This week’s massive security breach of Target’s database caused me to pay extra attention to my credit card purchases. I found fraudulent charges, but I don’t know if the root cause is the Target breach or something else. If your company accepts credit card payments online, there is a lesson for you in how you should treat your customers. If you accept credit cards for automatic monthly payments, what happens when a card is denied? Do you help the customer or punish the customer?
I have been inconvenienced in two ways today. My time has been wasted. First, I had to spend time with American Express getting charges removed from my bill. Every Saturday I use Quicken to check all of my balances, which were $1,000 over my expectations. I had fraudulent charges of $499.95 from steampowered.com and $498.98 from steamgames.com, which appear to be the same company. I have no evidence good or bad about that company’s antifraud procedures and they are not the subject of this post. There were also three temporary authorizations of $1.06 each to McAfee in Plano, TX which I reported as fraud.
The real inconvenience began after reporting the fraudulent charges to American Express who has done a great job detecting fraud. I have seven preauthorized payments linked to my American Express card. That’s where your company comes in. Credit card fraud is a fact of life. So are preauthorized automatic monthly payments made by credit card. Sooner or later, your customers are going to have to change the credit card number because of fraud. Think through this carefully. Your company isn’t in any way responsible for the credit card fraud. The customer chose to use a particular card number to pay you. If the customer ends up having to change the payment method through absolutely no fault whatsoever of your company, is it your problem? It is because whenever your customer has a problem, so do you.
Let’s begin with my insurance company. I have three insurance policies with them, all billed to my credit card. I wasn’t able to change the payment method once. I had to change the payment method for each policy. Sure, it’s not their fault that my credit card was stolen, but they made me do extra work to fully change payment methods. My internet provider accepted my change of credit card, but informed me that it would apply to the next bill and that I needed to pay the current bill (due in about 2 weeks) if I wanted a different payment method. So, I had to enter the new credit card number twice. AT&T’s bill is due about the same time, but the change I made at AT&T’s website went into effect immediately. I didn’t have to do the extra work that the cable provider requires. But AT&T, although deserving of an honorable mention, isn’t the customer service winner. The clear winner is the Harris County Toll Road Authority. Although I did login to my account and change the method of payment, I didn’t actually have to. I could have done nothing and been fine, which is why they are the clear winner head and shoulders above the rest. If I am on vacation, I’d like to have the luxury of time to deal with the problem upon my return home.
The reason I could have done nothing is because the Harris County Toll Road Authority provides a means to enter a second payment method. If I had done nothing, the next month’s charge would have been denied on the AMEX card, which would then cause the system to try the second card on file for the payment. Why is this so important? Because we’re talking about charges levied by insurance companies, utilities, and government agencies. If your card is denied and you are on vacation, in the hospital, deployed in the military fighting terrorists, or your spam filter is a little too aggressive, you might miss the notice that your payment was denied. Credit card fraud can begin a cascade of steps resulting in you paying late fees or in a worst case scenario, having your utilities cut off, your insurance terminated, or your car impounded. When I shop for an electric service provider, my current provider goes to the bottom of the list because they don’t offer a backup payment method. They aren’t obligated to do so, they are meeting levels of service that are the norm today and they are within their rights not to provide a backup payment mechanism. But I want to minimize the risk of my electric service being terminated after my credit card is cancelled because of fraud. Depending on the nature of the fraud, the credit card company may terminate the card on their initiative and you might not know this immediately. That’s why backup payment plans matter.
If you manage databases for your company, good security practices can help minimize risks. If you are storing credit card data in SQL Server, you need to implement strong security procedures and policies. Use BitLocker for drive level encryption. Use Transparent Data Encryption for database level protection. Configure your SQL Server 2008 or SQL Server 2012 for FIPS 140-2 certification. Run the SQL Server Best Practice Analyzer for 2012 or 2008 R2.
If you are in the United States and use credit cards, you can get a free credit report once a year. Visit the Federal Trade Commission website for the facts http://www.consumer.ftc.gov/articles/0155-free-credit-reports. You can get one free credit report per vendor per year and there are three vendors. I recommend getting a free report from one vendor, wait 4 months and get a free report from another vendor, wait 4 months and get a free report from the remaining vendor. By staggering your requests in this manner, you can end up with a free credit report every 4 months. It seems like a better idea than requesting from all three vendors at the same time. Married couples can alternate between spouses if credit is being reported jointly. In that case, married couples can get a free credit report every 2 months.