
June 18, 2005

Some "Security" Measures are Just Plain Worthless

On Thursday, June 17th, 2005, Stuart and I placed an order with Crutchfield for two pair (one each) of the Bose Quiet Comfort 2 noise canceling headphones. However, getting Crutchfield to actually ship the order was just a little more difficult than usual for online ordering.

Over the past several years, I have placed many an online order. These have included purchasing RAM & other computer parts for several systems, two Sharp Zaurus handheld computers (PDAs) and other assorted items. As I cannot guarantee that someone will be at my house at whatever moment a delivery service pulls up, I always have these orders delivered to my office (as do most of my co-workers). The problem was that Crutchfield had one of their agents phone the bank (who issued the credit card I had used) to verify that the phone numbers I had given them were listed on the account. My office number was not, so they were holding the shipment until they could get me to fix it. This was after the bank had already approved the transaction (in fact, the money had been sent out to their merchant account by the time I first contacted the bank about this).

This was the first time I have had difficulty getting a merchant to ship an order.

The process of approving a credit card transaction involves the merchant providing the card processing system with the information that I submitted. This includes my name and both the billing and (if the merchant chooses to do it) the shipping addresses. If they do not match up or the shipping address is not listed with the bank as an authorized ship-to address on the credit card account, then the merchant will not get an approval for the transaction. Merchants are not permitted to verify phone numbers via the electronic submission methods and are, in fact, not required to even collect any phone numbers.

All entities which issue credit cards (more generally, those who issue "credit instruments") are required to maintain a verification phone line for merchants to use in the event of complications or failures in the normally employed authentication method(s). So, it turns out that Crutchfield, as a matter of their own corporate policy, will always phone your bank to see if all the phone numbers you provided are on the account. They have to do it this way, since they are not allowed to (there is no way to) submit phone numbers for verification electronically. Since no other merchant with whom I have done business has ever done this, I never bothered to provide the bank with the extra phone numbers. They only had the house number and my wife's old place of work.

After talking to the bank on Friday, I told Crutchfield that they should be able to verify the phone numbers. They called back late Saturday afternoon and told me that they still could not verify the phone numbers. From the next conversation with the bank, I discovered that the new computer system (which had just been put in a week before) used by the merchant verification call center at the bank will only show them the one main phone number and no others. So I phoned Crutchfield and told them the old number that they could not use to get in touch with me, but that would verify just fine.

Crutchfield upgraded the shipping for free to ensure that Stuart and I would have our headphones by the end of the week. They should ship out on Monday.

To summarize the security implications here, Crutchfield has implemented a "security" process as a matter of policy that fails. It's not surprising that it fails, since the credit card processing system was not designed to handle this extra mechanism (in fact, phone numbers are specifically excluded). In this instance, the extra process failed and caused delays in shipping that were grossly exacerbated by their further delays in contacting me regarding the problem.

This incident was a security failure because:

* In the end, they required false information in order to get past their "safeguard".
* It took three (3) days longer.
* It cost them extra money, both in the time wasted by their personnel in conversing with me & the bank and for "making it right" with the customer by upgrading the shipping.
* I would guess that they spent more than their profit margin, resulting in a net loss for the transaction.
* It frustrated the customer, making it less likely that I would do business with them again.
* It damaged the customer's faith in their business.
* It damaged the customer's faith in their security.

Posted by lamontp at June 18, 2005 6:54 PM
