Credit Card Insecurity

There’s no doubt that credit cards have overtaken other forms of payment, especially for online transactions. Unfortunately, many sites that accept credit cards have payment systems with security flaws, not the least of which is storing the credit card information. This is supposed to make it easier for repeat customers – lower the barrier to entering payment information and it will make it easier to buy something next time. In reality, it just provides another vector for attack.

My credit card has been replaced 3 times in the past year and a half, and every step has been done incorrectly.

The first misstep is how I find out about it – by failing to make a purchase, usually at a very inconvenient time. The credit card company has at least 3 different ways to contact me, some extremely expedient, but they don’t use them. Instead, they require a failure and a subsequent angry call from me.

The second misstep is that they need to send me a replacement card through express mail. Honestly, they could have already sent the replacement at the time of failure.

The third and most important misstep is that every time this happens, I ask what the cause was. Who was responsible for causing this inconvenience to me? I have been told every time that my card issuer has not been informed and they can’t tell me. The problem here is that this offers me no recourse – all that can happen is that I have to go through the first two missteps repeatedly.

The reason why this information is not provided is two-fold. First, the companies that are responsible are typically big targets. They think that it would be marketing suicide if the world found out that their data was compromised. Second, the companies are big enough to grab the credit card companies by the short and curlies to require them to keep it quiet.

Hiding a failure in data security makes the problem worse, not better.

Instead, what should happen is that the companies should own their mistakes. Publish the cause, publish the process by which it will be fixed, publish the progress, publish how that class of error will be prevented in the future.

Hiding the scapegoat is also a break in the free market. Without the information, I don’t have the agency to make a wise buying decision. Should I eschew credit at this establishment? Should I use PayPal? Should I use virtual credit card numbers? Should I decline to create an account, but just use a guest checkout? Should I avoid the establishment until it has a fix in place?

Coding is hard, I get that. It’s been my profession for most of my adult life. I’ve made my share of bugs and mistakes. I’ve found that the best way to handle any of the issues has been to be honest and up front about it; to understand the problem fully and propose fixes. Hiding the problem – even with a fix – is sub-optimal.