How to lose customers without really trying...

re: How to lose customers without really trying...

Erling Paulsen — Fri, 16 Nov 2007 03:36:14 GMT

Whoa....

And they wanted you to EMAIL that info back to them?

Somebody needs a lesson in how secure emails are...

Pardon for the snailmail analogy, but anything you don't feel comfortable writing on a postcard should not be put in a email sent across da interwebs.

re: How to lose customers without really trying...

Tal — Fri, 16 Nov 2007 03:46:40 GMT

Actually, this sort of thing is SOP for a lot of retailers, and it's not really their fault. It's what the credit card companies/banks require.

If there is ANY discrepancy with a billing address, the card issuer will flag that account as a possible fraud. Sometimes they'll just put a hold on the account. In brick-and-mortars, they used to ask the retailer to hold the card if there were any fraud flags.

In order for the retailer in this case to continue to process the order in a way that makes the card issuer happy, they have to verify this information.

Given the huge amount of fraud for online retailers, and the fact that they're out a buttload of money in product and work time if they process fraudulent orders (since the card issuers won't actually pay them back for shipped fraud orders), there's no way any online retailer could survive if they didn't do stuff like this.

It sucks, but this is the cost of convenience.

/former card-processing wonk

re: How to lose customers without really trying...

LarryOsterman — Fri, 16 Nov 2007 04:07:51 GMT

In this case, there was no discrepancy. And Valorie offered the transaction # for several previous orders we've placed with them, that was not sufficient.

I wonder what the PCI rules say about asking for this kind of information...

Erling: They did offer to allow us to use PGP to encrypt the emails :).

re: How to lose customers without really trying...

Ian Smith — Fri, 16 Nov 2007 04:26:51 GMT

I have had similar problems ordering from abroad with DVD Empire and DVD Pacific - in one case this was in spite of having faxed the required information when I first placed orders with them. Apparently not placing an order for 12 months was enough for them to expect me to jump through hoops again.

I crossed ThinkGeek off my supplier list a long time ago when I found that unlike other US suppliers they only offer courier delivery and insist on printing this charge on the invoice. For simple t-shirts other companies will happily send Air Mail which typically takes less than a week for a fraction of the cost. In Think Geek's case I ordered three t-shirts and then had to pay more than twice the price I paid for t-shirt and courier delivery in import duty/VAT/and customs duty. If they'd sent by ordinary Air Mail none of this would have been chargeable. When contacted they had no interest in using Air Mail as so many of their competitors do. Bottom line: for those of us in the UK their t-shirts are about four times as expensive as advertised on their web site.

re: How to lose customers without really trying...

Roger Binns — Fri, 16 Nov 2007 04:49:33 GMT

Errr, if you were a bad guy trying to defraud them, how many minutes would it have taken in photoshop to come up with what they asked for? Just like DRM and security theater at the airport, this is the kind of thing that is trivially bypassed by the bad guys and greatly hinders the innocent.

re: How to lose customers without really trying...

Seb — Fri, 16 Nov 2007 05:35:26 GMT

Long ago, I worked for an e-commerce startup and dealt with some of this stuff.

In a lot of cases, the merchant may not care if you've made up the info you send in for verification. If they've gone through the trouble of verifying, they have a MUCH better chance of winning if a chargeback results. That's the real problem here -- if the merchant accepts a charge that turns out to be fraudulent and they haven't jumped through all of the hoops to verify that the charge is authorized (including contacting the cardholder and asking for more information), they're the ones who are going to eat the loss (including fees from the card issuer and the merchandise they shipped to a fraudster). Unless the card is actually physically present for the transaction (which is obviously impossible for online orders), the merchant is very likely to lose any chargeback represenation. Their only defense is if they've done the verification steps and "confirmed" that the charge was made by the cardholder. This costs a lot of online retailers an astounding amount of money. So there's a huge incentive to retailers to force you to verify this stuff. I'm surprised it happens as rarely as it does, to tell you the truth.

re: How to lose customers without really trying...

Alan De Smet — Fri, 16 Nov 2007 07:19:20 GMT

If you paid by credit card, I'd complain to your credit card company. Generally speaking credit card merchant agreements don't allow merchants to refuse valid cards. I'd do it not such much because you want to do business with Think Geek, but because if you don't push back, more and more companies will try this sort of game.

re: How to lose customers without really trying...

Matthew — Fri, 16 Nov 2007 07:22:08 GMT

Wow, that is absolutely ridiculous. Good for you for telling them to go to hell. I'd stop doing business with tme too.

re: How to lose customers without really trying...

JamesW — Fri, 16 Nov 2007 07:56:27 GMT

@Larry

'In this case, there was no discrepancy. And Valorie offered the transaction # for several previous orders we've placed with them, that was not sufficient.'

As everyone else said it's the card issuer that is causing this. There will be some magic cash value over which the retailer will need to get more proof of id. You did say that the order was substantial. It's a pain for the customer. It annoyed me when I had to fax a bunch of id proof to KLM when I was buying airline tickets. It really kills the convenience of buying online!

MasterCard offer merchants a service called SecureCode:

http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/

This redirects you to a MasterCard page during the transaction, and requests a password from the buyer before allowing the purchase. It works, but so few sites seem to use it that I struggle to remember what my password is!

'I wonder what the PCI rules say about asking for this kind of information.'

I am not familiar with US laws, but surely they can ask for whatever they like? You're equally free to refuse - as you did.

re: How to lose customers without really trying...

LarryOsterman — Fri, 16 Nov 2007 08:37:44 GMT

James, I often purchase items from other online vendors that have a higher value than this purchase and I've never been challenged in this manner.

Just last year, Valorie placed an order of comparable magnitude (slightly higher) and the didn't raise an eyebrow.

re: How to lose customers without really trying...

JamesW — Fri, 16 Nov 2007 10:31:06 GMT

@Larry

I would imagine that the limit depends on the merchant and what they're selling. Perhaps your purchase is higher than 95% of all purchases (say), then it gets extra scrutiny. I agree it's annoying, but the vendor isn't doing this for fun. If they don't do what the card issuer demands, then they lose out. Sure, they still lose out because you're not going to trade with them. It comes down to a choice:

Accept everything and lose $X due to fraud

Obey their master(card)s and lose $Y due to irked customers

if($Y < $X) {

obey_masters();

} else {

please_customers();

}

Aside. I bought an additional Operating System to run on my Mac Book Pro. I want to boot it natively and run it in a virtual machine. The vendor make me jump through hoops - something called 'Activation'. It's quite annoying. Should I buy their stuff again? ;)

re: How to lose customers without really trying...

Mike Dimmick — Fri, 16 Nov 2007 12:48:15 GMT

Never ever happened to me in the UK. Normally when ordering with a new supplier the goods have to go to the registered card address - sometimes the supplier insists that all goods go to the registered card address. But I've never had to, nor heard of having to, provide extra information like this.

Having goods sent to the registered address can be annoying - the card obviously is registered at my home address and of course I'm not at home during work hours. On one infamous occasion I bought TV equipment and the retailer is required to pass the delivery address to TV Licensing for them to confirm that there's a TV licence for that address (the BBC is funded from the TV licence). Unfortunately my card address didn't exactly match the address on my existing TV licence - because I couldn't actually enter the right address on their website - and I started getting demands for payment as I documented on my blog at http://mikedimmick.blogspot.com/2006/08/tv-licensing-has-serious-issues.html.

re: How to lose customers without really trying...

Clinton Pierce — Fri, 16 Nov 2007 20:51:13 GMT

A lot of the commenters are missing the point entirely. The point isn't whether TG is trying to protect consumers against fraud (the best possible spin on this), protect themselves against fraud, or even the horrific identity theft potentials that e-mailing this data has. The point is, THEY'VE LOST A CUSTOMER.

Larry's expectations are spot on. Provide some basic information to the vendor, and the transaction should happen. Anything else represents a complete failure of TG and the Credit Card company.

The CC company and the vendors have to (pardon my language) get their shit together, and figure out how to make this easy and secure. It's THEIR problem to solve, not the consumers. We can shop elsewhere...

----

In this instance, perhaps, the Credit Card Company can be provided with alternate shipping addresses through other channels (phone, the Card's web site, snail mail). The vendor can then query the card company, "Is address Y valid for shipping?" and a simple yes/no can be returned. Solves this problem nicely, and since most people don't ship to many addresses (home, office, and drop-shipping grandma's Christmas present) it's not a major inconvenience to register the new address.

Under this scheme, TG could have sent a note to Valorie saying "You'll have to register that shipping address with the credit card company, and then we can ship your order." And the onus of proof-of-shipping-address (one time only!) is put on the Credit Card Company who already holds most of Valorie's sensitive information anyway. Larry's wife calls, registers the address, and replies "Done" to ThinkGeek and her item ships. End of story.

This would require vendors to lobby the Card Company for changes in THEIR system, and not require outrageous procedures from the consumer.

re: How to lose customers without really trying...

john ludwig — Fri, 16 Nov 2007 20:57:19 GMT

i've had vendors pull this on me. as you are doing, i've always walked away. one has to wonder -- if the leading ecommerce sites on the planet, sites like amazon and dell, don't ever have to resort to these measures, why does some minor site feel that they have to?

re: How to lose customers without really trying...

Pierre B. — Fri, 16 Nov 2007 21:12:10 GMT

I must be very unknownledgeable about this, but how does having a copy of your electricity bill enable identity theft?

All the information on it, except your electricity consumption, is public knowledge (name, address, etc) and can be gathered by other means.

Do banks request your electricity consumption to identify you now?

re: How to lose customers without really trying...

LarryOsterman — Fri, 16 Nov 2007 21:19:01 GMT

As I understand it, with your electric bill and the information on the bill, you can apply for a credit card.

You can also register to vote, open a bank account, etc.

re: How to lose customers without really trying...

Dominic Cronin — Sat, 17 Nov 2007 00:42:28 GMT

Your response was correct.

re: How to lose customers without really trying...

ericgu — Sat, 17 Nov 2007 01:41:32 GMT

My two favorite lines:

At ThinkGeek we take your security and privacy very seriously.

We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek.

So, in the first case, does that mean that you will pay restitution if any information that you have about me is misused?

And in the second, exactly how is this protecting *me*? If this were a case of fraud, then it might be protecting the original holder of the card, but in that case, they wouldn't be getting the email, would they?

re: How to lose customers without really trying...

MS — Sat, 17 Nov 2007 03:57:32 GMT

I'm surprised -- you'd think that a company is all about geeks would "get it." I love the note about PGP keys, really convenient right?

re: How to lose customers without really trying...

Norman Diamond — Sat, 17 Nov 2007 09:36:26 GMT

Now you know why people turn off UAC. Now you know why the number of tourists to the US is dropping and the number of tourists to Japan is going to drop. Etc. I don't know a good solution to this, though I like some other commenters' suggestions (only a few, not all of them).

By the way, if credit card issuers require ThinkGeek to perform more rigorous security checking than they require of other retailers, then I wonder if ThinkGeek has been involved in more chargebacks, and I wonder why. Or maybe credit card hackers did a disproportionate amount of cheating ThinkGeek because the target was too well known and visible.

re: How to lose customers without really trying...

XL — Sun, 18 Nov 2007 13:58:35 GMT

>> identity thief would ask for

Well, here in many/most places you must allow a copy of your ID for credit card or other means of payment over a certain sum.

>>As I understand it, with your electric bill and the information on the bill, you can apply for a credit card. You can also register to vote, open a bank account, etc.

Your country has very sloppy security then. An electric bill should have the value of nil, being just a receipt released from a private company (not even a bank). Everyone can steal a bill from the post box..

re: How to lose customers without really trying...

Dean Harding — Mon, 19 Nov 2007 06:04:17 GMT

An electric bill, along with photo ID can be used to confirm your address (especially where the photo ID doesn't already have you address, like your passport). Generally, the electric bill by itself isn't enough.

re: How to lose customers without really trying...

Miral — Mon, 19 Nov 2007 08:52:51 GMT

I frequently get things shipped to a US address (which is definitely not my registered address -- I'm in NZ); usually when buying from somewhere that refuses to ship internationally. (I have a friend in the US who is happy to re-ship items.)

I've never yet had anyone question me on the address. Even when I fill in my NZ address in a form that doesn't offer country selection (or only offers US/Canada) :)

Think Geek Responds

Larry Osterman's WebLog — Mon, 19 Nov 2007 22:19:37 GMT

Valorie just received the following email from Think Geek ( in response to our previous issue with them

Think Geek Responds

Noticias externas — Mon, 19 Nov 2007 23:08:00 GMT

Valorie just received the following email from Think Geek ( in response to our previous issue with them