GameStop, Other Retailers Subpoenaed Over Credit Card Information Sharing
New York State's Attorney General, Andrew Cuomo, has subpoenaed a number of online retailers, including GameStop, Barnes & Noble, Ticketmaster and Staples, over the way they pass information to marketing firms while processing transactions. MSNBC explains the scenario thus: "You're on the site of a well-known retailer and you make a purchase. As soon as you complete the transaction a pop-up window appears. It offers a discount on your next purchase. Click on the ad and you are automatically redirected to another company's site where you are signed up for a buying club, travel club or credit card protection service. The yearly cost is usually $100 to $145. Here's where things really get smarmy. Even though you did not give that second company any account information, they will bill the credit or debit card number you used to make the original purchase. You didn't have to provide your account number because the 'trusted' retailer gave it to them for a cut of the action." While there is no law preventing this sort of behavior, Cuomo hopes the investigation will pressure these companies to change their ways, or at least inform customers when their information might be shared.
There may be no law against it, but how does it comply with PCI security requirements? Shouldn't those companies be losing their permission to accept credit cards?
without authorization it is credit card fraud among other things that a DA will throw at me. If a business gives my information to a third party and the third party charges my credit card then that's just sharing? I need to start up a couple of businesses.
open source sub sim. I might start coding again for this. http://dangerdeep.sourceforge.net/contribute/
Apparently social gaming is a great business model for this kind of crap. The mentioned retailers get you after you make your purchase but when you need more resources in Farmville or Mafia Wars on Facebook:
In games like Mafia Wars, Farmville, YoVille and Vampires Live, you know, some of the major sources of all those garbage announcements cluttering up your Facebook, players compete to complete missions and level up. By leveling up, you can complete more difficult missions and fight off weaker opponents. You can wait for your various energies to regenerate naturally over time, or you can purchase with real money in-game boosts. Or, you can complete various lead generation offers, many of which are of the "answer page after page of questions and opt in and out of receiving various kinds of spam" variety. Some of them install malware and adware that is impossible to remove. And some of them secretly subscribe you to monthly recurring $9.99 credit card charges.
Don't ever put your credit card information into Facebook or a Facebook app. Social Media is rife with crap like this. Right about now we should be asking when we'll get to see the findings in the federal probe that set out to address shoddy "business practices" like this and what is being done about it now that we know about it?!
My work here is dung.
Both VISA and Mastercard have very explicit regulations on data sharing, and how 'Cross Sales' are conducted: they both prohibit it in their merchant agreements.
VISA is somewhat lax on its enforcement, preferring to take a case-by-case approach if there is abuse; however, it has been cracking down significantly on this type of behavior of late: http://corporate.visa.com/media-center/press-releases/press969.jsp
Mastercard will fine and terminate merchants it finds passing CC information between third parties. Fines normally start at 25k per offense.
The storage of CC data is another highly regulated procedure. 'Normal' merchants are prevented from storing CC data, and to even handle it, normally have to become PCI-compliant.
The storage of CVV data is very, very regulated - You have to have PCI-level 3 compliance - something typically reserved for merchant processors themselves.
To say that no regulation exists is somewhat uninformed.
However, even with the above all in place, as these guys are all using merchant accounts, they're going to see all the CC/CVV information in the flux; as presented by the article, it's very common to use this data, if the merchants can 'stay under the radar'.
Actually, it can affect you if you don't click the popup too.
It's a major scam, and it's not necessarily a popup.
You click "Continue" on your transaction, and the site summarizes your order. Then instead of a continue button, you have a big button that says "Place order - and get 10% off your next!". What you don't see, hidden in the fine print, is a link that says "No thanks - just place my order".
Or, after you place your order, on the thank you page, it'll have a blurb saying "Special offers for your next order" with "Save 10% off your next order!". Hell, the craftier ones put a 10% off discount on your order automatically, and a link hidden at the bottom saying "No, I don't want the discount".
The nastiest ones though are the ones that require no clicking at all - you've done your order, you close the browser while inadvertently NOT clicking the "No" link. By closing the window and not declining, you're signed up anyway. Hell, I bet half of them exist in the terms and conditions of sale, and people blindly check the box saying they agree.
Basically, unless you read every word of every screen, it's impossible to not inadvertently do it. It's a huge scam and everyone's hiding behind the fine print. And the fact that people love getting discounts, so a 10% off the next order would be valuable.