatively new invention. Netflix, Amazon, and lots of other online services are amazingly great about this.

Lots of traditional businesses have been horrible.

I'm not convinced about Amazon. It's very difficult to find out what things I'm even subscribed to. In most cases they refuse to send emails/invoices before/after any recurring charge (amazon music, any of the addon streaming channels, the cloud storage plans, etc.), and the charges on my credit card are indistinguishable from "normal" amazon charges.

Netflix does make it easy. Last time I canceled they didn't even ask why.

Well from the user's perspective, it does seem a lot like fraud. You sign up for a free trial of a service just to try it out, end up not really liking it so you forget about it. A few months later you see on your credit card statement that you've been being billed for something you never even authorized. Now technically it is not fraud since it says in the fine print that you'll be billed automatically at the end of the trial. But we all know people don't read the fine print.

For what it's worth the service we're talking about does not ask for a credit card during the trial. After your 30 days, you need to come back and add your card details to activate your subscription.

Thus the frustration of watching people who have done that come back a few months later and charging back all 3 months of service.

Then you're talking about a different thing. Your "fraud!" customers are people who have actively chosen to pay for your service, then actively chosen to claim fraud and get their money back.

Everyone else is talking about people who were forced to put a CC on a free trial and then were automatically charged for a service they either forgot to cancel or couldn't cancel through the channels. (Or decided not to bother with the channels since they're almost always a pain in the ass.)

It's a different situation entirely.

Sounds like they're trying to defraud you, not just cancel their service.

The irony is that I do in fact offer multi-month refunds for Twiddla subscribers who "forgot to cancel". All they have to do is ask.

I actually just processed one of these this morning, refunding 5 months worth of payments for a user. Just because they asked.

I feel your pain. We have a very similar policy at SuperSaaS (we don't ask for a credit card to trial and once they do commit to paying we make cancelling and getting a refund easy).

Still we get the occasional chargeback: we lose the €6/month our service costs and get dinged an additional €30 per chargeback by Braintree. So we lose half a year of customer value for each chargeback. I really wish they would make those chargeback fees more reasonable.

Is this something a competitor might do?

There are laws in some parts of the world, including throughout the EU for example, to protect people who are victims of subscriptions that weren't properly advertised up front. I doubt any of us here today would defend the kind of business that tried to hide that sort of commitment in the small print and then relied on making it unreasonably difficult to cancel.

However, that's a very different scenario to someone knowingly signing up for a service on reasonable and clearly advertised terms, failing to comply with those terms, and then blaming the service provider.

People see cancellation and asking for refunds as an awkward conversation. Calling a bank is easier, and Amex / other providers have buttons online to say "stop charges" or "dispute charges" - easier still, and they know where to find it.

(I just had one service I'd trialled & forgotten about ask me to arrange a ... VIDEO CHAT to cancel *runs screaming*)

But also - if that's what customers are doing, your cancellation button probably isn't as obvious or findable as you'd think (or people lose their passwords). And if you're a small SaaS shop, you probably don't have the time or energy to workshop the whole cancellation experience :)

idk, there's no right answer but "baffling" customer behaviour is always an opportunity to improve what you're offering.

Ugh, It's like Planet Fitness' retention strategies. They make you go into the gym that you signed up at, get a form, fill it out, then MAIL it to corporate.

When I tried to do that, they told me "Oh, we don't have any of the forms on hand, try again next week"

Fuuuuuuck that a whole bunch. They also make you do direct debit from your bank to sign up rather than put it on a ccard, to make it more difficult to just stop paying them. I only stopped giving them money when my bank (simple) changed their upstream bank and everyone got a new account number.

Yeah. When they make it hard to cancel I have no problem at all with people going through the credit card instead.

I'm thinking of one errant charge that showed on my credit card that I didn't make. I called the provided number, got a recording saying to contact them by e-mail. My bank was happy with that as having tried to resolve it with them first--the bank didn't consider contact by e-mail an acceptable alternative to the mandated 800 number.

That's a really good point. Some companies have pretty aggressive customer retention tactics. I've learned that when they ask why I'm canceling I just say "it's personal" and most of the time they let me go. But other times, they don't and it's very annoying.

Just tell them something insane, like unfortunately you're dead, or you've gone deaf, blind, and mute in spite of the fact you're talking to them in the phone.

Then, you're an outlier jasonkester.

Many companies I've dealt with have the "click button to sign up",

but the cancel procedure is "need to call during the 3rd minute of the eclipse while sitting in a salt circle".

This has been endemic at all levels of recurring commerce. And gyms have been notorious for being damned near impossible to cancel, to the point of massive class action lawsuits.

Simply put, I'm willing to expend the same amount of energy to sign up as I do to quit a service. Past that, I'm reporting billing fraud, and I'll switch CC's if need be. Sorry if you're doing it right, but 99% of businesses that do it do it badly.

I’m not talking about a chargeback, I’m talking about blocking future charges for a service I’ve already tried to cancel, and run up against unreasonable resistance. There are no accusations of fraud involved. I agree that chargebacks should be used for fraud only, but if you inform a company that you’ve tried to cancel and are done with their service, that you will stop payments after a given date... the rest is very much their problem.

Let’s stop conflating this with chargebacks after using a service for the billed period ok?

If there's a button to cancel on a website, then yeah that's how you should cancel a subscription. But many businesses let you sign up through their website, but make you call them to cancel. They deserve to get nailed with a chargeback, it's a hell of a lot easier than calling.

Isn't this just the same as people reporting your promotional emails as spam rather than clicking the unsubscribe link though?

As others have pointed out, it's likely nothing personal against you or your company but rather just learned behaviour after dealing with rogue elements - which is/has been most other businesses to date.

Sounds like there's an unexplored opportunity for banks/cc companies and service providers to implement an integration API standard where the client could cancel the service through any of the parties.

Not that it's in the interest of too many providers, though.

Note that there’s an intermediate option, where you instruct the card issuer simply to deny future charges from the merchant. It doesn’t file a chargeback and it prevents new charges.

Those customers might be using leaked card numbers? The person who contacted the bank might have been the real owner of the card instead of the person who signed up for Twiddla.

This is possible, but in my experience this has never come up. Most of the time, a subscriber will indicate that they weren't expecting a charge, and it will be categorized as an unrecognized charge and I'll have to prove (to Stripe) that the customer signed up for this subscription.

But if the subscriber indicates that they think it's fraud, it's always been the case that they think it's fraudulent to have a subscription or some such thing — never that someone took their credit card and signed up for my service.

The worst incident was where a subscriber accurately described what happened — that he didn't remember it would be a renewing charge — and his credit card company insisted on categorizing it as fraud, even though he explicitly said not to. When a charge is categorized as fraud, Stripe makes you prove all sorts of things that are totally irrelevant where fraud/identity theft have not happened. I think they even asked me to provide a photocopy of the subscriber's driver's license.

So it's a real bummer when people flag transactions instead of taking a second to cancel their subscription.

The real bummer is that subscriptions aren’t centralised.

Unless the user subscribes through something like iTunes or PayPal, where canceling a subscription is user-centric.

The lesson here is: payment card providers need to get with the program and add a new category of charge-cancellation, specifically: user no longer wishes to continue with service, most recent charge reversed and further charges for this service blocked.

Careful what you wish for.

I used to use Amazon DevPay for S3stat and Twiddla subscriptions. It's "user-centric" like you describe, where users sign up to pay for the service through Amazon, and can later tell Amazon to stop paying for it. My thing would get webhooks when those things happened so I could update my end.

But it was only user-centric, so if the user asked me to cancel their subscription, I couldn't do anything except give them a link to Amazon's page to cancel. I could have a Cancel button on my site to stop my end of things, but I had to give them a link and tell them not to forget to go over to this other site and perform the necessary steps to stop sending me money.

As you can imagine, it was not optimal.

I ended up on the phone with Amazon too many times begging them to please stop charging my customer money and sending it to me because neither of us want that to happen, and listening to Amazon explaining patiently that that is not something they can do. No sir, write back to your customer and tell them to re-activate their Amazon subscription then visit this page and click this series of links.

Stripe couldn't arrive fast enough. The day it did, my business was gone.

... and 5 years later I still had hundreds of customers who had signed up using Amazon DevPay, which doesn't have a way of transferring payment details (again, because "user-centric"), so every one of them ended up with the same professionally-embarrassing email exchange asking them to go to a 3rd party website and perform some complicated tasks that we weren't able to perform on their behalf. And sorry.

Yeah, that’s not ideal. The service provider needs to be able to cancel as well.

> The lesson here is: payment card providers need to get with the program and add a new category of charge-cancellation, specifically: user no longer wishes to continue with service, most recent charge reversed and further charges for this service blocked.

Why should someone's most recent charge be reversed in that scenario? If they've agreed to pay for a service and potentially been using it during the current billing period, why is it any business of the card company's to provide a facility that forcibly returns money from the merchant to the subscriber in violation of a normal subscription contract?

Goodwill - presumably to cover the scenario where the customer didn’t get around to canceling before the end of the month.

As it happens, my own businesses sometimes will choose to refund under those circumstances. It does cost us a small amount every time we do it, because we still had to have resources available to provide the agreed service even if our customer decided not to use it.

However, we have absolutely no obligation to do that, either ethically or legally, and I don't see why it should ever be a card company's decision rather than ours. The job of any payment service is to collect payment from a customer and give it to the merchant. It's already bad enough with chargebacks, which as any merchant can tell you are sometimes abused with the merchant losing out through no fault of their own. The idea that there should be a normal, advertised mechanism through which card companies would retrospectively pull back money paid by the customer under a legitimate contract is legally nonsensical.

> is legally nonsensical.

I agree, and my initial iteration is probably going too far.

If it's a legit subscription which is easy to cancel online, then I agree, it's not nice to issue a chargeback for that.

However, if a company abuses dark patterns to keep you from canceling (by making you wait half an hour in a _call_ for a service you trialed with a few clicks..), I have no issue with chargebacks.

We tried BlueApron and enjoyed it for the better part of a year. Easy sign-up, impossible to cancel online.

Out of sheer spite for this dark pattern, I went onto their site every week (via a paid search click) for over two years to cancel the next few shipments until they re-activated their (already existing, but not navigable) online cancelation form.

Google at least only charges the advertiser the first time you click on one of their sponsored links.

I would never process a charge back in this situation- I always try to contact the merchant by reasonable means first. Further, the last few times I have had to deal with fraudulent charges, my bank has always asked if I had attempted to contact the merchant- in one case they even called with me to insist that the merchant refund me (Having my bank on the line let them know I was serious about doing a charge back if they refused to cooperate- they cooperated).

What the OP describes though was a merchant making it difficult to contact them. I think in the case where the merchant insists on you calling them and fails to answer their phone, a charge back is warranted.

I just went through a compromised card. The bank alerted me as they considered the transactions suspect. They didn't even ask if I tried to contact the merchants. I denied making them (they were in a city I haven't been in in almost 40 years) and that was that.

When the bank flags it as a possible compromise, they probably don't. Different banks probably have different procedures, but when my wife's debit card was compromised recently, they asked her if she had contacted the merchant- she had not, as she didn't even know who they were. After she explained that, they proceeded to process her claim, but they did check.

Nord VPN handles this in a somewhat unique way among the subscription services I use. They send out an automated email 3 days before they charge for the next month. This seems like a sensible middle ground to me given the lack of infrastructure for services to notify card issuers of their intent to charge.

3 days seems too short though. 15/30 days sound more sensible.

30 days beforehand is too easy to forget that another charge is coming I think, at that point your previous invoice is basically that notification

Usually your credit card company will ask you if you've at least tried to cancel before doing a stop

I honestly tell them yes, because I’ve never done this without making (and recording) at least one good faith attempt to stop a service with full disclosure of the date I intend to stop payment if they don’t. I then don’t use the service if they fail to stop it, which at least morally is a key point.

I 100% agree with you if you’ve made a good faith effort to cancel. My earlier comment wasn’t about people that intend to cancel. It was about people that retroactively try to “cancel.” As far as free trials auto-converting, I am not sure why anyone would sign up with a credit card for a free trial in the first place. For my little business, a free trial is just that. You don’t give a card number until we have a reason to need it: meaning, you want to pay us. I am complaining about people that actually agree to pay and then attempt a retroactive cancellation by disputing the charge. The way I run my business is that I will gladly refund people that actually forgot but when their course of action is to dispute the charge, then I fight it fiercely because chargebacks cost me actual money. If I lose a chargeback, it costs me $15. A courtesy refund is gladly provided but accusing me of theft with a charge dispute — that’s an entirely different case.

As a very small B2C subscription-based service, we bump into this too. And it's rather frustrating. It seems like banks are super happy to let their customers dispute the charges, and so far we were never able to reverse this. Despite sending server logs, our terms and conditions, proofs of emails sent, etc.

For the record, we make cancellation very easy (one-click), and we send emails whenever we renew. And if someone forgot to cancel and emails us a few days or a couple of weeks later, we'll refund happily. But going to your bank and disputing charges is just too easy for people it seems, even for services that they clearly consumed.

I saw your other comment saying that you were able to "fight" this, but can I ask how? We basically gave up submitting evidence on Stripe, because the manual effort is pretty big, and we were basically never able to "convince" the bank (which seems to have the last word). The amounts aren't worth pursuing outside of Stripe, so we just eat those charges from time to time. Overall, they are still a fraction, but still frustrating.

(I work at Stripe.)

Sorry that is a frustrating experience. I used to run a B2C site and can relate; I also just ate any dispute. You can automate your response to them via our API (or build internal tooling to create a business process around this) if the number is material to you, but most software companies I know don't see that as the best use of their time.

We're working on various options for improving this part of the charging money experience.

Thanks Patrick. Yes, it's exactly the case for us. Automating the evidence submission has a poor ROI. Especially since we lost all of them when we manually submitted it (albeit only a dozen times or so, I don't have exact numbers, but we've given up seeing only negative responses).

Our dispute rates are still slim, and the actual financial hit is low, but it just feels frustrating and unfair.

There's also this fear that people would "figure it out" and start abusing it on a much bigger scale, but I guess this is not a realistic risk (or I'd like to believe so).

It would be awesome if Stripe helped. e.g. I can imagine doing a one-off or periodic reviews/audits and showing Stripe how we handle cancellations, refunds, etc. From then on, ideally Stripe has a pre-baked appeal ready for us and fights the banks on our behalf. Is it too much to ask?

Nothing is too much to ask for.

We’re aware that the experience of even low levels of disputes is a real sand-in-the-shoe irritant for companies operating entirely aboveboard. We have some ideas for products we could make to ease this.

If you’d like to hear more about this, drop me an email. (This handle at stripe.com works.)

Glad to see that you and GP both run your business like I run mine — I follow the same procedures you describe here.

To answer your question, I have also lost Stripe challenges even though I've provided server logs and such. But sometimes I win. It seems almost random. Usually when I win it's a long long time later, and there was no apparent reason. Sometimes it helps to forward an email from the customer stating that they didn't actually mean to flag the transaction, but that they just wanted to cancel.

Man, you have great banks over there (and I never thought I'd say this about US banks). It took me eight months to convince my bank to cancel a payment for some concert tickets that were never delivered... and then the ticket company decided to refund the money on its own, so the bank never actually did anything.

Chargebacks are a good way to get your account closed with service providers. Google, Apple, Steam, and many others will lock your account without a second thought when you start issuing chargebacks.

How do you stop individual payments? Is that something that you get as a service? Because in my (limited) experience in different countries I don't think I can do that.

My bank (Bank of America) lets you create temporary credit card numbers. They are linked directly to your actual card, but can be revoked individually.

I don't know about that... I was sure it would work, but I'm not so sure anymore, after Avis managed to charge me 25EUR on an _expired_, _debit_ Mastercard that had 0 EUR in it (bank simply took upon themselves to automatically perform currency conversion from one of my other accounts so that they'd cover the negative balance). I never thought something like this would be possible. (it was a fee for supposedly "processing" a traffic ticket; they didn't pay it for me, or send the ticket to me - the fee was for taking the time to inform authorities who drove the car; they said I'd receive the ticket separately from the police, which I never did).

I contacted the bank, and they said if the charge was not fraudulent (1), there's nothing I or they can do. Apparently the merchants can back-date transactions like that to a time when you interacted with them and the card was valid; I'm not exactly sure how they can charge an empty debit card though, but apparently they can do that too (because they pre-validated that I had a certain amount at the time of rental?).

(1) It wasn't; the contract said that they can do that, and I actually could use a ticket reference number that they quoted to verify on the police site that there was indeed a parking ticket issued to the car on the day that I dropped it. To this day I'm not sure if it was me who committed a parking violation, or the next person who rented the car, after me. It is mildly plausible that it was me - that morning I parked in a legal parking space, but slightly outside the allowed "lines" (another car was taking a third of the only remaining slot, and I parked a bit outside of it).

The payment card system consists of two entirely parallel mechanisms, with different purposes.

One of them ("Authorization") is about verifying that the payment has been authorised by a cardholder, and is there to protect the issuer against fraud by their own cardholder and perhaps if you squint, to indirectly protect you from thieves. This has been the focus of technological innovation, up to and including EMV ("Chip and PIN"). It's also completely optional, most cardholders have no idea that's the case.

The other mechanism ("Settlement") is about taking money from the cardholder's account and putting it in the merchant's account. This is done entirely on the honour system, always has been, probably always will be, none of the technological improvements touch it significantly. It's mandatory in the sense that without it the merchant can't get their money.

Avis doesn't need Authorization to get your money, they only need Settlement. And like I said, it's on the honour system. Any merchant in the system can just tell the card network "Hi, card number X gave us $418.26" and they'll get $418.26 of X's money in their account. No need for any other steps.

Now, if you dispute the transaction the issuer _might_ say, well, wait, how do we know they agreed to pay $418.26? And then Authorization matters, the Authorization can prove somebody swiped a card, or typed in a PIN, or whatever. Without Authorization the issuer might choose not to pay. But there's no guarantee as you found, unless a government regulation forces their hand why should they care - it isn't their money?

This reliance on the honour system means that e.g. even though EMV has anti-replay features that mean Authorizations can't be re-used, about once a year or so in the UK you'll have a news story where some big merchant like a supermarket or fast food chain will double charge all card customers for a day. What happens is the Settlement data just gets accidentally run twice, maybe it's a physical magnetic tape, or a backup copy of a file, or some new server boots up and re-runs yesterday's Kafka stream. Settlement has no replay resistance so even though all these transactions are duplicates that goes undetected until customers start phoning up angrily and their bank realises what happened.

To a first approximation nobody checks Authorization. If you wanted to be an asshole you could try it out, ask your bank to reverse a random fraction of all your transactions. When you get a bill, pick some at random, phone the bank. Insist those are bogus and you've never heard of them. In most cases the vendor has no usable Authorization records and will just write it off, they were entirely reliant on getting paid on the honour system. Obviously if you're unlucky you'll pick someone who can prove you owed them money and is angry about it, so you may not want to try this after all.

You might think this situation is crazy but it's more common than you realise. There have been a lot of grave problems with SSL/TLS over the years. But there aren't many examples of actual consequences in practical terms. Mostly it seems as though there actually aren't bad guys trying to break your secure communications, so even if it would be possible they didn't try. Huh.
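Added example (not part of the thread, and not any card network's actual clearing format): a sketch of the replay screening that the comment above says Settlement lacks, run over constructed records. The record fields, batch ids and the 50% hold threshold are all assumptions made for the illustration.

```python
"""Replay screening for settlement batches, using constructed sample data."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SettlementRecord:
    # Hypothetical field set, chosen for this example only.
    merchant_id: str
    pan_token: str      # tokenised card reference, never the raw PAN
    amount_minor: int   # amount in minor units (pence, cents)
    currency: str
    auth_code: str      # empty if the merchant settled without Authorization
    txn_time: str       # time of sale as recorded by the merchant


def fingerprint(rec):
    """Stable identity for one sale, independent of the batch carrying it."""
    parts = [rec.merchant_id, rec.pan_token, str(rec.amount_minor),
             rec.currency, rec.auth_code, rec.txn_time]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    material = "".join(f"{len(p)}:{p}" for p in parts)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class SettlementLedger:
    """Remembers every settled sale and the batch that first presented it."""

    def __init__(self):
        self._seen = {}  # fingerprint -> batch id of first presentment

    def screen_batch(self, batch_id, records):
        accepted, duplicates = [], []
        for rec in records:
            fp = fingerprint(rec)
            first_batch = self._seen.get(fp)
            if first_batch is None:
                self._seen[fp] = batch_id
                accepted.append(rec)
            else:
                # Same sale presented again: hold it instead of paying twice.
                duplicates.append((rec, first_batch))
        return accepted, duplicates


def replay_suspected(accepted, duplicates, threshold=0.5):
    """A batch that is mostly repeats looks like a re-run file, not shoppers."""
    total = len(accepted) + len(duplicates)
    return total > 0 and len(duplicates) / total >= threshold


# Constructed data. The first two rows are the same card buying the same item
# twice at different times, which is legitimate and must not be flagged.
MONDAY_BATCH = [
    SettlementRecord("shop-001", "tok-aaa", 350, "GBP", "A1B2C3", "2019-01-14T08:05:11"),
    SettlementRecord("shop-001", "tok-aaa", 350, "GBP", "D4E5F6", "2019-01-14T13:40:02"),
    SettlementRecord("shop-001", "tok-bbb", 4182, "GBP", "", "2019-01-14T17:22:45"),
]
NEW_RECORD = SettlementRecord("shop-001", "tok-ccc", 999, "GBP", "G7H8I9", "2019-01-15T09:00:00")

if __name__ == "__main__":
    ledger = SettlementLedger()
    ledger.screen_batch("batch-mon", MONDAY_BATCH)
    # Tuesday's file accidentally contains Monday's records again.
    ok, dups = ledger.screen_batch("batch-tue", MONDAY_BATCH + [NEW_RECORD])
    print(f"accepted={len(ok)} held={len(dups)} replay={replay_suspected(ok, dups)}")
```
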

Oh wow, that makes perfect sense, thank you for writing the long reply. So you're basically telling me that it's only "authorisation" that checks the balance, and "settlement" doesn't? (I guess that also makes sense, now that I think about a few other things I noticed).

How about the case I mentioned? If I told the bank "I did not authorise Avis", would Avis have been able to somehow "prove" that I authorised the transaction? (I obviously didn't; the card was expired when they charged it; but I did have a signed contract with them, is that enough to directly take money from my account? Feels like it shouldn't be enough, not without a court getting involved).

What Authorisation checks is up to the issuer. For most accounts the bank does NOT promise to prevent you from spending beyond the limit. That limit is for their benefit not yours. A regular EMV card has some limits programmed into it by the issuer like "I'm not allowed to say yes to more than $500 of spending without going online to my issuer" but the issuer chooses what those are, not you.

Whether the bank has to take your side will depend on law where you are more than any technical facts. That signed contract is going to be a factor, and you giving Avis the card (even though months before and without expecting to pay this) would probably matter too, I'd be surprised if the issuer or the law was OK with something like "We found this card number on an unrelated payment from years ago so we charged it".

I mostly think this should be "fixed" to be stricter, but let me briefly take the merchant's side. Suppose I check out from a hotel one morning. $120 for one night sir, thanks for staying with us. Two hours later cleaners find the room is trashed. I've ripped up the carpet, a chair is in pieces, the wall TV has been attacked with a knife. Why the hell shouldn't they be able to try putting it on my card? Should my bank really refuse if I have the money, and force them to take me to court to try to get their money just because I didn't authorise the charge? Realistically it's not in anyone's interest to insist on that except bad actors.

> Should my bank really refuse if I have the money, and force them to take me to court to try to get their money just because I didn't authorise the charge?

Yes, absolutely. Are you seriously arguing that anyone should be able to claim money from your bank account without either prior authorization by the account holder or independent arbitration? Bypassing the courts in cases like this serves no one's interests except bad actors.

Dumb question. How much longer till we run out of credit card numbers? Sure 1,000,000,000,000,000 (1 quadrillion) is a large number but the actual usable number is smaller, isn't it, since there is some kind of checksum system?

If you are interested, you can purchase the current specification for the low price of only $68 [0].

Based on Wikipedia [1], the first 6 digits are used to identify the issuer (although from looking at this listing [2], it appears to be standard practise to assign some institutions blocks of IINs, and given that an institution could control multiple IINs, it is probably relatively safe to consider these to be part of the unique card ID). When we start to run out, we will probably see a market for these emerge in the same way we see a market for IPv4 subnets today.

The only area of fragmentation where I see potential trouble for secondary markets is the first digit, which is restricted by industry (banking only has 4,5,6); but if it ever becomes an issue, I am sure they will re-purpose the address space of other industries for banking.

This leaves only the checksum digit itself as deeply problematic for maximum utilization; and that is literally a single digit.

[0] I wish this were a joke. https://webstore.ansi.org/Standards/ISO/ISOIEC78122017

[1] https://en.wikipedia.org/wiki/ISO/IEC_7812

[2] The official listing is not publicly available https://www.bindb.com/bin-list.html

I don’t think we’ll ever have the same issue with PANs that we have with IPv4. There’s never been a standard length for PANs, they already come anywhere between 15 and 19 digits, and simply tacking more on to the end doesn’t present the same challenges as it would have done with IPv4. A lot of organisations that process payments wouldn’t even have to change anything, and those that did would have a pretty strong incentive to do so (to continue getting paid).

There are a million sites out there with credit card forms with 16 digit validation for Visa and Mastercard, so it wouldn't be entirely painless to introduce extra digits.

It’s not really the customer facing web apps that would be a problem here. But I can tell you, anybody who’s tried to do validation on credit card numbers has experience with failing at doing validation on credit card numbers.
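Added example (not part of the thread): the kind of card-form check discussed above, comparing a hard-coded 16-digit rule with a length-tolerant one that verifies the check digit using the Luhn algorithm, which is the checksum payment card numbers carry. The 12-digit lower bound, the function names and the sample numbers are assumptions for this illustration; 4111111111111111 is a widely used test number and the 19-digit value is constructed.

```python
"""Length-tolerant PAN validation with a Luhn check, on constructed numbers."""
import re

MIN_PAN_LEN = 12  # assumption for this example
MAX_PAN_LEN = 19  # upper bound quoted in the thread for APACS 70 / ISO 8583


def luhn_sum(digits, double_first):
    """Luhn sum walking right to left, doubling every second digit."""
    total = 0
    double = double_first
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
        double = not double
    return total


def luhn_valid(digits):
    # With the check digit present, the rightmost digit is not doubled.
    return luhn_sum(digits, double_first=False) % 10 == 0


def luhn_check_digit(partial):
    """Check digit to append to a number that does not have one yet."""
    return str((10 - luhn_sum(partial, double_first=True) % 10) % 10)


def validate_pan(raw):
    """Return (ok, reason) for a card number as a user might type it."""
    digits = re.sub(r"[ -]", "", raw)  # tolerate grouping spaces and hyphens
    if not re.fullmatch(r"[0-9]+", digits):  # ASCII digits only
        return False, "non-digit characters"
    if not MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN:
        return False, "length"
    if not luhn_valid(digits):
        return False, "checksum"
    return True, "ok"


def naive_16_digit_check(raw):
    """The brittle rule: exactly 16 digits, nothing else examined."""
    return re.fullmatch(r"[0-9]{16}", raw) is not None


SAMPLES = [
    "4111111111111111",     # common 16-digit test number
    "4111 1111 1111 1111",  # same number, grouped the way cards print it
    "4111111111111112",     # last digit mistyped
    "4111111111111111110",  # constructed 19-digit number with valid check digit
    "41111111111111111111", # 20 digits, longer than the message formats allow
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:26} naive={naive_16_digit_check(s)!s:5} full={validate_pan(s)}")
```
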

The APACS 70 standard allows for a maximum card length of 19 digits, so tacking more digits on the end isn't going to work with current message formats. IIRC ISO 8583 also has the same limits, although that message format is somewhat more flexible than APACS 70 so could probably be tweaked.

It would of course require a massive amount of work across the board, so it's very unlikely to happen.

Using all 19 digits is tacking more digits on, for practical purposes.

And it really should be enough. With 10^18 numbers you can allocate 1000 numbers per day to each of 10 billion people, and go 10 years between reusing numbers, and still have only a few percent of numbers reserved at any point in time.

It wouldn’t actually be across the board though, the number of organisations that actually interact with AS 2805, APACS 70, ISO 8583... is orders of magnitude smaller than the number that have to interact with IPv4. I think you’re also overestimating how robust these standards are, I’ve never seen two implementations of ISO 8583 that were the same, and I’ve seen some that would process long account numbers without issue. But the real difference is that every stakeholder has a vested interest in keeping their networks operable. Your average consumer doesn’t know what IPv6 is, or who the IETF are, and won’t take kindly to being told they should spend money to fix a problem they created decades ago. Banks don’t have that issue, and those standards aren’t nearly as entrenched as IPv4 is.

I never saw two implementations that were the same either, it was a particular annoyance, but they all defined the PAN as n..19 IME (and 19 was indeed a rare case generally seen with now defunct/less popular card schemes so there's probably still room to fill).

It's true that the number of organisations that interact with the message formats for sending card transactions is significantly smaller than other things, but we're talking about every single bank, every single PSP, every single embedded card device, and probably many more organisations beyond that, currently in operation today. Given the glacial pace of most banks' IT operations I would not expect them to be able to achieve this within a time frame of several years or perhaps even a decade.

Sure these are not the same challenges as IPv4 and such, but it is in no way a trivial change to tweak a message format that has been in use since before most HN users were born :)

Even if we cut out that the first 2 digits represent the network (i.e. Mastercard/Visa) and cut another checksum digit at the end, it leaves us with 1 trillion numbers. That's about 150 for every living human on the planet.

Then factor in that CC numbers have an ~2 year expiry date and a 3 digit CCV number, so old numbers can easily be reused.

Further the name of the holder could be added as a key to the number, further increasing reuse.

We won't run out of CC numbers anytime soon.

The key is credit card number + expiry date. Cards can share numbers as long as the expiry date is different.

No they cannot. Most customers keep the same CC # and get a new expiry and security code when renewed.

Yes you can't "share" numbers (in the sense of 2 people having the same CC number), but what you describe prevents a new number from being needed (so it is one less new number needed).

Where? This is not common practice where I live, in fact, it's the first time I've heard about it. Interesting!

Do you have a debit or credit card account that you've kept open through a few expiration dates? An old card maybe? Compare it to your current one.

It's always a new number. Shortly before the cards expire, you're issued a new one. That's how it's been for me for this whole century.

This isn’t true, the same PAN (Primary Account Number) is never issued to two different accounts. Even if you wanted to solve all the payment routing problems this could cause, it wouldn’t be possible to implement. The expiry date can change while the PAN stays the same, so you’d never be able to guarantee a unique key today stays unique in the future.

I used to work in a bank where we had to specifically implement routines for when visa reused the PANs...

There was a period between the old expiration and the new issue and not common, but it did happen from time to time.

I should have been a bit more verbose. Two accounts won’t have the same PAN at the same time.

Which is notable, but doesn't matter in the context of "running out of numbers"

Seems to matter a lot for IPv4.

Being able to recycle numbers is the difference between "this can work for a few years at full scale" and "this can work forever". IPv4 can't even reach the first level. It can't even give out one address per human.

I'm sure you've seen the idea that an upgrade to IP could have just added another octet or two and changed nothing else. It would have worked pretty well to prevent us running out of addresses, with 40 or 48 bits.

Well, 16 digit credit card numbers are a hair under 50 bits. And full-size 19 digit credit card numbers are a hair under 60 bits. That's plenty. You can give out a million of them to every person. If we couldn't reuse, they would eventually run out. Because we can, they won't run out.

For example, last time mine renewed I found out that AWS didn't record the expiry date. I only have to update the CVV.

It's less of a problem because expiry dates add another variable (though I'm not even sure if issuers had to reuse a number with a new expiry date)

Also CVVs won't match even if you reuse the number

I wish my bank offered that as well but another option offered in some countries including mine is to buy a prepaid MasterCard gift card.

Now such gift cards aren’t perfect — you have to pay a bit extra, but for the purpose of signing up for a trial period with any company that automatically turns your trial into a subscription and which is known to make it difficult to cancel the trial it might be a good idea.

However, before even signing up for a trial with a prepaid gift card one needs to be sure that one is not entering into an agreement that legally binds you to a subscription.

I recently bought a prepaid gift card that I intend to use for a 7-day trial with a company that is known to make it difficult to cancel. But I will only sign up for the trial if the automatic subscription is not legally binding.

> However, before even signing up for a trial with a prepaid gift card one needs to be sure that one is not entering into an agreement that legally binds you to a subscription.

This gets to the heart of the matter: it shouldn’t be possible to sign up for a legally binding automatic subscription for a pure service. Customers should have the liberty to leave at any time without incurring a fee.

If I can sign up in under a minute I ought to be able to leave in under a minute.

I tried this feature from my bank (not BofA) several years back. It didn't work as I expected. Even after revoking the card, the merchant was still able to charge me and the amount was just posted to my "real" card number.

I called and complained and the customer service told me that once I had authorized the merchant to charge me, they would accept any future charges even if the card number was closed.

Just curious, have you actually used BofA's service? Maybe the implementation is different now...

If it works, it would be a great way to limit those automatic renewal situations.

Citi offers the same but their UI is still in Flash


Been using it for years. Great service.

Came to reply with this. I've been using it for years and even managed to get my wife on board. Don't tell them but I'd be willing to pay a small amount for this service. Any company I deal with that has a recurring payment and makes cancellation painful just gets cut off instead. Major time saver. My one complaint is that some large vendors identify their cards as gift cards and won't accept them.

Unfortunately only for US residents.

I just speak to my credit card company, tell them exactly what’s going on and that I’ve tried to stop a subscription or service, that I’ve stopped using said service and have recordings of the attempts. This is in the U.S. for the record, I don’t know about any other country’s credit card companies, sorry.

> If you’ve tried to cancel a service, stopped using it, and stop payment... well, the rest is their problem.

If you're going to play that game, you'd better be very sure that you can prove you made all reasonable efforts to cancel the service. Otherwise, blocking a payment method does not absolve you of any obligation to pay for something you agreed to, and you can be pursued for the money (and often interest/fees/legal costs), and if that's all there is to it then you will lose in court if things get that far.

In practice this never happens. I wouldn’t worry about this unless it has happened to you at least once.

It happened to me with 1and1.com. They renewed my domain name (for one I didn't care about) and my card had already expired. So instead of not renewing the domain, they renewed it and then billed me and sent it to collections. It hit my credit report but I mailed the collections agency a dispute asking them to prove it was a legitimate debt and they ended up dropping it. I don't do any business with 1and1.com anymore. This was back in 2012.

Wow, now there's a blast from the past. I've had nothing but bad experience with 1and1, as a result I also no longer do business with them anymore.

> In practice this never happens.

Why do you think that?

Because I’ve done it a few times and nothing happened.

I run a small SaaS and people sign up, forget they signed up and then dispute the charge. I have always won those disputes. A failure to cancel isn’t the same thing as you were charged inaccurately. How am I supposed to know you intend to cancel without you actually cancelling? Should I just lock people out of their accounts each month until they proactively renew? Subscription pricing is just that: subscription pricing. If you want to buy a single newspaper, you pay a higher price than if you are a subscriber? You get a cheaper price because you are subscribing. So how do I know you actually “cancelled” if you didn’t? Am I obligated to provide you service and then you decide after the fact that you don’t want to pay? Newspapers don’t refund your past subscriptions just because you claim you didn’t read the paper. That’s not my problem. A subscription is a contract, an agreement, a deal. When you sign up for something, you are agreeing to the terms. If you don’t like them, don’t sign up. But disputing a valid payment is nothing more than theft. Forgetting you signed up isn’t an excuse. Of course it’s a different story if you did cancel and they keep billing — that is absolutely wrong. But just because you forgot isn’t a valid excuse. How are we (the service provider) supposed to know if you forgot? We are still providing you the service — whether you use it or not isn’t our concern just as newspapers aren’t obligated to ensure that you actually read the paper every day. Auto-renewing free trials however, that is a bit deceptive, so I agree with Mastercard’s approach.

I agree with the sentiment but disagree with the conclusion.

My approach to customer payment is that I don't want your money unless you're happy with the service so if you've gone as far as stopping payment with your card provider, I'll take that as a sign you don't want to be a customer anymore.

I never dispute chargebacks, but instead try to get the customer to withdraw it and behave like an adult, letting me refund and cancel his subscription like we would have had he simply asked.

There's no situation where I'd consider chasing down a customer who didn't want to pay to claw back my fourteen dollars. In my mind, it's not mine to have if he doesn't want me to have it.

> I never dispute chargebacks, but instead try to get the customer to withdraw it and behave like an adult, letting me refund and cancel his subscription like we would have had he simply asked.

I've tried to do this too, but unfortunately you're in the position of asking a former customer a favor, and you can't give them anything in return. They end up in the same position (getting refunded), but have to waste time on the phone with their bank. It's a tough sell, in my experience.

As the sibling comment already pointed out, getting the customer to reverse the dispute is a losing battle. They already got what they want.

And we're happy to refund, just drop us an email. But going around us to your bank leaves us not only with the refund, but also a chargeback fee, plus it hits our merchant reputation. Granted, it's a tiny fraction of all transactions (because we don't use dark patterns), but just feels really unfair, and not the adult thing in the first place.

I guess both our small business and the customers (and even banks, having to process disputes etc) pay the price for all those big-co contracts that are notoriously hard to cancel.

Can you let me know the name of your SaaS so I can add it to my blacklist? Thanks.

> But disputing a valid payment is nothing more than theft.

I'm always happy to steal from companies that turn my free trials into subscriptions. I'd steal more if I could.

You're coming at this as if the service provider is innocent, and merely providing a service. But we're talking explicitly about companies that give you free trials with the "asterisk, ps, you will pay real money in for this every month on this".

> But we're talking explicitly about companies that give you free trials with the "asterisk, ps, you will pay real money in for this every month on this".

No, this subthread is definitely about cancelling services in general.


As in you were skimming through the signup and didn't notice the part where you typed in your credit card details and clicked the subscribe button? That seems unlikely.

If you don't want to buy something, the best policy is not to buy it. Then you won't have bought it by accident and have to get your bank involved to unbuy it.

You said in another comment that your service requires explicit user action to convert from free trial to paid subscription.

So why are you pretending not to know the difference in this comment?

Then perhaps you've just been lucky. Sometimes merchants might decide it's not worth the trouble to go after you for a small amount, for example.

For comparison, I work on a service that uses recurring billing, and we have wording in our legal terms specifically so we can go after you for things like the cost of recovery as well if you abuse us like this. Our lawyer didn't include those words just for fun.

Abuse? I record all calls I make to customer service entities, with the opening, “Hi, I’m recording this call.” So yeah, in the four or five times I’ve had to do this, no one was dumb enough to take me to court, and if they did they’d lose. I make sure that I don’t use a service without paying for it, I make it clear what’s going to happen and tell them to stop the service and that I’m going to stop payment. If they can’t manage that, by all means, talk to my attorney.

When the phone tree says “this call may be recorded”, thank them for granting you permission.

If you don’t consent to being recorded, they are required to serve you in an unrecorded line. And if they cannot, then you have been denied service. And if you’re denied service, you cannot cancel. So run the chargeback.

Um, no. That's not accurate at all. Maybe it's different outside the US, but many states are "single-party consent" states, meaning you don't need permission to record them and vice-versa. The biggest reason that many companies disclose the fact that they're recording the call is that you might be calling from a location that requires consent from all parties; they want to cover their butts.

I was mostly referring to here in California, but it would also apply to: Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania and Washington.

In your earlier comment you said you cancel charges rather than dealing with "customer service".

It's only reasonable to interpret that as you not calling at all. And in that case it would be abuse to file a chargeback.

It seems like that's not what you actually meant, and you do call first? Great! But you shouldn't be confused that people misunderstood your earlier comment.

You're talking about a situation where you have demonstrably tried to cancel. The rest of us were talking about a situation where someone cancels payment but not the contract. Both legally and ethically speaking, those are entirely different scenarios.

How many users do you go after per month?

Not very many. We don't use dark patterns and make it easy for people who want to cancel a subscription, so it's not a problem we have for the most part.

But on the relatively rare occasions that someone has been abusive -- the kind of person who repeatedly tries to sign up under different aliases and get a bit more for free in violation of terms, for example -- we can and sometimes do take action, and we have never lost.

It's a little disturbing that so many people's reaction here is apparently a form of wilful ignorance. You can downvote or make comments about how this has never happened to you or talk to your attorney or whatever if that makes you feel good, but your opinion does not change the legal situation: cancelling a payment method is not generally equivalent to cancelling a legally binding contract, and the advice to rely on doing so could lead to people being the wrong side of a real legal action, paying recovery costs that far exceed the original size of the debt, damaging their credit, etc.

Don't you have to lie at some point that a vendor is committing fraud in order to do this?

As I’ve had to say several times in this discussion, no. I am not using the chargeback feature.


If you don't recall signing up in the first place it isn't fraud. Fraud requires intent.

So you wouldn't consider having #f0f0f0 color text on a #ffffff background in 2pt font stating that it's a recurring $bignum payment each month as a fraud? Dark patterns are certainly a thing...

Just how much notification and approval is needed before it's not fraud or otherwise deceitful and questionable legality?

If a user disputed a charge that was presented in that way, then the chargeback isn't fraudulent IMHO. The user didn't know that the charge was recurring.

Services shouldn't be telling users a charge is recurring, users should be telling websites that they want to auto-renew. The default should always be a non-recurring charge and selecting anything else should require an email confirmation.

> must let you cancel subscriptions online

When I had an Xbox I remember that it was SUPER easy to register for Xbox Live Gold (online, done in a few mins, right from the console itself!), but then when you wanted to cancel... there was no menu anywhere. You had to go to the website, find an obscure page with a phone number you had to call, and spend 10 mins on the line with a representative to cancel your subscription.

Needless to say, that was the last time ever Microsoft got my money with the Xbox.

The only way to get around this (in the United States) was to set your address to Chicago. I assume some local statute required this.

California requires this now as well: if you sign up online, you have to be able to cancel online.

You could always cancel online. Setting your address to Illinois allowed you to turn off auto-renew, which was not possible to do online otherwise.

In Germany, everything has to have the option to cancel in the same way you signed up. So if you sign up online, you will be able to cancel online.

That's such a sane, common-sense law. If a company has the resource to allow online payment processing, they sure as hell have the resources to allow online cancelling. So the only reason they wouldn't have it is to make it hard for you to cancel.

I think this is common all over Europe. You also have the "right to regret" so within 14 days of buying stuff online you can cancel and refund it no questions asked by law.

In fact, in my country there is also a requirement that the companies send you information about this right and forms you can fill out to complete the request with the order confirmation.

> You also have the "right to regret" so within 14 days of buying stuff online you can cancel and refund it no questions asked by law.

Although this comes with some caveats. The consumer protection rules for distance selling are very strict in the EU, but if you're buying something like digital content, it's obviously not reasonable to say someone can pay today but can't then be provided with what they've just paid for for 14 days just in case they decide to cancel. The law does provide for giving up those cancellation rights and getting the content immediately, as long as it's clearly stated at the time of purchase that this is what you're doing.

Yes, if you buy digital and download the content you can't refund, but that's about the only way you can "give up" the right I think?

I think that may even be an EU-wide law - I believe it's the same in the Netherlands, although it was introduced not that long ago.

It might be, it's always hard to remember if some piece of consumer protection is EU or German, both like doing that ;)

Tivo, a California company: "We currently don’t offer the ability to cancel service online."


They deserve a public and vocal PR backlash over this.

Same with the Wall St. Journal.

And "The Economist", was very annoyed/disappointed to find that out.

You can just email them with your CRN saying that you wish to cancel. That's okay with me.

I've been using SiriusXM for years, and they have been more than happy to continue their lower initial price - or one very close to it - indefinitely, provided you call them once a year and threaten to cancel right here, right now. Why on earth they insist on this game instead of just giving me the price they and I both are happy to agree on is anybody's guess, nevertheless this is the case. I guess a lot of people give up and pay the higher price? Never had a problem with their service reps though. Answer times were reasonable and as long as you make it clear you'll really cancel if you'd not get a reasonable price, it didn't take a lot of time overall.

> Why on earth they insist on this game instead of just giving me the price they and I both are happy to agree on is anybody's guess, nevertheless this is the case.

Because you're not an individual customer to them. They look at customers as if they were a liquid, so they don't bother with individual liquid molecules. If the customers want to flow up, but they want them to flow left, they'll insert some stupid block in the flow path. It doesn't matter the liquid will splash, and some individual molecules will get lost. As long as most of the customers flow in the direction they need, that's all they care about.

Everyone in my family has been doing this for years.

I even tried just asking the first person if there are any promos available, to try and skip the song and dance. But they said no. "OK, then I need to cancel." And you're sent over to someone who can get you back down to your prior rate.

I always tell them that $5/mo per radio is the most I can justify paying, and it always works. Then set a reminder to call them again in a few months. Often they'll tell you directly to call back before the promo expires so they can ensure you get back on one. My next reminder is for February 15.

My fiancée got a new car that included SiriusXM and she activated the free trial. Sirius called the car via onstar to give her a sales pitch and try and get her to activate XM radio. When it happened while I was in the car, she said that was the third time they did that.

Reason why I'm just using a 3rd party between the business and my credit card. Have no problem with a 3rd party taking a cut but standardizing the whole process through a single interface to cancel subscriptions services without needing to go through all the crap.

Sounds pretty cool - what service do you use?

privacy.com works well for this sort of thing

Anything for non-US residents?

Citibank, BofA and others let you create virtual credit card numbers off of your actual credit card. These numbers can only be used by one merchant, and you can specify the max amount they are able to charge, as well as how many months the number is valid. You can delete your virtual number any time. What does privacy.com have that is better?



sounds the same, works with any bank account

The worst is newspapers. 3rd parties bundle a bunch of them and you have to be sure you cancel all of them. You call and they will fight you about it and actively try their hardest to "lock you in for another 3 months at only x/mo."

SiriusXM TOS says you are still liable for the charges in this case. It will be sent to collections.

They won’t send to collections, not worth their time or money. It’s just a scare tactic. I blocked payments on them, no collections. Although they do still spam me with come back offers.

The worst company I've ever had to deal with regarding cancelling a trial is the Wall Street Journal and all of the sub brands it owns. In order to cancel, you HAVE TO call in and sit through an aggressive sales pitch.

Not so fast! The press release is sort of ambiguous. It sort of seems like they only added an additional rule for the merchant to send an email or text with instructions on how to cancel before billing. To me it seems like the first part of their statement announces what they've done and the 2nd part tells how they've done it -- with an email to cancel. It's not clear that the same email will require the user to click confirming the charge.

"The rule change will require merchants to gain cardholder approval at the conclusion of the trial before they start billing. To help cardholders with that decision, merchants will be required to send the cardholder – either by email or text – the transaction amount, payment date, merchant name along with explicit instructions on how to cancel a trial."

This would literally kill a few businesses here in Germany that rely exactly on that dark pattern.

This is one thing which is quite ridiculous in Germany for all contracts - phone, Internet, electricity, gas etc. Once, I had a bike sharing company which charged me 3€ the next year after I forgot to cancel it the year previous. They sent me an e-mail saying "intimation is not needed". I told them, they sent me 100s of marketing e-mails which wasn't needed too. Couldn't they send one reminder before they continued the charge? They just didn't get it! Admittedly, 3€ was not a big amount but the business practice was purely unethical.

Same experience with German gym memberships. My 2 year contract will automatically renew in August if I do not cancel it 30 days in advance.

Unfortunately I think the German bad actors would continue with their business as usual.

German companies like this prefer to treat recurring billing to a cancelled credit card as a delinquent account. They'll keep the service 'active' nominally, but refer payment to a collections agency ("Inkasso"), who will then send bills, threatening letters from lawyers, and bills for the threatening letters from lawyers. Worst of all, it seems like German law is a-ok with this practice.

And may they rot in hell.

The worst offenders cancel the trial period as soon as you take away payment.

Looking at you, Pluralsight.

I don't see why that is so offensive. Businesses aren't offering these trials out of charity, they're doing it to give you a chance to see if you want to become their customer, as a form of marketing. If you've clearly demonstrated that you have no intention of continuing to that point in the relationship, why should they have any obligation to continue giving you stuff for free anyway?

I always cancel the subscription after entering in those trials, because if I don't like the service I will forget about this service and probably will be billed at the end of the next month, generating an unnecessary headache.

If I like the service and want to continue to use it after the trial period, I simply re-added my billing information.

Cancelling the trial if I remove my billing information during it is unfair because it is just another mechanism to make consumers forget about the service and being billed by a service they don't even use.

You seem to be arguing that you've started a trial because you're genuinely interested, you're aware enough of the trial to remove your billing information, yet stopping the service when you do so is unfair because you might forget and then be billed for a service you're not using. If you're not using it, why is it a problem for you to have the service stopped when you remove the billing information?

genuinely interested != want to continue to use the service.

Yeah, I may be genuinely interested enough in a new service to create an account and even put my CC information to have access to the trial [1]. However it does not mean that I will like the service and want to continue to use it.

The best way to avoid having a surprise in my CC at the end of the month is to simply subscribe to the trial and afterwards cancel any automatic billing. If I don't do it when I am creating my account, I will forget it later. Yet I will continue to test the service until the end of my trial.

Now if you simply stop my trial, that is unfair. Why would you want to keep my billing info until the end of trial is beyond any good reason except to maybe try to make me forget about the whole thing and gain some money on people that forget to unsubscribe for services they don't use.

[1]: Multiple times they ask CC information to know if it is a genuine prospect (a.k.a. someone that can really pay for the service later, instead of a bot or something). So it is ok to ask for CC information for trial periods, it is not ok to cancel my trial just because I removed my CC information.

This still doesn't make sense to me. How are you genuinely interested and continuing to actively test the service for say a month of trial period, and yet somehow simultaneously forgetting all about it and not cancelling before the end of that period if you decide it's not for you?

You got this the wrong way around. What reason do they have for charging me automatically at the end of the trial period? Okay, payment info is a neat way to prevent starting new trials somewhat, but why the automatic charging if they want to convince me of the value of the subscription? The only reason they do this automatically is because they want to charge the people who forgot to cancel. What other reason would there be?

> What other reason would there be?

Because any friction in the sign-up process reduces conversion rates, often dramatically in cases like this. Importantly, that applies to customers who would otherwise decide to continue just the same as to those who want to cancel but forgot to do so.

Remember, the only reason a business is offering you a free trial of anything is normally to increase the chances that you'll decide to stay with them and pay them money. If you don't like that arrangement, no-one is forcing you to sign up for the free trial!

Obviously it's scummy behaviour if a business signs you up for something in the small print and then makes it unreasonably difficult to exercise your right to cancel. I don't see anyone disputing that.

But if someone has knowingly signed up for a trial, if it was clearly stated up-front that if they don't cancel before the end of the trial period then they'll start paying to continue using the service, and if a reasonable means to cancel was provided, I just don't see the problem here.

I guess because some businesses claim it is for verification purposes (because hoping you forget it would be a dark pattern).

I'd say if it is really for verification I can perfectly understand why a customer removes it after verification if they are still not sure if they are going to stay with the service or not.

Being smart about this can save you a few bucks a year (and/or some hassle).

Personally I just don't test products that require cc for free trials. Saves me even more hassle.

Because that's the offer they made.

Removing a payment method doesn't equal saying that you never want to use the service again. It can be a protective measure against automatic signup to a paid service.

And removing the service when they remove the intent to continue can be a protective measure against people signing up repeatedly to your free trial but never having any intention of ever paying you any money. Why is that unreasonable, if it's also clearly part of the offer being made?

The CBS app did this to me. I signed up for a free trial, watched some Star Trek, and then cancelled. It immediately cut off all my access, and I didn't even get the duration of the month to use. The month that I had paid for.

If this was on iOS then this is explicitly in Apple's guidelines not something that CBS mandated. The guidelines say that any remaining time on a free trial must end immediately if canceled early.

So was it a free trial or were you paying for it? Your comment seems contradictory.

And the millions of adult sites will change their billing schemes too.

> they required you to commit a CC

It's not always that type of scam. Services that feature some kind of content upload or distribution ask for cc also to have some sort of hard-verified identity, to prevent service abuse.

Yup. Same thing with Blendle: the advertised "free trial" actually costs 1 cent for two weeks, and by confirming that payment you automatically commit to a paid subscription following those first two weeks.

Needless to say, I didn't pay for the free trial. It's a shame, because I think their business model is the right way forward. But I will not support such practices.

Have Blendle changed business model?

I thought with Blendle you paid for reads, not for days/weeks/months?

Cannot recall having seen any charges for Blendle since last time I used it.

It's not a CC brand though; that's like saying Toyota is an electric car brand.

I've had plenty of Visa and MasterCard cards and never had a credit card.

I'm 100% in favor of this - if your business includes people paying you without realizing it, or making it difficult or costly to cancel, you shouldn't be in business.

However, won't merchants simply stop using free trials and go to a "$1 for 14 days" or similarly impulse-driven model? Sure the conversions compared to free will be tiny but impulse buying is a real thing and dumping someone into a $50/mo subscription after their $1 two week trial would still be complying with this new rule.

We really need better consumer protections. I know there has been more talk that the ability to cancel must be as easy and the same manner as sign up. I'm surprised but glad that Mastercard is helping in this way. It would be great if they also added that other protections that are designed to take advantage of poor and disadvantaged people like 20%+ interest rates and high late fees.

It's important to distinguish between things designed to take advantage of poor people, and completely reasonable penalties/structures that happen to affect poor people more because, not surprisingly, it's hard not to have money.

20% interest is not inherently a bad thing and shouldn't be outlawed out of hand. If you lend me $20 today and in exchange I pay you back plus buy you a beer on Saturday, that's an astronomical interest rate.

I co-own a brick and mortar business and we charge the maximum late fees allowed by law because people paying late absolutely destroys our cash flow. It's not because we actually want the late fees - we'd much rather have people pay on time and be able to accurately plan for less money than have an influx of onerous fees. It's not uncommon for a profitable business to fail because cash flow is a problem.

I have very good credit and I recently got an offer for a credit card with a 29% interest rate.

The reason I know this is because of consumer protection laws. Otherwise this number would have been hidden in the very very very fine print of some page somewhere.

20% of $20 has a MUCH smaller impact on someone who is suffering financially than 20% of $1000 so your analogy is not really the same in terms of impact.

Suffering financially has a pretty wide band. If you make $100k but only save $100 or save nothing, I’d say you’re suffering financially.

If you work minimum wage and have a spouse or even just kids to support, 20% of $20 isn’t chump change. You have to make every penny count. You’re in an extremely difficult position.

Instead of attacking the specifics of an example given off the top of my head, try to understand the point I'm making.

I signed up to the WSJ recently. Paid for it for one month and then decided I didn’t like their reporting, especially some things which I felt are dishonest or opinion pieces which were highly offensive and discriminatory points of views.

Anyway, you can’t cancel online. You have to physically call a number. I ended up putting it off just until the day before they were going to charge me again. Seriously, FU wsj.

Link to original source:


HN Guidelines say: "Please submit the original source. If a post reports on something found on another site, submit the latter."


OK, we've changed to that from https://www.theverge.com/2019/1/16/18185468/mastercard-free-.... Thanks!

VISA sent Netflix my new card details. I thought since my card was new and they didn't have the numbers and happened to lose my job at the same time thought I was safe and was just going to quit Netflix. Instead visa sends them the new numbers so I don't have a "disruption of service". Not cool visa.

This is absolutely routine in the card payments industry and has been for a long time. People don't like having legitimate recurring charges disrupted just because their card provider mails them some new plastic every few years.

If you want to cancel a service, cancel it with the service provider. Do not rely on anything to do with any payment method that you happen to believe might cancel it. Those mechanisms are for exceptional situations like an abusive merchant who has made it unreasonably difficult to cancel through the proper channels, not for your convenience in avoiding payments you've agreed to make.

I am aware it is routine now but at the time it happened I was under a lot of stress, was a lot younger and had never experienced it so it could not have happened at a worse time. I posted about this before and the card had actually expired like 2 months before and Netflix threatened to cut off service and actually did. So after weeks of no Netflix and I had lost my job and had a few dollars to my name out comes a Netflix payment from the last of my food money. I properly closed my account and have felt a little jaded since. Also to follow up I am in a good job since and things are a lot better. But I don't forget the day I realized I had nothing to eat but was able to watch "Friends" reruns lol.

The incentives for the service provider are bad, the incentives for the payment provider are not. Thus cancellation should be handled through the payment provider.

But cancelling the payment doesn't mean you cancelled the subscription. You might still owe the money. Unlikely some company will go to court for $20. But for larger amounts it's not impossible.

And I guess now with MasterCard signing up for a trial does not mean I entered a subscription. And for the record I did not owe netflix anything as they bill first

Your guess is wrong. When you sign up for something, your agreement with the provider will be governed by the contract you make with them. MasterCard are not a legislative or judicial body, and we should be very wary of allowing organisations like that with monopoly/oligopoly control of such a fundamental aspect of the market to exercise quasi-judicial powers.

I had the opposite experience with Uber just recently - my card expired, and I tried to enter the new card (same number, different verification code and different expiry) and the Uber site rejected it complaining that the card had expired. I tried mobile app, desktop website, couldn't find any way around it. The site wouldn't let me delete the old expired card either.

I found I actually had to track down a third credit card from someone else, add that, delete the old one, add the second one, and then delete the third one. For some startup I might expect that, but it's surprising to have to manage my billing this way for one of the most prominent apps on the planet.

I just checked the Android app, there was an option to edit the credit card (Payment, click card, top-right menu, edit. Delete is in same place). That seems to allow changing expiry date, CVV and country.

Well for me it was the opposite, I had a lot of services attached to the same card and when I got a new card it was such a nice feeling that I did not have to go through the trouble of updating each of them with new card information.

It's UX failure.

PayPal and Apple's Store show me a list of all services that are authorized to pull money from my account.

CCs don't. You may have to do a nontrivial amount of research (or at least worrying) to ensure that everything is accounted for by the next charge cycle if you were to switch CC numbers without charge forwarding.

If CCs did have a paradigm of services authorized to re-bill you, then we wouldn't have people changing CC numbers to "reset" their re-bills nor to avoid future pulls from their account. But since CCs offer a UX clusterfuck, people will often find the need to clean the slate.

When I got a new card they "helpfully" sent the new number to Redbox, who then charged me a late fee when the thieves who originally skimmed my card didn't return the movie they "rented".

Assuming you weren't on a trial, that's actually pretty useful. They should ask though.

Depends on the payment provider and card network but actually it's fairly common nowadays. Stripe has had this for a while. https://stripe.com/blog/smarter-saved-cards

I’ve found that cancelled (because you’re issued a new one) or expired cards will tend to keep working at online merchants where the card was saved, even though they presumably won’t work at point-of-sale cardreaders.

Ideally you should have both features. What if you auto-paid bills with your card?

I nearly had my car insurance cancelled after the card I bill it to every 6 months was compromised and reissued. One day, a notice of cancellation appeared in my mailbox. I simply forgot about updating the card with them when I went through my list of merchants. Fortunately, a phone call fixed everything and I didn't end up with a lapse in coverage.

An automatic update of my info would have saved me quite a bit of anxiety.

This is a lovely consumer-empowering move. Every service should be cancellable without going through a Retention Specialist.

I will plug a service I use (no other relation): privacy.com. It creates credit cards with pre-set spending limits, one-time or recurring. 1-800-hold-forever? No thanks, I'll just send the email and disengage the money hose.

Hopefully this sort of service becomes widespread, and services become less dependent on high-friction in cancellation.

I like the concept of Privacy.com, but dropped off after signing up because they require linking a bank account through Plaid, which requires you to hand over your online banking credentials, which makes you liable for any fraudulent charges to the account according to the policy of most banks, and gives them access to all the confidential financial information available from your banking dashboard.

A routing number + deposits verification system still gives push/pull access, but offers recourse in the case of fraud, and doesn't expose all of your financial history in the process. It's a tried and true system used by many other reputable online payments businesses. It amazes me that they still don't offer routing number based verification as an alternative, quite ironic considering that the company has the audacity to name themselves Privacy.

Final was a much better product in that regard, because it was a credit card, so you could pay from your bank's bill payment page in a push-only manner without giving away any access whatsoever to your bank. Plus the rewards were much better, and you get access to 30 days of float on your purchases by nature of it being a credit card. Too bad the company behind it was acquihired by Goldman Sachs: https://www.fastcompany.com/40523758/goldman-sachs-buys-cred...

I'm still hoping something similar pops up again eventually.

Hey there! One of the Privacy.com cofounders here.

I hear you on the login concern. We've been rolling out alternative flows (including micro-deposits). If you're open to giving us another shot, drop me a note bo@privacy.com, and I'd be happy to set you up.

I'll also point out Teampay.co that creates single-use CCs (with specific limits) through Slack similar to "I want to buy a MacBook Pro from Apple for $1,845.50". It's been an amazing tool. Also supports recurring weekly/monthly/annual charges and sends a Slack message every time the cards you approve are used.

Is there a non-US alternative to privacy.com?

I have trouble trusting privacy.com when they want my bank account information up front. I see them as just a ticking time bomb waiting to be hacked.

Hey there! One of the Privacy.com cofounders here.

I hear you on the login concern. It was something we launched with and releasing new bank flows is tricky, so we've been doing so slowly.

That said, we do have alternative flows (including micro-deposits). If you're open to giving us another chance, drop me a note (bo@privacy.com), and I'd be happy to set you up.

Is that fairly recent? I remember when I last tried to sign up I was kind of blindsided by it just asking for banking information without prior knowledge.

I’ll probably give you guys another shot. Although I’d still put a mention of how to fund your account on the homepage.

Yeah - that makes sense. We're working this into our FAQ / help desk copy, but it should be more prominent.

We're releasing it slowly for risk management reasons (so not everyone sees it). Happy to activate it manually on your account though if you'd like.

Presumably, the merchant I'm dealing with gets enough information about me to identify me. Couldn't they maintain a "blacklist" of people who use Privacy cards?

Privacy works by buying large blocks of gift card numbers and issuing them on demand. A vendor can (and some do) reject gift cards. For those that don't, you can use any billing name/address you'd like and the cards will verify. Privacy uses the card number + expiration + cvv2 code to validate the card. I've had a single merchant reject a purchase because I used "${merchant_name} Customer" as the billing name. I also use a blackhole mailing address to avoid the seemingly natural inclination of various vendors to send paper mailers that I don't want.

Hell, I have enough trouble with my normal cards being rejected by US/UK services (I'm in Australia), let alone cards that may give me a higher "risk score" with merchants.

From the link it does not look like anything changed.

There will be more communication from the vendor to the buyer. That's all.

I welcome Mastercard's move at the issue. If you do give your c/c number for free trials then this is probably most useful.

Aside from that, I don't think I've ever given my c/c number for any "trial period" offer. I've mostly ever used the usage of that scheme as a red flag to steer away from the business before even considering signing up for anything.

This is not merely because I'm lazy and I don't want to even think about remembering to cancel but because I probably wouldn't want to use such a service at all. The shabbiest businesses are heavily infested with this sort of trickery, but even some good businesses have followed. It doesn't bring any value to the user except one more place where you c/c details can leak away, one more thing to remember and potentially an extra charge that will just upset you.

Trial periods can be implemented without a credit card if you really want to.

That's correct when you're a business but not when you're dealing with consumers. Some of the latter will have no qualms creating new email addresses to "renew" their trial periods, effectively giving you free riders and bunk operational stats.

Frankly if your paid-tier is so underwhelming that people would 'bunk off' and keep renewing free trials then I think your offering sucks.

Look at current Flickr, trying to force users into a one-size Pro membership. They're not listening to light users who won't pay $50 + taxes + currency conversion fees to get 'stats and partner offers'. Instead people are creating multiple accounts and storing 999 photos in each, for free. Flickr should be in that space with $10 Basic accounts.

> Frankly if your paid-tier is so underwhelming that people would 'bunk off' and keep renewing free trials then I think your offering sucks.

If you've never run a business in this sort of industry, you would be truly amazed at the lengths some people will go to just to save a few bucks.

At an early stage of one of my businesses, the founders were literally sleeping in shifts because a small group of people was creating new accounts 24/7 and trying to scrape our entire offering piece by piece to work around the caps on individual accounts. So apparently our offering was good enough for them to try to clone all of it and presumably set up a copycat site, yet by your argument it was also "underwhelming" because they didn't want to pay anything for it.

Sure, there are businesses that need better pricing. There are also people who will go through extraordinary efforts to get something for "free" (ignoring the cost of their efforts). I'm fairly sure that if you had a service that changes $1 to $2 that you would have people figuring out how to not give that $1.

That's true, but those people would most likely never be paying customers. If you could get 10% of the freeloaders to become paying customers by adding a lower price bracket that would be a win for the business.

If that was the case, they'd email you a few days before payment was due to remind you.

Twice I've been stung for that - they're silent for the month, but as soon as you cancel (after navigating their dark patterns) they start the email bombardment.

Requiring payment details for a "free trial" is a huge red flag for me now - simply because it tells me what type of company it may be.

Requiring a cc for that is the wrong solution.

If you've anything better to offer, methinks a gazillion marketers, designers, and SaaS developers out there will be all ears open. Here's the dilemma in a nutshell:

- If you don't give full access to what you're offering during the trial period, would-be users won't get a feel of what they might be losing out on when the trial runs out.

- If you do give full access during the trial period, but don't require some kind of hard to get unique enough identifier, a non-negligible number of users will create new accounts ad nauseam.

(Alternative unique identifiers could be SSNs or ID cards or physical mail addresses. But these are all non-starters. And phone numbers and emails are free for all practical intents.)

It often is very easy to limit the usefulness of a trial version without impacting the trial at all.

The negligible part is the cost of the freeloaders, there can also be value in freeloaders. They help spread the word and keep up the good word and they might convert rather than going to a competitor. They also represent a good opportunity to show good will.

The non-negligible part is the lost revenue from performing such shady practices as requiring a cc / phone number. If you require that for a trial I will perform extensive research of your competitors. And if desperate enough might consider you after that if nothing else was up to par.

If you allow me to sign up for a trial without an email that is very positive and shows me that you respect your users. That is very appealing.

And very reasonable, because the sole reason for anyone to ask for an email is so they can send spam to it afterwards. Which of course shows me that you do not respect your users.

> (Alternative unique identifiers could be SSNs or ID cards or physical mail addresses. But these are all non-starters. And phone numbers and emails are free for all practical intents.)

Can you speak more to your comment that phone numbers are essentially free? I know with something like Google voice you can get one free number (which still needs to be associated with a non-GV number). How would you get many phone numbers for free?

The top Google result for free phone number yields, for me, a PAYGO internet phone service that offers a number for no monthly costs. I can't imagine they're the only one doing so. And even if there's a limited number of such services, I'd be surprised if a number of other internet phone operators don't allow you to change your number for free or very cheaply.

Could you provide a link to the service you are talking about? I can't find any without a monthly fee of some kind.

Also, the original comment specifically mentioned free phone numbers, not cheap or otherwise not-free numbers.

The thing is there are already multiple services offering endless virtual CC numbers. This doesn't work at all as an unique identifier. It just adds drag.

That's why you don't accept things like prepaid cards for subscription services.

What's a better solution?

I have a CC that lets me generate a temporary number with a spending limit, a specified expiration date, and whether or not to allow recurring payments. That's the only one I use to sign up for "free" trials, because I don't even have to remember to cancel. The company will remind me to cancel when they can't collect payment!

May I ask you which company is this?

Bank of America MasterCard. ShopSafe feature. Not sure if all BOA cards have it though.

Unless I'm misreading it, the title of the HN link and the article's meaning don't match.

"Mastercard will stop free trials from automatically billing once they're over" is not the same as "merchants will be required to send the cardholder [a message] with explicit instructions on how to cancel a trial."

The former implies you can't do recurring payments where the initial payment was a non-capturing authorization. The latter implies, well, mastercard expects you to get an email from your vendor (e.g. your newspaper or whatever). I suppose said email could be as obtuse as "See website for subscription information".

From the article: "The rule change will require merchants to gain cardholder approval at the conclusion of the trial before they start billing".

It will be interesting to see what kind of scandalous language/tactics merchants will use to trick you into offering approval.

But how?

Asking the customer to confirm by call, text, or email

The first paragraph suggests you'll need to explicitly authorise the first payment.

The third paragraph suggests you'll just receive cancellation instructions before the first payment.

The former would be a massive improvement. The latter is similar to what most (sadly, not all) companies do already.

Not sure which is the case. Anyone got a better source?

Yes. This was my same thought. So what if they will send you instructions to cancel? As petilion (https://news.ycombinator.com/user?id=petilon) mentioned here (https://news.ycombinator.com/item?id=18927948) the instructions are designed to make you give up the cancellation process.

The right mechanism should be to request explicit authorization.

The whole credit card payment system is built on another legacy system (we have embossed letters on credit cards because of compatibility with a zip-zap machine!) so having explicit authorization consent for recurring payment is probably not going to be as easy as it seems. The last time payment industry tried to do something that resembles an explicit user consent, it resulted in the 3-D Secure system, which is horrendous and not even secure.

> The last time payment industry tried to do something that resembles an explicit user consent, it resulted in the 3-D Secure system, which is horrendous and not even secure.

Meanwhile, merchants in Europe are looking forward to the new Strong Customer Authentication rules under PSD2 that will come into effect later this year. At least it will be interesting to have hard data on how much damage that causes and whether the damage is worse than the cost of fraud it will supposedly prevent.

AFAIK the new Strong Customer Authentication will be based on 3-D Secure 2, which as far as I know is basically bundling a couple of existing verification methods (e.g. AVS, Address Verification System) under a new scheme and falling back to 3-D Secure authentication if the trust level isn’t met.

The issue is that, well, the whole scheme is designed to protect the merchant (via liability shift) and not the user, and we still have to trust the bank to “verify” us (might not be a big problem in EU, but in Asia it’s still common to have OTP code over SMS or even... a 6 digit passcode)

This is probably enforced at the policy level rather than systematic, like many other things in the credit card industry. The likely implementation of this is that the merchant will be liable for chargebacks if they can't prove that they've sent the consent email or text message.

Usually a recurring transaction has a different indicator flag set (ISO 8583 field 22, IIRC), and AFAIK is subject to a different liability profile than a standard e-commerce transaction. So I believe this has more impact on the merchant side than a customer.

Disclosure: I (used to) work in credit card payment industry. I have not read the details on this one, though.

And now all the companies will charge you 1 cent for the "free trial" so that the card can be "activated" and then refunded.

I see that already from many including our country's national rail company.
