Credit Card Validation

MitchellO · 08-11-2008, 06:37 PM

I ordered a new screen from the MP3Car store last night, and this morning I have an email asking me to send in a verification form for the credit card I used.

Last time I ordered stuff from MP3Car (about 8mths ago) I never got such an email. I don't see why it is necessary for me to send photocopies of my licence and credit card.

I'm using American Express, who have many checks and balances in place to prevent fraud, and I've never been required to submit private documents to an online store to have my payment processed.

Can someone please explain why I received this email?

Quote:

Thank you for your first order. Per standard policy we ask that with your first international order you complete a credit card authorization form. Please fill out the form completely, found at http://www.mp3car.com/store/cc_auth.html and upload it to http://www.mp3car.com/sendfile.html.

Please make sure to complete the entire form, so that we can process your order right away!

Your credit card information will be safe and secure, viewed only by the Mp3Car staff. Your credit card information will be used solely for the purpose of verifying your credit card information and order request.

Thank you in advance for you assistance. We look forward to meeting your car computing needs!

Heather
Mp3Car Manager

It's not my first order from you guys anyway, it's my second.

ODYSSEY · 08-11-2008, 09:03 PM

I think their form is in violation of Visa/Mastercard agreements.
I am not sure about Amex. But for Visa/Mastercard you can not require a form of ID as a requirement for accepting a card.

I am guessing they are trying to cut down on fraud/chargebacks, mainly international.

I would just send the form, but without a copy of the ID or card. But I question how secure their file send page is. They should also remove the instructions telling customers to EMAIL a scanned copy, as that is VERY insecure.

They should be using AVS and VCodes.

MitchellO · 08-11-2008, 09:07 PM

Exactly my point, the credit card companies are supposed to provide the protection, not some scanned form that has to be sent through an unknown channel. This is the security info for that page:

I still want to purchase my screen from MP3Car, but I won't be sending an insecure form with my personal information on it.

MitchellO · 08-12-2008, 09:01 AM

Still heard nothing.

MitchellO · 08-12-2008, 10:59 PM

Come on guys, what going on?

NiSlo · 08-12-2008, 11:57 PM

Interesting. I've bought stuff from the store before and it was never a problem. It' obviously a new thing.

I'd suggest replying to Heathers email directlty

MitchellO · 08-13-2008, 12:37 AM

I did, no response there yet

Heather · 08-13-2008, 12:08 PM

MitchellO - i have not seen an email from you at store@mp3car.com, otherwise I would have responded sooner.

Mp3Car has requested credit card authorizations from customers for years in order to decrease the number of fraudulent order we receive. Please understand tha we receive fraudulent orders daily.

Without getting into the details of how we process credit cards, it is at times necessary for us to have the documentation we requested from you. I am the only one that sees this documentation and you upload it to a secure location.

If you had placed another order, I either missed this information, or you used a new account, in which case I was unaware that you had ordered from us before.

This is a really important thing for us to do, in order to protect our customers as well as ourselves. If we do not do this, we risk loosing thousands each month to fraud.

Heather

Heather · 08-13-2008, 12:16 PM

Quote: Originally Posted by ODYSSEY

I think their form is in violation of Visa/Mastercard agreements.
I am not sure about Amex. But for Visa/Mastercard you can not require a form of ID as a requirement for accepting a card.

I am guessing they are trying to cut down on fraud/chargebacks, mainly international.

I would just send the form, but without a copy of the ID or card. But I question how secure their file send page is. They should also remove the instructions telling customers to EMAIL a scanned copy, as that is VERY insecure.

They should be using AVS and VCodes.

Hmm, okay I will look into this. We were advised to do this, and no credit card company has complained when we submit this information, in fact they have not taken an authorization without both a picture id and a credit card.

DarquePervert · 08-13-2008, 01:46 PM

Having dealt with retail software & credit card processing, it sounds to me like the mp3car.com store is woefully behind the times in that area.

Honestly, I'd hate to see your per-transaction fees. I'm willing to bet they're comparatively through the roof.

MitchellO · 08-14-2008, 10:14 PM

I replied to the email address the verification request originated from, carnetix@mp3car.com

I didn't use a new account, I used the same one I used previously. I haven't received one of these requests before, and if they is now a requirement to purchase items from MP3Car I will have to cancel my order and purchase elsewhere. I have no faith in the security of the submission form, and will not be sending the documents requested. I have never had to do this on any other online store.

EDIT: I would like to cancel my order please, I'm not interested in messing around with this stuff.

HiJackZX1 · 08-15-2008, 01:56 AM

Never in my life have I heard of this before. The implications that can be caused to the buyer are enormous. Image if some sleezy worker gets his hand on this info and then takes the persons identity. I use VISA with my transactions and have never heard of such a thing. I have also bought from MP3Car and never had to do that. Why do you think they make the security code numbers on the back of the card. Also that is why they have voice authorization, sounds like MP3Car is to lazy to pickup the phone and do a voice authorization. It seems like the MP3Car is digging themselves into a deep hole with all the bad customer service and now this. If I had to do this I would feel like I'm a person trying to prove I'm no criminal. I work at a HOTEL and we take in a ton of international authorizations, which we verify over the phone, and or through the credit card terminal with our merchant services provider. Only time we ever ask for an ID is if the person is making a reservation on someone Else's behalf and will be taking care of all the charges, but not be present.

2k1Toaster · 08-15-2008, 02:24 AM

Just to defend a bit, I have seen this and do this on a daily basis.

I deliver chinese food for a small family owned restaurant. All delivery orders that pay with credit card we run through the machine by typing it in manually. Credit Card company policy says that if you manually type in the numbers and expiration date rather than physically swiping the card through the reader, if there is a dispute over the charge you lose unless you have a copy of the card. So we type in the number, charge goes through. We make the food and I deliver it. They eat it, then call the credit card company and say "I never ordered food", credit card company reverses the charge. We are out food, my time, and money unless we can proove it. Only acceptable proof by the credit card company for us is a imprint on special paper the bank distributes. Those oldschool machines that you put the card in and the carbon paper ontop, and roll the bar over and it makes an imprint. That thing. Yes I have to carry that with me on every delivery because of fraud. If we didnt do the imprint, we would loose a lot. There are a lot of dishonest people here that will scam anyone. Happens to lots of people, but this is a way to prevent it. To us it doesnt happen anymore since we started swiping, but even before it was like $50 lost. I can imagine that a big ticket item on the mp3car store would really hurt if it was stolen (which essentially is what happens when you take it and then say you never ordered it).

So it really isnt a big deal, if you feel it is unsafe, send the proof in by certified mail or something.

ODYSSEY · 08-15-2008, 03:24 AM

Quote: Originally Posted by 2k1Toaster

Just to defend a bit, I have seen this and do this on a daily basis.

I deliver chinese food for a small family owned restaurant. All delivery orders that pay with credit card we run through the machine by typing it in manually. Credit Card company policy says that if you manually type in the numbers and expiration date rather than physically swiping the card through the reader, if there is a dispute over the charge you lose unless you have a copy of the card. So we type in the number, charge goes through. We make the food and I deliver it. They eat it, then call the credit card company and say "I never ordered food", credit card company reverses the charge. We are out food, my time, and money unless we can proove it. Only acceptable proof by the credit card company for us is a imprint on special paper the bank distributes. Those oldschool machines that you put the card in and the carbon paper ontop, and roll the bar over and it makes an imprint. That thing. Yes I have to carry that with me on every delivery because of fraud. If we didnt do the imprint, we would loose a lot. There are a lot of dishonest people here that will scam anyone. Happens to lots of people, but this is a way to prevent it. To us it doesnt happen anymore since we started swiping, but even before it was like $50 lost. I can imagine that a big ticket item on the mp3car store would really hurt if it was stolen (which essentially is what happens when you take it and then say you never ordered it).

So it really isnt a big deal, if you feel it is unsafe, send the proof in by certified mail or something.

I understand the requirement for imprint on manual transactions. In fact, 60% of my customers pay by credit card and 60% of those are manual (phone/Internet).

I have no problem with someone making a imprint of my card, but IMHO that credit card authorization form should include the items sold (or at minimum the order number) and total price. If you wanted to (or a bad employee) you could charge my credit card for anything, then when I file a charge back, all you need to do is produce that form.

The issue is you can not refuse a transaction if the card holder refuses to provide ID. It is in VISA/MC merchant agreement. I believe AMEX and Discover are the same, but I would have to check.

The next issue is the send file page is not on a secure server. So how secure really is it? The file is not even keep/sent on mp3car's servers, but yet uses "https://www.sendthisfile.com/"

Another issue is that mp3car suggests emailing the form to them. That is very unwise for both the customer and mp3car.

Also, mp3car should follow up orders than need more verification with a phone call and not just an email pointing to the form.

DarquePervert · 08-15-2008, 07:53 AM

Quote: Originally Posted by 2k1Toaster

Just to defend a bit, I have seen this and do this on a daily basis.

I deliver chinese food for a small family owned restaurant. All delivery orders that pay with credit card we run through the machine by typing it in manually. Credit Card company policy says that if you manually type in the numbers and expiration date rather than physically swiping the card through the reader, if there is a dispute over the charge you lose unless you have a copy of the card. So we type in the number, charge goes through. We make the food and I deliver it. They eat it, then call the credit card company and say "I never ordered food", credit card company reverses the charge. We are out food, my time, and money unless we can proove it. Only acceptable proof by the credit card company for us is a imprint on special paper the bank distributes. Those oldschool machines that you put the card in and the carbon paper ontop, and roll the bar over and it makes an imprint. That thing. Yes I have to carry that with me on every delivery because of fraud. If we didnt do the imprint, we would loose a lot. There are a lot of dishonest people here that will scam anyone. Happens to lots of people, but this is a way to prevent it. To us it doesnt happen anymore since we started swiping, but even before it was like $50 lost. I can imagine that a big ticket item on the mp3car store would really hurt if it was stolen (which essentially is what happens when you take it and then say you never ordered it).

So it really isnt a big deal, if you feel it is unsafe, send the proof in by certified mail or something.

I know about the "knuckle-buster" units, and have had to provide them to clients when their electronic processing was down.

Understand that delivering Chinese food is one thing. The low-end of credit card processing is very simple, using one of those dial-up units where you punch in the CC number. There's probably a swipe slot for walk-in customers.
The delivery-person has no way of knowing whether the card is stolen or fraudulent or not. They deliver the General Tso Chicken, get the card imprint, and leave, hopefully with a nice tip.

However, we're talking about a technology company with an online CC processing system integrated into their web-based store. Every online CC processing system I've seen uses multiple layers of verification, including ZIP code and CVV code. The idea that they require a copy of the card & a photo ID is pretty ridiculous in this day and age, even for international orders.
Shoot, many gas stations require you to punch in your ZIP code for verification, just to make sure the card isn't stolen.
CC fraud and ID theft is so common anymore, that it's necessary for the protection of both the merchant and the consumer. So the developers respond and add layers of security to their systems.

Or maybe it's NOT integrated into the store, and some flunkie has to manually authorize each CC charge on one of those budget units.... If that were the case, I'd lose what little respect I have for the mp3car management that I retain. That would be nothing short of pathetic.

User Name		Remember Me?
Password