James.Cridland.net

James Cridland's blog

Where radio and new platforms collide. With beer.

« links for 2007-01-21 | Blog index | Time to get real »

When a perfectly valid credit card won’t work

Posted on Sunday, January 21st, 2007 at 8:04pm. #

Got a credit card? Think it’s still valid for a few months? Think again.

One of my credit cards expires in February. I want to book a hotel stay in June. Expedia are nice people, so they take my credit card as deposit, but won’t take any money out of it until June.

In the past, this has worked just fine. My credit card’s main details don’t change - so, my bank informs me, it’s still just fine. As long as the payment is authorised in January, apparently it will still be honoured later by the bank. (Doesn’t make much sense to me, but apparently that’s how it works).

Anyway: all this appears to have changed thanks to the CVV2 or CVC, that funky little three-number code printed on the back of your credit card. This number is calculated with, among other things, the expiry date. Internet merchants need the CVV2 code to process your payment. And, as you’ll already have divined, the CVV2 code changes when your expiry date changes.

Anyway: what this basically appears to mean is that my VISA card, expiring in just 40 days, is useless for buying travel in 50 days, let alone June.

The bank says that my card should work just fine: but given that an invalid CVV2 code heightens the possibility of fraud, Expedia certainly won’t accept it. So, I asked the bank for a new card, so that I could book my holiday. And the bank refused to send me one.

Catch 22. Expedia won’t accept my card since it expires soon; the bank won’t send me a new one until it expires; leaving the customer in an impossible position: unable to pay, even though they have a perfectly valid card.

Needless to say, I’ve reminded the bank who is the customer here, and requested a new card pronto before I cancel the thing. They’ve relented, and a new card is winging its way to me. But given the travel industry thrives on pre-bookings, is it really the best plan to make credit cards unusable nearing their expiry date?

If I were in charge, here’s what I’d do:

- give customers a special credit card for ‘customer not present’, with a customer-configurable limit for individual purchases, a CVV2 number, no chip’n'pin, and a customer-configurable credit limit. (Mine would ordinarily not allow purchases over £100, and have a total limit of £1,000.)
- replace these cards at least six months before expiry

- give customers a ‘customer present’ card, with chip’n'pin, and no CVV2 number, so that these cards would only work in-store.
- replace these cards as normal

This could dramatically cut down on fraud, since if you cloned my ‘in-store’ card, it wouldn’t work on the internet; and vice-versa… and it might mean that I could actually pay for my holiday instead of threatening my bank.

| Permalink | Comments RSS | Leave a response, or trackback.

9 comments

Kevin Cummings said at January 21st, 2007 at 9:17pm

I feel your pain, as they say. Last summer I was travelling in the Southwest U.S. and my credit card was locked because the computer had tagged it for suspected fraud. It had been used more often than usual and a goodly distance from my home. Duh! I was travelling.

I had to chat with a nice representative of the credit card company and verify my ID with the cashier before I was allowed to pay.

While I appreciate that that the computer was watching out for me, I could have done without the public humiliation of standing in a gas station and explaining myself publicly. You can hear the whole story on my podcast at http://shortcummingsaudio.libsyn.com/index.php?post_id=106432

Frankie Roberto said at January 21st, 2007 at 10:12pm

Seems odd that your bank wouldn’t give you a new card when you asked them. You could always have suggested that it was possible that someone had stolen your card details, and that you wanted a new card as a precaution (which is always what they advise anyway).

Frankie

James Cridland said at January 21st, 2007 at 10:25pm

Kevin: I’ve had this, too. Same bank, come to that.

Someone once told me to pay for something at the airport before you travel (so the bank can obviously track you). As a result, normally, I do. Has no effect. Even ringing the bank before I leave saying “I’m just about to spend a load of money in New York” doesn’t appear to make any difference.

In this particular case, I’d driven slowly to Italy and back, and they decided that they’d suspend my Maestro card on the second-last day; despite having a VISA card that even showed exactly what motorways I’d been using, and despite using the Maestro card on virtually every day of the journey. Intelligent checks? Pah.

Frankie: I agree, I could have lied. I prefer to tell the truth. In this case, I think I’ve discovered quite a major flaw in how CVV-enabled credit cards work.

James Cridland said at January 25th, 2007 at 11:29pm

—sent to my bank…

Sorry to press the point (in reply to the below), but it’s important to me.

It is now a major part of travel to book some months in advance to achieve the best rates; and a standard VISA card does offer some protection for travel purchases, so banks have encouraged their use in the past for this.

I tried to, on a valid VISA card (expiry 02/07), to book a hotel stay for July. The transaction was declined, because my card would not be valid at the time of travel. Since Expedia are required to validate the CVV2 number, which ‘relates to the individual card’, Expedia are unable to accept this card for any purchases for travel from 03/07 onwards (just six weeks time), through no fault of my own.

Your policy is to only send people a new card in the expiry month; indeed, you initially refused to send me a new card on request, claiming (incorrectly) that the purchase should be accepted by the retailer: even though there is a requirement for them to validate the CVV2 number. I’m grateful for the new card, but disappointed I had to ask again.

Your (or VISA’s) policy will result, every two years, with a credit card which I will not be able to use to book advance travel. I’m sure you understand that this is unacceptable: indeed, this policy requires me to get ANOTHER, non-(my bank), VISA card so that I have a valid usable VISA card at all times for booking travel.

I believe this is a valid and concerning point, and is an unintended consequence of the new(ish) CVV2 number. I don’t believe it’s your fault particularly - probably VISA’s - but I do hope I might be able to get this point to someone that might think about how not to irritate your customers every time a card needs replacing. Could you do that for me?

j


From: (my bank), Card Services

The cvv2 number relates to the individual card and confirms when authorisation is requested, that the customer has in their possesion a live and valid card.

Your current credit card does not expire any earlier but would be a security risk if you had more than one live card on the account and also the start from date would no longer be up to date.

Ian Morgan said at February 11th, 2007 at 5:07pm

Whilst I accept your points about travel, this type of thing has happened to me before when trying to check in for flights -I had the same card number but a new expiry date so at first BA wouldn’t take it at check in. I think however, the idea of TWO cards is overly complicated -many people really cannot be bothered to mess about setting their own limits and making sure they have the right card. Plus if it was for a service, i.e. a flight, when the card must be present at check in, it could cause all sorts of problems. It would also pose a problem when travelling abroad, merhcants would become confused over which cards could and couldn’t be used, and as many international retailers dont process international cards in “real time”, they would be accepting cc transactions that were invalid!!!

shina said at February 17th, 2007 at 12:22pm

i want to view you credit card no and the cvv

James Cridland said at February 17th, 2007 at 7:43pm

Okay, it’s 450 - hang on a minute…

Dave Cridland said at February 21st, 2007 at 1:38pm

The thing that strikes me is that, when you’re using the Internet to pay, especially, you do actually have a tremendously easy way for the banks, merchants, and customers to collude in a remarkably simple way.

Imagine for a moment that I’m in charge.

So, James, you go off to Expedia, and book a holiday. For payment details, you enter some form of username, let’s say “jamescridland459@gnatwest.co.uk” or something. Expedia then creates an invoice code, tallies up the amount, and does some magical lookups, and redirects you to some webpage with all the required details embedded in the URL. (There’s “stuff” to do this in the shape of NAPTR et al, as it happens, so this bit is absolutely not rocket science).

Now, you’re talking to the bank. You’ve got a shiny TLS certificate to prove it, too. You can authenticate yourself to the bank, just as you do for Internet Banking, and authorize the payment. Then you get passed back to Expedia, along with a shiny proof-of-authorization (signed by the bank), which allows them to claim payment. Or prove that it will arrive later, which is perhaps more useful.

Really, there’s no need for the credit card at all - which itself is only designed as a proof of ID. The magical numbers, supposedly forcing you to have possession of the card, aren’t needed anymore - in fact the card isn’t needed, just the account it represents.

tv brackets said at March 31st, 2008 at 4:19am

I’ve never thought this kind of impossible option could happen. I use my card regularly, but not too often on postponed payment. Probably the best way is to avoid such situation. I suppose the system in credit card services are so rigid and most likely it will be difficult to tweak by those who are in charge.

These are my personal views and not those of the BBC | Full disclosure | FAQ | Contact me | More Cridland stuff at www.cridland.netMade in the UK