Coyote Blog

I closed my BoA credit card account for exactly this reason. I was spending far too much time changing the cc number a couple of times a year for all of the auto pays I had set up for my business.

We asked repeatedly for the merchant information, and they repeatedly refused to provide it. We believe this is industry wide; the credit card companies don't want to alienate a merchant, especially when data breaches are often not really that serious, and the cancellation of the credit card is a precaution.

Things are getting complicated out there with the hidden readers attached to gas station pumps and the more mysterious phenomenon where a duplicate of your card is used. But I will give Wells Fargo credit where due because they do computer scans of purchase patterns. On vacation I have received calls checking on a recent non-local purchase and on at least two occasions they have caught several of these purchases made by a duplicate card.

My strangest experience was a thank you email from Macy's telling me that my new winter coat would arrive at an address in a South Chicago suburb ( I live in Indiana) so I notified Wells Fargo and got the transaction stopped and then I called Macy's credit department to advise them. I can tell you from the UPS notice that arrived later that Macy's didn't care enough to call UPS to stop delivery and the package was dropped on the front porch in Chicago five days later.

You are basically arguing that a data breach should cripple a business. I apologize in advance for my cynical view of humanity, but wouldn't that create a situation where one could rid themselves of a competitor by hacking them? Why don't you separate your personal corporate card by opening a separate account from your managers with a different Visa provider or even American Express?

I wonder if they'd answer questions as to whether the merchant was PCI-DSS certified at the time of the breach. I believe part of the theory is that merchants who are PCI certified get protection (and fines apparantly) regarding breaches whereas if you're not certified you get thrown to the wolves.

2 recommendations:

1. chase sapphire has amazing customer service. that said, for some reason, that card gets hacked once a year and someone winds up using a physical copy of it somewhere. i suspect that is because i use it as my card for random internet purchases. i think that's just the price of shopping.

2. get a second card and use it ONLY for accounts at places you trust (amazon, utilities, netflix, etc) i use an amex for that. then never use it anywhere else. this keeps it from getting stolen. i have been using the same one for 6 years with zero issues. the trick is to firewall it. that way, when your other card gets stolen, you do not need to change all your basic accounts.

also:

get samsung pay. it's amazing. you need a new samsung phone to use it, but it lets you store a card and use it anywhere from your phone. it actually creates a magnetic pulse that works with 95% of legacy readers. they do NOT need to be android or apple pay enabled.

this adds massive security as each transaction is done with a one time number. there is nothing useful to steal. it also makes replacing your card instant.

i can call chase, tell them there is fraud on my card, they will cancel it, send me a new one, and automatically replace the one on my phone. i will have a new, working card on my phone before the call ends. so, zero gap in usability.

the real question is why we are not moving to a one time number system online. i suspect it's fee arb.

if online fraud is 1% vs 0.25% for card present but you can charge a 3% fee vs 1%, of course visa loves it.

Many cards allow you to issue "virtual numbers" at will - you can generate a new credit card number for every vendor, all of which charge the same account.

I do not know how they handle these numbers being breached, but there's an obvious advantage here if they do it at all sanely.

I would suggest that you subscribe to KrebsOnSecurity.com, an investigative blog which regularly reveals the sources of data breaches, and HaveIBeenPwned.com, a service that allows you to find out if your information was breached. (HIBP belongs to Troy Hunt, a very good web site security expert from Australia. You may also want to read his blog, TroyHunt.com.)

Beyond that, all I can suggest is to use just one card, and check that account every couple of days (via the web) for unauthorized charges. Because no company or site is ever hack-proof.

Somewhat off topic, but since customer service is sometimes discussed on this blog, I wanted to share the remarkable [systems] service at amazon.com. If amazon can provide this kind of individual contact and service, any financial institution of respectable size should be able to do similarly: be it a refund, adjustment of accounts/replacement account numbers, multiple authorized users, or whatever.
Do note the last line of the amazon email notice.
***************************************************************************************
Hello,
We're writing to let you know we processed your refund of $0.49 for your Order xxxxxxxxx.
This refund is for the following item(s):
Item: [book title]
Quantity: 1
ASIN: xxxxxxxxxxxxxxxxxxxxxxx
Reason for refund: Pre-order price protection
Here's the breakdown of your refund for this item:
Item Refund: $0.45
Item Tax Refund: $0.04
We'll apply your refund to the following payment method(s):
Gift Card: $0.49
This amount has been credited.
The amount credited to your Gift Card balance should be automatically applied to your next eligible order on our website.
Have questions about our refund policy?
Visit our Help section for more information:
http://www.amazon.com/refunds
We look forward to seeing you again soon.
Sincerely,
Amazon.com
We're Building Earth's Most Customer-Centric Company

If this happens so much, you should probably start keeping a list of all the merchants that have your credit card number so you don't have to remember them all.

That is to say, it won't help with the basic problem any, but it keeps you from going past due because you forgot to update your credit card on someone's website.

Hmmm. Why in the world would you burden yourself with that inconvenience (using cash for all transactions)? The issue with credit card numbers being stolen is indeed quite common based on my experience, and once a year is about what I see. And this really pisses me off because of the inconvenience. And yet, I've never lost anything but the time it takes to deal with a new credit card number, and that's less inconvenient than trying to carry enough cash around (and, um, I guess avoid buying anything on the internet?).

Hoping ApplePay gets more ubiquitous, and actually is a solution to most of this fraud. My last breach was a week ago... my Fidelity Visa card got used to book an Interjet flight, with manual number entry in Mexico. I get a text every time there is a transaction, so I knew about it instantly. Not sure why I would bother, but I quickly reported it, and as a result I lose my number, and have to deal with a new one. Have no idea how the number was stolen, or if it was just a random guess, but I do think the bank could avoid this quite easily by rejecting charges from random locations I've never been to.

A while back I to was told by my bank that I needed a new card. When I went to get it I asked who was attacked and was told that they don't disclose that information.

Was going to write this, I second this. They may only know that a bunch of cards that they saw used in the same geographic location are all getting bogus charges all of a sudden, and they infer a breach.