Back Order site collecting credit card CVC - Domain Names forum at WebmasterWorld - WebmasterWorld

Forum Moderators: buckworks & webwork

Message Too Old, No Replies

Back Order site collecting credit card CVC

How are they getting away with this?

john_k

2:00 pm on Jul 28, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

I haven't used my account at a certain domain back order company for about 6 months. I logged in very early this morning and was prompted to update my account by providing credit card information. One of the fields of information was the CVC code from the back of the card. That would be the one from which merchants are expressly forbidden from storing.

I wasn't making any purchase. Hadn't tried to back order any domain. I hadn't even done a search for a domain name. I can only presume that they intended to store the CVC number.

This isn't a small back order company. It is a large, well known company. One that is also tied to a large (very large) domain registrar.

Has anyone else run into this and thought it was contrary to Visa and MasterCard contracts? If anyone in the know reads this, are they actually storing that CVC?

I sent an email to them asking if/why they were collecting the CVC, but I have not yet received any reply.

[I am assuming that it is not okay to mention the actual name of the company. Webwork - if it is okay please say so and I will post the name as that might help]

gpmgroup

2:50 pm on Jul 28, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

I was issued with a new credit card (old one had expired). I received an email from a very large payment processing company requesting I update my details for no interruption of service. When I added the new details I was asked for the CVC code even though I wasn't making a transaction at the time.

So they must be storing it too or they required it to validate the other new details.

nativenewyorker

4:32 pm on Jul 28, 2005 (gmt 0)

10+ Year Member

They may not be storing the CVC, but putting a temporary authorization on your card for a small amount like a dollar. That way, they can authenticate that card number for future use without storing your CVC or requesting your CVC when they auto-bill you.

john_k

4:40 pm on Jul 28, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

I had thought about it, and that is about the most benign use I could think of. However, I would guess that even that is against card issuer policies. The Authorization reduces your available credit. So even for a dollar or a few pennies, they should, at a minimum, put a notice on the page that this is what they are doing. Otherwise they are effectively issueing a transaction against your card without your permission.

Also, I didn't mention in my original post that I tried entering a bogus CVC number and it was rejected. So they are definitely doing this at a minimum. (I don't think that there is a transaction type just for verifying a card)

I still haven't gotten a response back from them - If/when I do receive one I will post any relevant information.

john_k

3:56 am on Jul 29, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Okay, I received a response from them. They are doing as nativenewyorker suggested and running a $1.00 authorization to verify the card info. Apparently, when you are creating a new account, there is some type of explanation to this effect. However, if you have an existing account that never had the CC info cached, the page doesn't have this notice. They have promised to remedy this and add the notice.

Thanks for everyone's input.