Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

GameStop, Other Retailers Subpoenaed Over Credit Card Information Sharing

Soulskill posted more than 4 years ago | from the you-can-trust-us dept.

Businesses 117

New York State's Attorney General, Andrew Cuomo, has subpoenaed a number of online retailers, including GameStop, Barnes & Noble, Ticketmaster and Staples, over the way they pass information to marketing firms while processing transactions. MSNBC explains the scenario thus: "You're on the site of a well-known retailer and you make a purchase. As soon as you complete the transaction a pop-up window appears. It offers a discount on your next purchase. Click on the ad and you are automatically redirected to another company's site where you are signed up for a buying club, travel club or credit card protection service. The yearly cost is usually $100 to $145. Here's where things really get smarmy. Even though you did not give that second company any account information, they will bill the credit or debit card number you used to make the original purchase. You didn't have to provide your account number because the 'trusted' retailer gave it to them for a cut of the action." While there is no law preventing this sort of behavior, Cuomo hopes the investigation will pressure these companies to change their ways, or at least inform customers when their information might be shared.

Sorry! There are no comments related to the filter you selected.

PCI? (5, Interesting)

harlows_monkeys (106428) | more than 4 years ago | (#31033118)

There may be no law against it, but how does it comply with PCI security requirements? Shouldn't those companies be losing their permission to accept credit cards?

Re:PCI? (4, Informative)

ducomputergeek (595742) | more than 4 years ago | (#31033218)

Depends on who is actually running the charge. If it's B&N, for instance, who runs the transaction and then gives the $$$ to the 3rd party minus B&N's kickback, then there is really nothing there against PCI rules. If B&N is giving the 3rd party client all the card info, then there could be some problems. But even then, the big no-no is how the CVV code is handled. So long as it isn't stored anywhere outside of ram and that it is discarded once the transaction is made, the PCI folks don't give a damn as far as I can tell.

I'll give an example. We run a system where each one of our merchant has their own processing account. Usually we charge the merchant a flat annual hosting fee, but some of our clients wanted to move to a different model where we added in a $1.00 per order service fee to their customers instead of paying the annual rate. Our clients cited the economy, blah, blah, blah, and it's not something we wanted to do, but it was either that or loose the revenue from that client period. So we basically run card twice, once under our gateway for the $1.00 fee, then again under the merchant's gateway for the total bill.

Re:PCI? (3, Interesting)

Hognoxious (631665) | more than 4 years ago | (#31033330)

Is the customer informed of this charge before completing the sale? It seems to me that the honest and transparent thing to do would be to add the service fee to the price.

I like to know what I'm paying for, and how much I'm paying for it. I don't think that's unreasonable. Even airlines[1], who are notorious for adding x number of random surcharges to the advertised price give you an itemised breakdown before you commit.

[1] I mean reputable ones, not Sleazyjet or Tryonair.

Re:PCI? (1)

tlhIngan (30335) | more than 4 years ago | (#31035864)

Is the customer informed of this charge before completing the sale? It seems to me that the honest and transparent thing to do would be to add the service fee to the price.

I like to know what I'm paying for, and how much I'm paying for it. I don't think that's unreasonable. Even airlines[1], who are notorious for adding x number of random surcharges to the advertised price give you an itemised breakdown before you commit.

[1] I mean reputable ones, not Sleazyjet or Tryonair.

Problem is, you committed, and a new page comes up saying thanks for your order. With a button saying "Click here to save 10% off this order" (or your next order). The sleazy ones require you to click a tiny "No thanks" link, because closing the window automatically means you accept the offer. The sleazier ones include a discount on your order "Discount - 10%" as a line item. And hide the fact that discount really signs you up for a $20/month service.

It's a great scam because everyone loves discounts.

Re:PCI? (2, Interesting)

Ash-Fox (726320) | more than 4 years ago | (#31033346)

If B&N is giving the 3rd party client all the card info, then there could be some problems. But even then, the big no-no is how the CVV code is handled. So long as it isn't stored anywhere outside of ram and that it is discarded once the transaction is made, the PCI folks don't give a damn as far as I can tell.

It could be a hashed version of the entire card credentials to make a 'unique' identifier for the person to figure out what products to target to their customers and what they keep coming back for etc.

Re:PCI? (3, Informative)

Anonymous Coward | more than 4 years ago | (#31034820)

Depends on who is actually running the charge. If it's B&N, for instance, who runs the transaction and then gives the $$$ to the 3rd party minus B&N's kickback, then there is really nothing there against PCI rules. If B&N is giving the 3rd party client all the card info, then there could be some problems. But even then, the big no-no is how the CVV code is handled. So long as it isn't stored anywhere outside of ram and that it is discarded once the transaction is made, the PCI folks don't give a damn as far as I can tell.

Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh!!!!

There, you just made a PCI auditor scream. Are you happy?

If you have full card numbers that is the problem. There are 3 levels of CC data and they get more valuable as their completeness increases. CC#, CC# + CCV, Full Stripe. Full stripe is the most valuable as then you can print new cards. Also if you have ever had the strip on your card not work and had the cashier just punch in the # by hand (ever seen them put in a CCV after they punch in the #?) you know that just a printed card with a "bad" stripe and fake CCV will work at some stores.

All 3 of these MUST BE ADEQUATELY PROTECTED! If your PCI folks only care about CCV... Punch them in the junk for me and for your upper mgmt.

Re:PCI? (5, Informative)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31033228)

They've lost permission to accept my credit card. I'll shop elsewhere from now just for thinking that I'd allow this, regardless of restitution and new legal protections.

FALITFA ( http://www.ag.ny.gov/media_center/2010/jan/jan27a_10.html [ny.gov] ): Barnes & Noble, Orbitz.com, Buy.com, Ticketmaster.com, MovieTickets.com, FTD.com, Shutterfly.com, 1-800Flowers.com, Avon.com, Budget, Staples.com, Priceline.com, GMAC Mortgage, Classmates.com, Travelocity, Vistaprint, Intelius, Hotwire.com, Expedia/Hotels.com, Columbia House, Pizza Hut and Gamestop/EB Games were subpoenaed.

Re:PCI? (1)

Devout_IPUite (1284636) | more than 4 years ago | (#31033392)

Why would you shop at GameStop online when Amazon routinely kicks their ass on price and is just as 'not local'?

Re:PCI? (1)

Lumpy (12016) | more than 4 years ago | (#31033600)

Because Amazon did not give me free DLC on the release of the last game I bought prerelease. and Amazon had it for the EXACT SAME release price plus shipping.

Re:PCI? (0)

Anonymous Coward | more than 4 years ago | (#31033614)

Really? I haven't paid for shipping at Amazon in years, even when I buy things like TVs that have to be shipped freight.

Re:PCI? (2, Funny)

riegel (980896) | more than 4 years ago | (#31034416)

-- Home theater gear from Best Buy is low grade dog food.

Offtopic but I am wondering...

Not being a dog myself, how does one grade dogfood.

Re:PCI? (3, Informative)

Lumpy (12016) | more than 4 years ago | (#31035018)

by taste.

Re:PCI? (1, Funny)

Anonymous Coward | more than 4 years ago | (#31034056)

Why would you shop at Amazon when bittorrent routinely kicks their asson price and is just as 'not local'?

Re:PCI? (1)

Firehed (942385) | more than 4 years ago | (#31035578)

If you have Amazon prime, the shipping is often faster.

Seriously. Depends on the torrent, but I've had large files over bit-torrent take longer to download than it would have taken to get it shipped two-day with Amazon Prime.

Re:PCI? (2, Informative)

odin84gk (1162545) | more than 4 years ago | (#31034572)

Amazon has frequently shipped games more than 1 week after the release. (My friend just got ME2, That long of a wait will steer any gamer away from Amazon for game purchases).

Re:PCI? (1)

radish (98371) | more than 4 years ago | (#31037512)

Only if you choose free shipping. I use prime and if I preorder a game it arrives on release day (if they offer that service for that title) or at worst the day after.

Re:PCI? (2, Interesting)

AHuxley (892839) | more than 4 years ago | (#31033606)

Now goto the http://consumerist.com/ [consumerist.com] and request/search for the respective top emails and tell them your thoughts too.
Get a name to go with the brand.
Then spread the word.
The joy of reading about about your day job :)

Re:PCI? (0)

19thNervousBreakdown (768619) | more than 4 years ago | (#31033900)

What a wonderful way around the law. Not only do they not have to be guilty, it doesn't even have to be against the law, and since it's not against the law and there's no real lawsuit to win, who needs evidence or even suspicion? Subpoena them anyway! The bad press will ruin them!

It helps to be attorney general when starting a lawsuit for the express purpose of smearing people or companies (what's the difference again? Thanks SCOTUS!) and costing them or you might find yourself on the wrong end of charges from an angry judge.

Can you sue for attorney costs that you spent to defend yourself against something that isn't a crime? I guess you can sue for anything ... just gotta spend more on attorneys.

Honestly, I have no doubt that these companies are doing this, but it seems like one hell of a loophole for any lawyer-politician making a run for higher office or re-election at the expense of the reputations of whoever happens to be convenient at the time, and if they ever turned out to be wrong I doubt we'd see a similar announcement saying, "No, hey, these are good guys! My bad!".

Re:PCI? (2)

visualight (468005) | more than 4 years ago | (#31034046)

Get off your high horse, your rant is not suited to this particular situation. This AG is well within the job description, not using a loophole, and you have _zero_ evidence that anyone has 'the express purpose smearing' anyone. If anything it's a loophole that is allowing companies to do this.

Re:PCI? (1)

T Murphy (1054674) | more than 4 years ago | (#31036804)

Whenever a big company does something that looks good on paper, most people here stop and look for the catch. We have seen Cuomo repeatedly putting his name into national news, so these stories are starting to trigger the same reflex. I agree being 100% biased against him is overdoing it, but it is still relevant to include his political motivation in addition to the purely legal issues here.

Re:PCI? (3, Informative)

fatalwall (873645) | more than 4 years ago | (#31035190)

Actually he is asking for them to provide information on the method that perform this action. Because it might be implemented in a way that IS illegal.

Part of his job is to sniff out organizations or businesses that appear fishy. Then to request information in regards to it or subpoena it if they refuse and its fishy enough.

They do the same thing all the time to the phone companies when they hear of a practice that does not seem on the level.

Re:PCI? (1)

suomynonAyletamitlU (1618513) | more than 4 years ago | (#31035830)

I agree with you. GP has a point that this comes rather close to attacking someone for something that isn't illegal--which sets a terrible precedent--but at the same time, stopping people and corporations from doing bad things IS his job.

In the end, you or I or any other IANAL-er is not qualified to say that these companies AREN'T doing something illegal. It's possible that there is some corruption or deceit somewhere in the chain of things that is normally hidden, which is itself not only illegal but majorly illegal, and once the AG figures that out, people will never be able to get away with this again. I doubt that, but law is a huge field, and there's probably room for something like that to be discovered.

Social Games and the Federal Probe (5, Informative)

eldavojohn (898314) | more than 4 years ago | (#31033338)

with out authorization it is credit card fraud among other things that a DA will throw at me. If a business gives my information to a third party and the third party charges my credit card then that's just sharing? I need to start up a couple of businesses.

Apparently social gaming [slashdot.org] is a great business model for this kind of crap. The mentioned retailers get you after you make your purchase but when you need more resources in Farmville or Mafia Wars on Facebook [slashdot.org] :

In games like Mafia Wars, Farmville, YoVille and Vampires Live, you know, some of the major sources of all those garbage announcements cluttering up your Facebook, players compete to complete missions and level up. By leveling up, you can complete more difficult missions and fight off weaker opponents. You can wait for your various energies to regenerate naturally over time, or you can purchase with real money in-game boosts. Or, you can complete various lead generation offers, many of which are of the "answer page after page of questions and opt in and out of receiving various kinds of spam" variety. Some of them install malware and adware that is impossible to remove. And some of them secretly subscribe you to monthly recurring $9.99 credit card charges.

Don't ever put your credit card information into Facebook or a Facebook app. Social Media is rife with crap like this [washingtonpost.com] . Right about now we should be asking when we'll get to see the findings in the the federal probe that set out to address shoddy "business practices" like this [slashdot.org] and what is being done about it now that we know about it [senate.gov] ?!

Re:Social Games and the Federal Probe (3, Insightful)

jimthehorsegod (1210220) | more than 4 years ago | (#31033754)

Don't ever put your credit card information into Facebook or a Facebook app.

Well, no - but I'm no more likely to do that than I am to put my genitals in a meat grinder... I'm amazed that anyone would

Re:Social Games and the Federal Probe (0)

Anonymous Coward | more than 4 years ago | (#31033914)

I'd feed my genitals in a meat grinder before I give any info to a Faceplant app...security risk doesn't even begin to describe the bulk of those things- and they're actually stupid... (Bread and circuses?)

Re:Social Games and the Federal Probe (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31034360)

The risk to your information on facebook is quite high but not quite as high as the risk to your genitals via a meat grinder.

Re:Social Games and the Federal Probe (0)

Anonymous Coward | more than 4 years ago | (#31034146)

my name is.... and i play farmville... *lowers head* i know its dumb. anyway i would never EVER put a red cent into that game and i dont know why anybody would. security reasons aside... if you wanted a pay to play game with social networks you should probably play something good like WoW.

Re:PCI? (2, Informative)

Shadow of Eternity (795165) | more than 4 years ago | (#31033582)

I'm pretty sure there's a generally-worded fraud law or something somewhere on the books that would catch this since these guys are basically waiting until you buy one thing and then without knowledge or consent billing you for a second thing.

It's like going to a restaurant, ordering your meal, paying, and then finding out that on the back of one of the fold out flaps in the menu it says you'll also be charged a $150 service charge. You looked at one price, you agreed to one price, and while technically you were "informed" of the second charge in the "fine print" by all reasonable measures you were outright scammed.

Re:PCI? (1)

Svartalf (2997) | more than 4 years ago | (#31033922)

Perhaps one of the "Bait and Switch" laws on the books would cover this practice...

Re:PCI? (1)

riegel (980896) | more than 4 years ago | (#31034494)

I'm pretty sure there's a generally-worded fraud law or something somewhere on the books that would catch this since these guys are basically waiting until you buy one thing and then without knowledge or consent billing you for a second thing.

The problem is the pop-up or whatever says something like "Would you also like salsa with your chips? (we'll ship a new jar every month)" and when you click "yes" you are aware of it and are also consenting to it.

Re:PCI? (1)

Shadow of Eternity (795165) | more than 4 years ago | (#31034752)

You mean the popup that I didn't know would instantly appear right where I was going to click anyway and possibly can't get rid of without clicking?

Re:PCI? (2, Informative)

Firehed (942385) | more than 4 years ago | (#31035636)

You haven't seen these things in action.

They're (often) ads designed to look like coupons that are inserted into the middle of or immediately after the checkout process. I've even seen them placed in order confirmation emails. "Click here to save $10 on that order you just completed." kind of things, with no fine print whatsoever. Some of them will immediately sign you up; others will make you hit at least one additional page before you get screwed over - it depends on how much or little fine print, usually.

At best, it's false advertising. At worst... use your imagination.

Re:PCI? (1)

uglyduckling (103926) | more than 4 years ago | (#31035756)

I've found that you can get a long way by complaining. I signed up for a credit card offered by Amazon (I'm in the UK) with 10 months' interest-free credit. I have the money, but why not get the interest and/or invest in other things on their credit, right? On my second statement I had a huge amount added on for interest etc. as I had supposedly missed a 'minimum payment'. I phoned them up and said that I had never seen any warning that the 'interest free' period required a minimum payment, and they took the payments and the interest charges straight off. Consumer protection law is really strong in the UK.

The American roots of the Holocaust (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31033684)

Funny how the cries of "Fascism!" from the left died down after The Messiah was elected, even though he's actually accelerated the rate at which government and big business are getting in bed together. Makes me wonder if any Democrat even understands what Fascism is. Well here's a hint: it's not just a ruler who imposes his will on you. It's an entire system of government where the private sector retains ownership of it's property, but it is entirely directed by the state. Sound familiar, America? Hell, Hitler DID credit American Progressive "scientists" and politicians as the basis for his ghastly genetic superiority philosophy. And American Progressives are on record for admiring Hitler for having the balls to push his vision forward. Fascists and Progressives: more alike than they want you to know.

http://hnn.us/articles/1796.html [hnn.us]

Re:The American roots of the Holocaust (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31034142)

Wake up America! Loose Change, etc.

So if I use some one else's credit card (5, Interesting)

ImNotAtWork (1375933) | more than 4 years ago | (#31033132)

with out authorization it is credit card fraud among other things that a DA will throw at me. If a business gives my information to a third party and the third party charges my credit card then that's just sharing? I need to start up a couple of businesses.

Re:So if I use some one else's credit card (2, Interesting)

Hognoxious (631665) | more than 4 years ago | (#31033184)

I can't remember the exact phrase, but to me it's an unsolicited sale - like when they send you shit in the post that you didn't order.

There should be a clear go/no-go point in any transaction, just like there is in a physical shop.

Re:So if I use some one else's credit card (1)

rhsanborn (773855) | more than 4 years ago | (#31033510)

Except, if I remember it correctly, you did autorize it, it is just in very tiny print somewhere on the form you clicked. Smarmy yes, illegal, maybe not.

Re:So if I use some one else's credit card (3, Insightful)

Hognoxious (631665) | more than 4 years ago | (#31033634)

I disagree. If I authorize a 20 buck one-off charge on whatever.com, I'm not authorizing a 30 buck per month charge from somethingelse.com, whatever the small print says. Just because it's there doesn't make it enforceable.

Re:So if I use some one else's credit card (3, Insightful)

Svartalf (2997) | more than 4 years ago | (#31033956)

Yes. I strongly suspect that these things fall under "bait-and-switch" laws on the books.

Just because you agreed to it doesn't make the "it" any less fraudulent.

The main problem is...for many, "illegal" really means it's against the law if you're caught out doing it and someone calls you on it.

Re:So if I use some one else's credit card (2, Informative)

tomtomtom (580791) | more than 4 years ago | (#31033696)

At least in the UK, this type of activity would probably fall foul of the Unfair Contract Terms Act 1977 and the Unfair Terms in Consumer Contracts Regulations 1999, especially if well buried in the small print. There is a decent amount of case law prior to this legislation supporting this as well.

Not that that particularly helps you as an individual, since you'd then need to reverse the card transaction, then risk being sued for it and, finally, asserting that the term was unfair and therefore void in your defence case.

There are powers for certain government bodies like the OFT to take more useful action (such as seeking an injunction against the company in question enforcing those terms) though, which may explain why these scams don't seem to have appeared on reputable UK-centric sites yet.

Re:So if I use some one else's credit card (2, Insightful)

rhsanborn (773855) | more than 4 years ago | (#31033712)

I'm hoping courts will agree with you. Sneaking terms into small print while implying something else in regular print should be illegal. Whether courts see it that way, however, is very much in question.

Re:So if I use some one else's credit card (1)

uglyduckling (103926) | more than 4 years ago | (#31035800)

In the UK I'm pretty sure this practice wouldn't be allowed, and wouldn't even need to go to court, the FSA would deal with it. I've not come across it on any UK-based sites so far.

Re:So if I use some one else's credit card (2, Funny)

cdrudge (68377) | more than 4 years ago | (#31034124)

Except, if I remember it correctly, you did autorize it, it is just in very tiny print somewhere on the form you clicked

Yeah, it was <small> print inside of a <!-- comment --> inside of a <div> that has a style of "display:none; position:absolute;left:-10000px;". I don't know why couldn't see it.

Re:So if I use some one else's credit card (1, Funny)

Anonymous Coward | more than 4 years ago | (#31034706)

Insert "Beware of the Leopard" comment here.

Re:So if I use some one else's credit card (1)

GasparGMSwordsman (753396) | more than 4 years ago | (#31036572)

Best Buy lost a class action lawsuit in California around 2000 for doing this in person.

A customer would make a live purchase with a credit card and the cashier would as them if they wanted a magazine for free. If the customer said yes, they were given a three month trial that would then auto bill the customers credit card until the customer canceled the account. (Some times the customer said no or was not asked and they were still signed up.)

Re:So if I use some one else's credit card (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#31034918)

Making a clear cut law won't stop it either, they'll work around a loophole, probably something similar to; Buy something through Ticketmaster, TM site has a pop up to Acme Company Inc, and when you click the pop up, Ticketmaster charges you an extra $100 for that, they send $70 to Acme. Nothing they did was considered illegal, as the information you entered was with Ticketmaster, and processed through them. I've come across these (I was on Ticketmaster the other day) and its a good thing popup blockers are standard now, otherwise I might have accidentally clicked on this ploy.

Legal but dishonest (3, Interesting)

Shrike82 (1471633) | more than 4 years ago | (#31033160)

From TFS:

While there is no law preventing this sort of behavior

Well that, right there, would appear to be a fairly large gap in the legal system. Common sense, decency and good old fashioned right and wrong clearly indicate that there should be a law against this.It reminds me of a scam that a site called RedSave.com ran in the UK. Hidden way, way down in the tiny small print of their Terms and Conditions when you made a purchase was a line that stated "We will charge you £20 every month unless you contact us to opt out". Apparently this isn't against the letter of the law, but it sure as hell isn't a good business practice and isn't in the interests of the consumer. It, and the situation from TFA, are examples of cynical, money-grabbing exploitation of customers. One can only hope that a sensible judge has the balls to come down really hard on them, discouraging others from trying these sorts of practices in the future.

Re:Legal but dishonest (2, Interesting)

91degrees (207121) | more than 4 years ago | (#31033252)

Well, it's certainly misleading, deliberately so, and is intended for financial gain. I wonder if there is a possibility of fraud. Putting terms in with the full knowledge that people aren't going to read them is surely deception. Surely gullibility of the victim isn't a defence.

Re:Legal but dishonest (1)

Entropy98 (1340659) | more than 4 years ago | (#31033376)

Gullible/Lazy/Stupid people have been getting screwed by not reading the fine print since long before credit cards existed.

Fine print exists because its the only way to spell out all the required terms and conditions in this litigious day and age. You just cant put all the terms of all transactions in two sentences.

Usually its pretty easy to tell if you might get screwed by the fine print without even reading it.

However in this case, although it appears you were told you were signing up for something, having not realized the company you were signing up with had your credit card number most people would'nt think it was possible for them to be charged anything, and wouldnt have a reason to even read the terms.

Of course without screenshots its rd to tell exactly what happened.

Re:Legal but dishonest (0)

Anonymous Coward | more than 4 years ago | (#31035644)

"Gullible/Lazy/Stupid people have been getting screwed by not reading the fine print since long before credit cards existed."

This might be true but the "fine print" of many contracts is so intentionally obfuscated that normal people have difficulty understanding it. I know of at least one law professor that says he has problems reading some credit card terms. (I believe he was at Harvard.) That and the fact that many times it is so long that it is very time consuming to read it entirely (even if you can understand it). What is needed are contract regulations that require a brief synopsis in every day language of what is in the lengthy legal boilerplate. If the synopsis and the lengthy legal boilerplate do not agree, the contract should be null and void.

Re:Legal but dishonest (2, Insightful)

Shrike82 (1471633) | more than 4 years ago | (#31037290)

There's a massive difference between stating legal obligations in the Terms and Conditions, and hiding the fact that the customer will be charged £20 every month with no benefit in there. Recurring monthly charges should be clearly stated, especially when a customer is expecting a one off payment for a product. Would you be happy is Amazon suddenly started taking money from you each month after you bought a CD from them?

Re:Legal but dishonest (5, Informative)

Archon-X (264195) | more than 4 years ago | (#31033354)

Both VISA and Mastercard have very explicit regulations on data sharing, and how 'Cross Sales' are conducted: they both prohibit it in their merchant agreements.
VISA is somewhat lax on its enforcement, preferring to take a case-by-case approach if there is abuse, however has been cracking down significantly on this type of behavior of late: http://corporate.visa.com/media-center/press-releases/press969.jsp [visa.com]

Mastercard will fine and terminate merchants it finds passing CC information between third parties. Fines normally start at 25k per offense.

The storage of CC data is another highly regulated procedure. 'Normal' merchants are prevented from storing CC data, and to even handle it, normally have to become PCI-compliant.
The storage of CVV data is very, very regulated - You have to have PCI-level 3 compliance - something typically reserved for merchant processors themselves.

To say that no regulation exists is somewhat uninformed.

However, even with the above all in place, as these guys are all using merchant accounts, they're going to see all the CC/CVV information in the flux; as presented by the article, it's very common to use this data, if the merchants can 'stay under the radar'.

Re:Legal but dishonest (2, Insightful)

Firehed (942385) | more than 4 years ago | (#31035818)

That's all true, but PCI compliance has nothing to do with legality. Violating the standard will get you shut down by your merchant processor (or someone else in the chain of your ability to accept credit cards), but it's not illegal.

Ultimately though, it comes down to a risk vs reward thing for those enforcing the standards. After all, Visa and Mastercard are getting a piece of every single transaction. Until people start calling up their issuing bank and charging back these fraudulent cross-sells (and do so in enough volume to raise some eyebrows or cause them to lose money, which admittedly is a very low number), it's in their financial best interest to allow it. Some of these companies are getting $10M+ in revenue from these cross-sale ads alone, so imagine what levels of volume they're doing through their legitimate business channels. Visa and MC aren't about to give that up anytime soon.

Re:Legal but dishonest (0)

Anonymous Coward | more than 4 years ago | (#31037128)

The first problem is that Visa and Mastercard don't bother to enforce their own rules until after something makes the news. If you have a big theft, and the theft makes newspaper headlines, then suddenly there are rules and fines. Otherwise, anything goes. The second problem is that once a fine is levied, the shady business just closes up shop and reopens as a different shady business. Corporations are too protected.

Re:Legal but dishonest (2, Informative)

julesh (229690) | more than 4 years ago | (#31033410)

It reminds me of a scam that a site called RedSave.com ran in the UK. Hidden way, way down in the tiny small print of their Terms and Conditions when you made a purchase was a line that stated "We will charge you £20 every month unless you contact us to opt out". Apparently this isn't against the letter of the law, but it sure as hell isn't a good business practice and isn't in the interests of the consumer.

While I don't suspect it's illegal (i.e. the owners of the business aren't going to end up in jail over it), I also don't suspect it's legally enforceable -- i.e. if you take them to court and demand your money back, they'll probably end up having to give it to you. There's a principle of English contract law that when dealing with consumers, the business must call the consumer's attention to anything which is unusual and detrimental to the consumer, otherwise it may not be an eforceable term of the contract. As Lord Justice Denning said:

"The more unreasonable a clause is, the greater the notice which must be given of it. Some clauses which I have seen would need to be printed in red ink on the face of the document with a red hand pointing to it before the notice could be held to be sufficient." (J Spurling Ltd v Bradshaw [1956] 1 WLR 461)

(IANAL, this is not legal advice, but I'd certainly suggest if you paid any money to this company within the last 7 years that you get some...)

Re:Legal but dishonest (1)

Svartalf (2997) | more than 4 years ago | (#31033976)

"illegal" is against the law- it doesn't relate to whether you go to jail or not.

Making unauthorized copies of media content is illegal- but depending on the nature, you could just be sued OR go to jail for it. There's tons more things like that on the books.

Re:Legal but dishonest (2, Insightful)

mcgrew (92797) | more than 4 years ago | (#31034902)

Common sense, decency and good old fashioned right and wrong clearly indicate that there should be a law against this

What do common sense, decency and good old fashioned right and wrong have to do with the law?

Re:Legal but dishonest (1)

Shrike82 (1471633) | more than 4 years ago | (#31037314)

What do common sense, decency and good old fashioned right and wrong have to do with the law?

Sadly, very little. At some point legality and morality diverged. Or perhaps they were never related at all.

Re:Legal but dishonest (0)

Anonymous Coward | more than 4 years ago | (#31036982)

Common sense, decency and good old fashioned right and wrong clearly indicate that there should be a law against this.

There already is... it's called fraud.

We don't need any more laws we just got 40,000 news ones last year [cnn.com] .

It's scary when you can't even drive to work without likely violating dozens of laws you don't even know about.

Pretty sure that's illegal (1)

VShael (62735) | more than 4 years ago | (#31033182)

in most countries outside of the U.S.

Re:Pretty sure that's illegal (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31033496)

Yes. The socialized medical systems in Canada and Norway prevent most types of credit card fraud.

Re:Pretty sure that's illegal (0)

Anonymous Coward | more than 4 years ago | (#31033960)

Well I know the ACCC [accc.gov.au] would be all over this. Does the US have a similar consumer watchdog?

WHAT? (2, Interesting)

Asadullah Ahmad (1608869) | more than 4 years ago | (#31033188)

This is absolutely frightening. Now I'll have to read the privacy statements to see if they share credit card information with other companies also? What exactly do the claims of "You are secure" and sort mean?

Fortunately my bank has disabled on-line transactions by default, and neither do I ever intend to click any ad while using my card. But I think that a lot of credit cards are activated for internet use, and

Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text.

is a terrible prospect as just seeing an ad doesn't usually mean agreeing to the purchase UNTIL we click on billing and shipping information.

Accidental Purchases (3, Funny)

B33R N1NJ4 (711855) | more than 4 years ago | (#31033208)

Really! I didn't -mean- to buy Blow-Up Betty and a years subscription to Back-Door Babes. They tricked me into it!

IT'S A SCAM JOE (0)

Anonymous Coward | more than 4 years ago | (#31033234)

Run away run away! The evil internet empire is upon us. Again!

For once ... (3, Insightful)

nospam007 (722110) | more than 4 years ago | (#31033268)

... it seems like PayPal looks good in comparison.

and why I never left Amazon for books (1)

Shivetya (243324) | more than 4 years ago | (#31033368)

B&N just annoys me, even some great tech sources tried it, make the purchase and up pops a "survey window" or save X on next purchase window.

It is very much like ad laden sites, I shop or read sites when my ad blocker/pop up blocker go nuts. If I get a single inquiry to pop a window, install x, or whatnot, I usually don't come back.

Keep it simple, keep it safe.

Re:For once ... (1)

djdevon3 (947872) | more than 4 years ago | (#31033422)

Until you try to use Sandbox or take in a donation without a fee. If Paypal wasn't so big it would be a joke... wait no... it still is.

Re:For once ... (3, Informative)

Lumpy (12016) | more than 4 years ago | (#31033624)

Actually they do offer one great function. One time use credit card numbers. these completely bypass any scumbag tricks like this. The credit card number I give a site is good for only the amount I set the number for. Paypad had this feature 3 years ago and I used it on a lot of "iffy" sites. http://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/account/VDCFrequentlyAskedQuestions-outside [paypal.com]

They call it the virtual debit card.

What we've known for years.. (3, Insightful)

goldaryn (834427) | more than 4 years ago | (#31033386)

Wow, that's incredible. I find popups and popunders very invasive, so for years I haven't clicked them on principle. I had no idea that it had gotten this far.

I'm going to print off this article (I suggest you do the same) and find the dopey people that I know (the ones who use IE and think sending chain emails is a good idea), thrust it to them and say: "Don't... click... popups!". If that doesn't wake them up, nothing will..

If anyone is interested, I posted the other day [slashdot.org] about the marvels of Privoxy, which stops a lot of ads, irrespective of browser.

Re:What we've known for years.. (0)

Anonymous Coward | more than 4 years ago | (#31034736)

The problem being that some of these sites don't present the offers as pop-ups; they present them as reputable business offers sponsored by the company after or while you're completing your purchase.

Smarmy? (4, Informative)

YourExperiment (1081089) | more than 4 years ago | (#31033388)

Here's where things really get smarmy.

Excuse me?

Smarmy: unpleasantly and excessively suave or ingratiating in manner or speech

Perhaps the word you were looking for is one of: deceptive, devious, underhand, sneaky, execrable, abhorrent, hateful, annoying, irritating, enraging, infuriating or inexcusable?

It's hard to believe that this practice is legal. I give my credit card details to one company, and it becomes perfectly legal for them to sell these details to a completely unrelated third party, simply because I clicked on an advert on a web site?

Re:Smarmy? (0, Funny)

Anonymous Coward | more than 4 years ago | (#31033704)

Oh God, here come the pendants. If only you were as smart as you think you are.

JC Whitney is one of these. (2, Informative)

Anonymous Coward | more than 4 years ago | (#31033472)

If you need car parts. DO NOT go to JC Whitney. They did this. The company they sold my credit card information to had gone under a dozen different names and phone numbers in the last 6 years. They were investigated by the Better Business Bureau. Everything time the BBB got close they shut their doors changed their name and they were starting right up again. The other company got $9 a month for 6 months before we realized it. I found out through bragging on the other website that they had gotten over 12 million people this way.

Re:JC Whitney is one of these. (1)

Svartalf (2997) | more than 4 years ago | (#31033986)

Which is something of a shame... In years long past, they were the go-to guys for hard to find auto parts and tools via mail.

Pizza Hut? (2, Informative)

EzInKy (115248) | more than 4 years ago | (#31033642)

You know, you almost come to expect this kind of behavior from scummy web based companies, but really, Pizza Hut? I had to check out their Privacy Policy [pizzahut.com] once I found out they were involved in this action and sure enough it says:


Should you choose to accept an offer from a third party, We will pass your relevant Personal Information, which may include your name, address, and credit/debit card number, to that third party.

Okay Pizza Hut, like, WTF?

Re:Pizza Hut? (2, Insightful)

MBC1977 (978793) | more than 4 years ago | (#31034072)

I'm not seeing the problem here. Its clearly spelled out "Should you choose to accept an offer from a third party, We will pass your relevant Personal Information, which may include your name, address, and credit/debit card number, to that third party."

Lets be real here, business are not out to be your friend. They are created to generate income for some individual / group. Ask for and READ the contract before conducting any transaction. If the deal seems too good to be true, it probably is.

Re:Pizza Hut? (0)

Anonymous Coward | more than 4 years ago | (#31034592)

You know, you almost come to expect this kind of behavior from scummy web based companies, but really, Pizza Hut?

Ask for and READ the contract before conducting any transaction.

If you need a contract to buy a pizza, something has gone horribly wrong.

Re:Pizza Hut? (2, Insightful)

Blue Stone (582566) | more than 4 years ago | (#31034890)

>Lets be real here, business are not out to be your friend

Yeah, but it's not good business to become your customer's enemy.

Re:Pizza Hut? (1)

phorm (591458) | more than 4 years ago | (#31035068)

Contract? Seriously, other than the usual I-give-you-money-and-you-give-me-functional-product contact inherent in a sale, there should NOT be a contract.
This goes a bit further into the area of affiliate "loyalty" programs, but they're still dealing with what are essentially hidden contracts.

So unless you want it to be permissible for the local supermarket to sell your CC# to "Loyalty Agency X" the next time you use a discount coupon to save $0.25 on your next roll of ass-wipe paper, then perhaps you SHOULD be concern.

There aren't too-good-to-be-true deals, they purport to be much the same as loyalty card (you know, the ones you probably already have from your local grocery store, gas bar, movie theatre, etc). The concept of "shop with us a lot and get discounts" or even "shop with our affiliates a lot and get discounts" (while the loyalty provided gets a small cut and you may still save a bit) are NOT new, and not in the line of too-good-to-be-true. Those were often honest everyone-benefits type deals where the companies got a bit more business, the advertiser got a small cut, and the customer got a small discount. The problem is that online it becomes extremely easy to hide extra details such as hidden charges, or hidden recurring charges, amongst a polluted page of "details" or several pages of such.

This is especially an issue if you look at the retailers involved. Video games, office supplies, flowers, movies, and even fricking pizza. Do you really want to have to check 10 pages of fine print for the scam every time you save $5 on a extra-large supreme? Give me a break.

Re:Pizza Hut? (0)

Anonymous Coward | more than 4 years ago | (#31036976)

Should you choose to accept an offer from a third party, We will pass your relevant Personal Information, which may include your name, address, and credit/debit card number, to that third party.

May. And it says nothing about that information being used for a transaction. The fact that you will be charged is not clearly spelled out in that statement at all.

Best buy used to do this and they got in big troub (2, Informative)

Joe The Dragon (967727) | more than 4 years ago | (#31033918)

Best buy used to do this and they got in big trouble In more then one way one was the MSN thing where they scan the free disk but don't tell you that you when singed up for a 2 year deal after the free trial ended and some people did not even use the disk and did not know that they when singed up for msn and then was the free magazine when you got singed up for if you did not call up and have it stopped.

Re:Best buy used to do this and they got in big tr (0)

Anonymous Coward | more than 4 years ago | (#31037054)

....can I have some of what you're smoking?

Re:Best buy used to do this and they got in big tr (0)

Anonymous Coward | more than 4 years ago | (#31037898)

Best buy used to do this and they got in big trouble In more then one way one was the MSN thing where they scan the free disk but don't tell you that you when singed up for a 2 year deal after the free trial ended and some people did not even use the disk and did not know that they when singed up for msn and then was the free magazine when you got singed up for if you did not call up and have it stopped.

Punctuation, motherfucker, do you know it?

So let me see if I have this right.... (2, Interesting)

Jed_8 (1611735) | more than 4 years ago | (#31034092)

"As soon as you complete the transaction a pop-up window appears. It offers a discount on your next purchase. Click on the ad...." So this is something that affects only people dumb enough to click on pop-ups, while those of us with either blockers or the brains to close pop-ups like this when they open are not affected? Internet darwinism at work and working as intended imo.

Re:So let me see if I have this right.... (1)

spymagician (1303515) | more than 4 years ago | (#31034910)

"As soon as you complete the transaction a pop-up window appears. It offers a discount on your next purchase. Click on the ad...." So this is something that affects only people dumb enough to click on pop-ups, while those of us with either blockers or the brains to close pop-ups like this when they open are not affected? Internet darwinism at work and working as intended imo.

Thanks- I was hoping someone would point this out, and I agree with you. It's sad commentary that today's consumers still don't approach every purchase expecting to get burned. Now, before anyone gets up in arms over that statement, let me explain: I don't agree it *should* be this way, but I know that it *is* this way and protect myself accordingly.

Re:So let me see if I have this right.... (1)

Jed_8 (1611735) | more than 4 years ago | (#31035384)

Agreed, I wish I could go out there and trust vendors (both online and offline), but that's not the world we live in. Unless you have reason to believe otherwise, if anything sounds a little bit too good to be true, assume it is a scam. -Learn what different types of URLs do. -Run Firefox, disable pop-ups, run NoScript and ONLY run things you know you can trust. -Don't ever save personal or CC info anywhere you don't absolutely have to. -If you can use any kind of service which allows at least some other level of protection (like Paypal), do so. They won't offer much, but at least there's another entity between your money and a potential thief. And just because you're online or offline, don't assume you're safe. You're NEVER safe.

Re:So let me see if I have this right.... (5, Informative)

tlhIngan (30335) | more than 4 years ago | (#31035614)

"As soon as you complete the transaction a pop-up window appears. It offers a discount on your next purchase. Click on the ad...." So this is something that affects only people dumb enough to click on pop-ups, while those of us with either blockers or the brains to close pop-ups like this when they open are not affected? Internet darwinism at work and working as intended imo.

Thanks- I was hoping someone would point this out, and I agree with you. It's sad commentary that today's consumers still don't approach every purchase expecting to get burned. Now, before anyone gets up in arms over that statement, let me explain: I don't agree it *should* be this way, but I know that it *is* this way and protect myself accordingly.

Actually, it can affect you if you don't click the popup too.

It's a major scam, and it's not necessarily a popup.

You click "Continue" on your transaction, and the site summarizes your order. Then instead of a continue button, you have a big button that says "Place order - and get 10% off your next!". What you don't see is hidden in the fine print is a link that says "No thanks - just place my order".

Or, after you place your order, on the thank you page, it'll have a blurb saying "Special offers for your next order" with "Save 10% off your next order!". Hell, the craftier ones put a 10% off discount on your order automatically, and a link hidden at the bottom saying "No, I don't want the discount".

The nastiest ones though are the ones that require no clicking at all - you done your order, you close the browser while inadvertently NOT clicking the "No" link. By closing the window and not declining, you're signed up anyway. Hell, I bet half of them exist in the terms and conditions of sale, and people blindly check the box saying they agree.

Basically, unless you read every word of every screen, it's impossible to not inadvertently do it. It's a huge scam and everyone's hiding behind the fine print. And the fact that people love getting discounts, so a 10% off the next order would be valuable.

Re:So let me see if I have this right.... (0)

Anonymous Coward | more than 4 years ago | (#31036956)

I would agree with you on the "internet darwinism", but when you work for one of these companies and your mother get hit with these charges after using an employee friends & family discount you sent here, it is not "as intended".
I don't even work in the .com department and had no idea about this thing, so there was nothing I could tell her. Really makes you want to find another job, but that is a little difficult at the moment.

Yay! (3, Interesting)

sesshomaru (173381) | more than 4 years ago | (#31034140)

This is the best news I've heard in a while. I do tech support for a local Buddhist temple, which has some staff authorized to use corporate credit cards to buy supplies for the temple.

Well, more then once I've been called in to help out with the mysterious charges on their credit cards, and it's always because of this scam. These people are both good-hearted and completely unsophisticated, they see someone offering a discount they don't question it. (Recently these scam artists had to change up their fine print so it's easier to read due to lawsuits in other states.)

The worst thing is it's semi-reputable companies destroying their brands for the sake of getting $10 a month charges out of grandma's checking account. I mean Barnes and Nobel? I used to work for them, I can't believe they've sunk this low.

Ventrue? (1, Funny)

Anonymous Coward | more than 4 years ago | (#31034200)

From TFA:

The three discount companies in question are Webloyalty, Affinion/Trilegiant and Vertrue.

Well, there you go. Anyone dumb enough to accept a discount from an ancient lineage of aristocratic vampires deserves what they get.

Wait... oh, Vertrue. Oops. Never mind.

No law? (0)

Anonymous Coward | more than 4 years ago | (#31034682)

What do you mean there's no law against it? This is called fraud, isn't it?

List of sites that do this (1)

TechwoIf (1004763) | more than 4 years ago | (#31034914)

I like to see a website set up that lists sites that do this practice. Hopefully some developer can make a plugin that warn or even block this for firefox and other browsers.

My wife got scammed by Joann.com / Webloyalty (2, Interesting)

zero_out (1705074) | more than 4 years ago | (#31035160)

My wife got scammed 4 1/2 years ago when shopping at Joann.com, which is the web store for Jo-Ann fabrics and crafts, a major national chain. At the end of her purchase, she was offered a $10 coupon, and only had to give her email address. She gave the address of an account she uses for things that might generate a lot of spam. She never received the email containing any coupon information, but Webloyalty started charging our CC $10/month. After the second month, we caught on, and contacted them about it.

Long story, made short, even though there was nothing informing her about this, the simple act of providing an email address (any, even a bogus one) was interpreted as permission for Joann.com to give our CC info to Webloyalty. They refused to give our money back, and Joann.com only responded by saying "enjoy your coupon," which she never did receive. She doesn't shop there anymore, and neither does the majority of her circle of friends.

At least we only had $20 stolen from us. It could have been worse.

Re:My wife got scammed by Joann.com / Webloyalty (1)

HTH NE1 (675604) | more than 4 years ago | (#31036974)

Leo Laporte (of The Screensavers, Call For Help, and now the TWiT Network) reported on this months ago on multiple podcasts, I'm sure including the Security Now podcast. And yes, even if you think you're being smart by giving a fake e-mail address, it doesn't matter since the site you were on is handing the billing information over to this other site (and gets paid for the referral).

Don't try to be clever on-line after you've just given someone your credit card number. The site coming up to you saying, "I see you just spent some money. Can I have some too?" is not just some panhandler you can easily deceive or ignore. Pay attention: it may be opt-out and thus not even safe to kill the browser to avoid communicating anything to the extra unwanted service vendor.

Re:My wife got scammed by Joann.com / Webloyalty (0)

Anonymous Coward | more than 4 years ago | (#31037582)

You should have called your credit card company and demanded a chargeback for the $20.

OT, but a co-worker of mine went to work for Webloyalty and left after a few months. She was so excited to move from what she thought was a bad situation, but she ended up in a worse situation.

campaigning (0)

Anonymous Coward | more than 4 years ago | (#31036930)

He's just running for governor.

Where do New York politicians get the idea that if they can become governor or mayor of New York City, they're shoo-ins for presidential nominations?

So... (1)

fulldecent (598482) | more than 4 years ago | (#31037028)

I don't see any problem in this, actually.

Sign me up for as much stuff as you want. I'll keep whatever you send me and reverse charges for the rest. I don't even mind the inconvenience, because I know that Visa will charge the merchant a fee and if enough people have done it then they will increase the cost of transactions.

Buyers are protected with Visa, what part of that don't you understand?

Happened to Me (0)

Anonymous Coward | more than 4 years ago | (#31037284)

Something similar to this happened to me with Gamestop. I purchased a DS game from their online store and a month later I was having money withdrawn for a subscription service, through one of Gamestop's third party affiliates, that I never purchased or agreed to.

After calling and canceling the 'phantom subscription' they promptly returned my money, but they knew damn well I would never buy from them again.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?