Slashdot Mirror


GameStop, Other Retailers Subpoenaed Over Credit Card Information Sharing

New York State's Attorney General, Andrew Cuomo, has subpoenaed a number of online retailers, including GameStop, Barnes & Noble, Ticketmaster and Staples, over the way they pass information to marketing firms while processing transactions. MSNBC explains the scenario thus: "You're on the site of a well-known retailer and you make a purchase. As soon as you complete the transaction a pop-up window appears. It offers a discount on your next purchase. Click on the ad and you are automatically redirected to another company's site where you are signed up for a buying club, travel club or credit card protection service. The yearly cost is usually $100 to $145. Here's where things really get smarmy. Even though you did not give that second company any account information, they will bill the credit or debit card number you used to make the original purchase. You didn't have to provide your account number because the 'trusted' retailer gave it to them for a cut of the action." While there is no law preventing this sort of behavior, Cuomo hopes the investigation will pressure these companies to change their ways, or at least inform customers when their information might be shared.

20 of 117 comments

  1. PCI? by harlows_monkeys · · Score: 5, Interesting

    There may be no law against it, but how does it comply with PCI security requirements? Shouldn't those companies be losing their permission to accept credit cards?

    1. Re:PCI? by ducomputergeek · · Score: 4, Informative

      Depends on who is actually running the charge. If it's B&N, for instance, who runs the transaction and then gives the $$$ to the 3rd party minus B&N's kickback, then there is really nothing there against PCI rules. If B&N is giving the 3rd party client all the card info, then there could be some problems. But even then, the big no-no is how the CVV code is handled. So long as it isn't stored anywhere outside of RAM and that it is discarded once the transaction is made, the PCI folks don't give a damn as far as I can tell.

      I'll give an example. We run a system where each one of our merchants has their own processing account. Usually we charge the merchant a flat annual hosting fee, but some of our clients wanted to move to a different model where we added in a $1.00 per order service fee to their customers instead of paying the annual rate. Our clients cited the economy, blah, blah, blah, and it's not something we wanted to do, but it was either that or lose the revenue from that client period. So we basically run the card twice, once under our gateway for the $1.00 fee, then again under the merchant's gateway for the total bill.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    2. Re:PCI? by L4t3r4lu5 · · Score: 5, Informative

      They've lost permission to accept my credit card. I'll shop elsewhere from now just for thinking that I'd allow this, regardless of restitution and new legal protections.

      FALITFA ( http://www.ag.ny.gov/media_center/2010/jan/jan27a_10.html ): Barnes & Noble, Orbitz.com, Buy.com, Ticketmaster.com, MovieTickets.com, FTD.com, Shutterfly.com, 1-800Flowers.com, Avon.com, Budget, Staples.com, Priceline.com, GMAC Mortgage, Classmates.com, Travelocity, Vistaprint, Intelius, Hotwire.com, Expedia/Hotels.com, Columbia House, Pizza Hut and Gamestop/EB Games were subpoenaed.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:PCI? by Hognoxious · · Score: 3, Interesting

      Is the customer informed of this charge before completing the sale? It seems to me that the honest and transparent thing to do would be to add the service fee to the price.

      I like to know what I'm paying for, and how much I'm paying for it. I don't think that's unreasonable. Even airlines[1], who are notorious for adding x number of random surcharges to the advertised price give you an itemised breakdown before you commit.

      [1] I mean reputable ones, not Sleazyjet or Tryonair.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    4. Re:PCI? by Anonymous Coward · · Score: 3, Informative

      Depends on who is actually running the charge. If it's B&N, for instance, who runs the transaction and then gives the $$$ to the 3rd party minus B&N's kickback, then there is really nothing there against PCI rules. If B&N is giving the 3rd party client all the card info, then there could be some problems. But even then, the big no-no is how the CVV code is handled. So long as it isn't stored anywhere outside of RAM and that it is discarded once the transaction is made, the PCI folks don't give a damn as far as I can tell.

      Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh!!!!

      There, you just made a PCI auditor scream. Are you happy?

      If you have full card numbers that is the problem. There are 3 levels of CC data and they get more valuable as their completeness increases. CC#, CC# + CCV, Full Stripe. Full stripe is the most valuable as then you can print new cards. Also if you have ever had the strip on your card not work and had the cashier just punch in the # by hand (ever seen them put in a CCV after they punch in the #?) you know that just a printed card with a "bad" stripe and fake CCV will work at some stores.

      All 3 of these MUST BE ADEQUATELY PROTECTED! If your PCI folks only care about CCV... Punch them in the junk for me and for your upper mgmt.

    5. Re:PCI? by Lumpy · · Score: 3, Informative

      by taste.

      --
      Do not look at laser with remaining good eye.
    6. Re:PCI? by fatalwall · · Score: 3, Informative

      Actually he is asking for them to provide information on the method that performs this action. Because it might be implemented in a way that IS illegal.

      Part of his job is to sniff out organizations or businesses that appear fishy. Then to request information in regards to it or subpoena it if they refuse and it's fishy enough.

      They do the same thing all the time to the phone companies when they hear of a practice that does not seem on the level.

  2. So if I use some one else's credit card by ImNotAtWork · · Score: 5, Interesting

    without authorization it is credit card fraud among other things that a DA will throw at me. If a business gives my information to a third party and the third party charges my credit card then that's just sharing? I need to start up a couple of businesses.

    --
    open source sub sim. I might start coding again for this. http://dangerdeep.sourceforge.net/contribute/
    1. Re:So if I use some one else's credit card by Hognoxious · · Score: 3, Insightful

      I disagree. If I authorize a 20 buck one-off charge on whatever.com, I'm not authorizing a 30 buck per month charge from somethingelse.com, whatever the small print says. Just because it's there doesn't make it enforceable.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:So if I use some one else's credit card by Svartalf · · Score: 3, Insightful

      Yes. I strongly suspect that these things fall under "bait-and-switch" laws on the books.

      Just because you agreed to it doesn't make the "it" any less fraudulent.

      The main problem is...for many, "illegal" really means it's against the law if you're caught out doing it and someone calls you on it.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  3. Legal but dishonest by Shrike82 · · Score: 3, Interesting
    From TFS:

    While there is no law preventing this sort of behavior

    Well that, right there, would appear to be a fairly large gap in the legal system. Common sense, decency and good old fashioned right and wrong clearly indicate that there should be a law against this. It reminds me of a scam that a site called RedSave.com ran in the UK. Hidden way, way down in the tiny small print of their Terms and Conditions when you made a purchase was a line that stated "We will charge you £20 every month unless you contact us to opt out". Apparently this isn't against the letter of the law, but it sure as hell isn't a good business practice and isn't in the interests of the consumer. It, and the situation from TFA, are examples of cynical, money-grabbing exploitation of customers. One can only hope that a sensible judge has the balls to come down really hard on them, discouraging others from trying these sorts of practices in the future.

    --
    You can advertise in this sig from as little as £99.99 a month!
    1. Re:Legal but dishonest by Archon-X · · Score: 5, Informative

      Both VISA and Mastercard have very explicit regulations on data sharing, and how 'Cross Sales' are conducted: they both prohibit it in their merchant agreements.
      VISA is somewhat lax on its enforcement, preferring to take a case-by-case approach if there is abuse, however has been cracking down significantly on this type of behavior of late: http://corporate.visa.com/media-center/press-releases/press969.jsp

      Mastercard will fine and terminate merchants it finds passing CC information between third parties. Fines normally start at 25k per offense.

      The storage of CC data is another highly regulated procedure. 'Normal' merchants are prevented from storing CC data, and to even handle it, normally have to become PCI-compliant.
      The storage of CVV data is very, very regulated - You have to have PCI-level 3 compliance - something typically reserved for merchant processors themselves.

      To say that no regulation exists is somewhat uninformed.

      However, even with the above all in place, as these guys are all using merchant accounts, they're going to see all the CC/CVV information in the flux; as presented by the article, it's very common to use this data, if the merchants can 'stay under the radar'.

  4. For once ... by nospam007 · · Score: 3, Insightful

    ... it seems like PayPal looks good in comparison.

    1. Re:For once ... by Lumpy · · Score: 3, Informative

      Actually they do offer one great function. One time use credit card numbers. These completely bypass any scumbag tricks like this. The credit card number I give a site is good for only the amount I set the number for. PayPal had this feature 3 years ago and I used it on a lot of "iffy" sites. http://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/account/VDCFrequentlyAskedQuestions-outside

      They call it the virtual debit card.

      --
      Do not look at laser with remaining good eye.
  5. Social Games and the Federal Probe by eldavojohn · · Score: 5, Informative

    without authorization it is credit card fraud among other things that a DA will throw at me. If a business gives my information to a third party and the third party charges my credit card then that's just sharing? I need to start up a couple of businesses.

    Apparently social gaming is a great business model for this kind of crap. The mentioned retailers get you after you make your purchase but when you need more resources in Farmville or Mafia Wars on Facebook:

    In games like Mafia Wars, Farmville, YoVille and Vampires Live, you know, some of the major sources of all those garbage announcements cluttering up your Facebook, players compete to complete missions and level up. By leveling up, you can complete more difficult missions and fight off weaker opponents. You can wait for your various energies to regenerate naturally over time, or you can purchase with real money in-game boosts. Or, you can complete various lead generation offers, many of which are of the "answer page after page of questions and opt in and out of receiving various kinds of spam" variety. Some of them install malware and adware that is impossible to remove. And some of them secretly subscribe you to monthly recurring $9.99 credit card charges.

    Don't ever put your credit card information into Facebook or a Facebook app. Social Media is rife with crap like this. Right about now we should be asking when we'll get to see the findings in the federal probe that set out to address shoddy "business practices" like this and what is being done about it now that we know about it?!

    --
    My work here is dung.
    1. Re:Social Games and the Federal Probe by jimthehorsegod · · Score: 3, Insightful

      Don't ever put your credit card information into Facebook or a Facebook app.

      Well, no - but I'm no more likely to do that than I am to put my genitals in a meat grinder... I'm amazed that anyone would

  6. What we've known for years.. by goldaryn · · Score: 3, Insightful

    Wow, that's incredible. I find popups and popunders very invasive, so for years I haven't clicked them on principle. I had no idea that it had gotten this far.

    I'm going to print off this article (I suggest you do the same) and find the dopey people that I know (the ones who use IE and think sending chain emails is a good idea), thrust it to them and say: "Don't... click... popups!". If that doesn't wake them up, nothing will..

    If anyone is interested, I posted the other day about the marvels of Privoxy, which stops a lot of ads, irrespective of browser.

  7. Smarmy? by YourExperiment · · Score: 4, Informative

    Here's where things really get smarmy.

    Excuse me?

    Smarmy: unpleasantly and excessively suave or ingratiating in manner or speech

    Perhaps the word you were looking for is one of: deceptive, devious, underhand, sneaky, execrable, abhorrent, hateful, annoying, irritating, enraging, infuriating or inexcusable?

    It's hard to believe that this practice is legal. I give my credit card details to one company, and it becomes perfectly legal for them to sell these details to a completely unrelated third party, simply because I clicked on an advert on a web site?

  8. Yay! by sesshomaru · · Score: 3, Interesting

    This is the best news I've heard in a while. I do tech support for a local Buddhist temple, which has some staff authorized to use corporate credit cards to buy supplies for the temple.

    Well, more than once I've been called in to help out with the mysterious charges on their credit cards, and it's always because of this scam. These people are both good-hearted and completely unsophisticated, they see someone offering a discount they don't question it. (Recently these scam artists had to change up their fine print so it's easier to read due to lawsuits in other states.)

    The worst thing is it's semi-reputable companies destroying their brands for the sake of getting $10 a month charges out of grandma's checking account. I mean Barnes and Noble? I used to work for them, I can't believe they've sunk this low.

    --
    "MIT betrayed all of its basic principles."
  9. Re:So let me see if I have this right.... by tlhIngan · · Score: 5, Informative

    "As soon as you complete the transaction a pop-up window appears. It offers a discount on your next purchase. Click on the ad...." So this is something that affects only people dumb enough to click on pop-ups, while those of us with either blockers or the brains to close pop-ups like this when they open are not affected? Internet darwinism at work and working as intended imo.

    Thanks- I was hoping someone would point this out, and I agree with you. It's sad commentary that today's consumers still don't approach every purchase expecting to get burned. Now, before anyone gets up in arms over that statement, let me explain: I don't agree it *should* be this way, but I know that it *is* this way and protect myself accordingly.

    Actually, it can affect you if you don't click the popup too.

    It's a major scam, and it's not necessarily a popup.

    You click "Continue" on your transaction, and the site summarizes your order. Then instead of a continue button, you have a big button that says "Place order - and get 10% off your next!". What you don't see, hidden in the fine print, is a link that says "No thanks - just place my order".

    Or, after you place your order, on the thank you page, it'll have a blurb saying "Special offers for your next order" with "Save 10% off your next order!". Hell, the craftier ones put a 10% off discount on your order automatically, and a link hidden at the bottom saying "No, I don't want the discount".

    The nastiest ones though are the ones that require no clicking at all - you've done your order, you close the browser while inadvertently NOT clicking the "No" link. By closing the window and not declining, you're signed up anyway. Hell, I bet half of them exist in the terms and conditions of sale, and people blindly check the box saying they agree.

    Basically, unless you read every word of every screen, it's impossible to not inadvertently do it. It's a huge scam and everyone's hiding behind the fine print. And the fact that people love getting discounts, so a 10% off the next order would be valuable.