LLBean.com: No Valid Address Required. Oops!
Written by Frank Hayes

L.L.Bean will let online customers complete a purchase with only a payment-card number and expiration date—no name, billing address match or other authentication required. A number-and-expiration-date-only policy for card-not-present transactions could be a huge problem today: With huge numbers of consumers walking around with contactless payment cards in their wallets, thieves can brush up against purses and backsides in any crowd and collect card data automatically.
Contactless backers have always pooh-poohed this as a security threat, pointing out that customer names, security codes and other authentication information aren't transmitted by the cards. But if retailers are only relying on numbers and expiration dates, with one contactless grab—or one well-aimed digital picture snap from a mobile—thieves get all they need.
And although the E-tailer’s customer-service department insists that card numbers with the wrong name attached should be rejected, a simple experiment made it clear that at least some transactions are approved that way. (Two out of two media tests had transactions approved and shipped.) If it had been fraudulent, it would have been up to the payment-card holder to notice, complain and get the charge reversed.
L.L.Bean did not respond when we described the problem by E-mail. That’s troubling, too. There could be a strategy behind this approach—for example, that the company has decided it’s willing to take the loss for what it calculates to be a small number of low-value fraudulent purchases that it doesn’t catch. But without an explanation, it’s impossible to say whether it’s a policy or a security hole.
The point here is clearly not that L.L.Bean is less secure than other chains. Indeed, the significance of this situation is that many other chains have similar security holes. It may be against policy—as it is with L.L.Bean—and it may be against how customer service is trained, but it happens.
For more than five years, payment vendors have been arguing that the data leaks created by contactless cards are not a concern, because they generate insufficient information to make a transaction with a major E-tailer.
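To make concrete what "only a card number and expiration date" means for a merchant's authorization decision, here is an added example (not code from the article or from L.L.Bean) that contrasts a weak card-not-present policy, which approves any Luhn-valid, unexpired card number, with a hardened one that also requires a CVV match and an Address Verification Service (AVS) result. The order records, the AVS and CVV result letters, and the test card number 4111111111111111 are constructed for illustration; real AVS/CVV codes vary by card network and processor.

```python
from dataclasses import dataclass, field

# Typical AVS result letters (assumed; processors differ). AVS compares only the
# numeric street portion and ZIP of the billing address, never the cardholder name.
AVS_FULL_MATCH = {"Y"}                 # street number and ZIP both match
AVS_PARTIAL_MATCH = {"A", "Z"}         # only street (A) or only ZIP (Z) matches
AVS_NO_MATCH = {"N"}                   # neither matches
AVS_UNAVAILABLE = {"U", "R", "S", "G"} # unavailable / retry / unsupported / non-US


@dataclass
class CnpOrder:
    pan: str          # primary account number as typed by the customer
    expiry: str       # "MM/YY"
    cvv_result: str   # "M" match, "N" mismatch, "P" not processed, "" not supplied
    avs_result: str   # one of the AVS letters above, or "" if AVS was not run
    amount: float


@dataclass
class Decision:
    outcome: str                          # "approve" | "review" | "decline"
    reasons: list = field(default_factory=list)


def luhn_ok(pan: str) -> bool:
    """Syntactic check only: a Luhn-valid PAN proves nothing about the buyer."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def not_expired(expiry: str, today: tuple) -> bool:
    """today is (year, month); expiry is 'MM/YY'."""
    mm, yy = expiry.split("/")
    return (2000 + int(yy), int(mm)) >= today


def weak_policy(order: CnpOrder, today: tuple) -> Decision:
    """Number-and-expiration-only: the policy the article describes."""
    if not luhn_ok(order.pan):
        return Decision("decline", ["pan fails Luhn check"])
    if not not_expired(order.expiry, today):
        return Decision("decline", ["card expired"])
    return Decision("approve", ["pan and expiry accepted; nothing else checked"])


def hardened_policy(order: CnpOrder, today: tuple) -> Decision:
    """Require CVV presence and match plus an AVS result before approving."""
    base = weak_policy(order, today)
    if base.outcome == "decline":
        return base
    reasons, outcome = [], "approve"
    # Data a contactless skim or a photo of the card front does not yield.
    if order.cvv_result == "":
        outcome, reasons = "decline", reasons + ["cvv not supplied"]
    elif order.cvv_result == "N":
        outcome, reasons = "decline", reasons + ["cvv mismatch"]
    elif order.cvv_result == "P":
        outcome, reasons = "review", reasons + ["cvv not processed by issuer"]
    # Billing-address check against what the issuer has on file.
    if order.avs_result in AVS_NO_MATCH or order.avs_result == "":
        outcome, reasons = "decline", reasons + ["avs: address and zip do not match"]
    elif order.avs_result in AVS_PARTIAL_MATCH | AVS_UNAVAILABLE:
        if outcome != "decline":
            outcome = "review"
        reasons.append(f"avs: partial or unavailable ({order.avs_result})")
    return Decision(outcome, reasons or ["cvv match and full avs match"])


# Constructed sample orders. The first mirrors the article's experiment:
# valid number and date, no CVV, and an address and ZIP that match nothing.
ORDER_ARTICLE_STYLE = CnpOrder("4111111111111111", "12/30", "", "N", 24.99)
ORDER_GOOD = CnpOrder("4111111111111111", "12/30", "M", "Y", 24.99)
ORDER_PARTIAL = CnpOrder("4111111111111111", "12/30", "M", "Z", 24.99)

if __name__ == "__main__":
    today = (2025, 6)
    for name, order in [("article-style", ORDER_ARTICLE_STYLE),
                        ("good", ORDER_GOOD), ("partial", ORDER_PARTIAL)]:
        print(name, "weak:", weak_policy(order, today).outcome,
              "hardened:", hardened_policy(order, today))
```

Under the weak policy the article-style order is approved, which is exactly the outcome the editor observed; under the hardened policy it is declined for two independent reasons. Note that neither policy can catch the mismatched name by itself: AVS does not verify names, so a merchant that wants a name check has to implement it as its own fraud rule rather than expect the card network to reject the transaction.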
Our experiment began after we received a tip that a purchase would go through on LLBean.com with only a card number and date. The editor who placed the order used his own card number and expiration date, but used an address that was in no way associated with the credit card used (even the ZIP code was different). The name used for the order had the same initials as the card holder, but couldn’t have been mistaken for the name on the card account.
The E-Commerce site’s system accepted the order for an under-$25 item with the valid card number and non-matching name and address. Within a few minutes, an initial confirmation arrived at the Gmail address given with the order. Less than 90 minutes after that, another confirmation arrived with an order number and word that the order was being processed. More than a day later, a third E-mail message arrived, confirming that the order had been shipped. The payment card was charged on the day of the order.
During the long gap between getting an order number and getting shipping confirmation, we called customer service and inquired about the order by order number. We expressed surprise that the name was wrong, muttered that it was because someone else had actually placed the order for us, and corrected the name—but not the address.
The customer-service rep told us she could correct the name in the system, but she couldn’t stop the order because the package was “already on the truck.” When we expressed surprise that the order would go through with a name and address that didn’t match the card, the rep said, “I’m not sure why it went through. It shouldn’t have.”
That’s as much of a response as we were able to get from the retailer.