Amazon Accused Of Taking Payment Verification Data And Using It To Access Public Records

October 19th, 2011

Without suggesting that Amazon actually did this—and it’s almost a certainty that this case will get quietly settled long before any Amazon executive has to take a deposition and answer these very delicate questions—the CRM possibilities are quite delicious. As noted earlier, the accusations are firm that the information revealed came from public records. The only purpose of the data from the payment verifications was to know which public records to seek.

Given that public records, by definition, are free to all, there is no legal problem with Amazon or anyone else disclosing what is in them. The tricky part is what lawyers call the fruit of the poisonous tree. If Amazon indeed had no realistic chance of searching that record without using verification data, this gets complicated. The payment-card numbers are restricted, but the verification data is less clear. Given that Amazon isn’t accused of publishing that data, but instead data from a public file, this might open a new window into data-mining options.

Please keep in mind that at least one state—California—has already started trying to prevent this sort of effort with the Song-Beverly Credit Card Act of 1971, which expressly makes it illegal to collect information needed for a credit-card transaction and then use it for marketing. How far this forces retailers to act, even in California, is another issue.

What if an anonymous customer uses a credit card to make a purchase? Using the address and the username, you are able to access Facebook and LinkedIn public posts and then start displaying highly targeted products. E-mail could violate spam rules, but if you merely change the pages she/he visits, would that be problematic?

If we assume—solely for the purpose of discussion—that Amazon engaged in the accused conduct, it would never have been detected had its unit not posted the found information on a public site. In the course of its E-tail work—and in the course of retail functions by all major chains—that data would never normally have come to light.

I had an accountant years ago who would typically answer questions like “Is filing that type of deduction legal?” by saying “Let them find it.” (It’s hard to not like an accountant like that, but the IRS might take a different view.) Just because something isn’t likely to be discovered doesn’t make it right. More to the point, such matters do have a tendency of eventually being discovered, especially given the tendency of employees to move from one chain to a direct competitor.

“Discovered,” though, presupposes that it’s somehow wrong. Is it? There are clearly two definitions of wrong. One is legal. But the second is perception from the perspective of your customers. Legalities aside, will your customers think it’s wrong? Or, even more basic, will they simply not like it and take their business elsewhere?



