Questions Surround Some 8,000 Macy’s Debit Cards That Got Charged Repeatedly

Written by Fred J. Aun
January 3rd, 2009

When Macy’s distributed a very cryptic statement on December 23 saying that “some” debit card customers had been charged “multiple” debits for single transactions, it went virtually unnoticed.

Much of that had to do with the very quiet way Macy’s shared that knowledge—by E-mailing it to a handful of reporters, many of whom were on vacation. Unlike the typical way Macy’s—and others—make statements, nothing was issued to any of the major news release wires nor was the statement placed on the retailer’s own news release page. However, it was ideally handled if a company wants to say that it “announced” something but have no one know about it.

It wasn’t until January 2, when an Associated Press reporter saw the E-mail and filed a report, that coverage commenced. But the normally curious media that covered it didn’t seem curious about a plethora of odd things about the statement.

For example, retailers have specific systems designed to catch multiple identical transactions from the same account. Why, then, didn’t the Macy’s system catch anything until some accounts were charged two and even three times?

Here’s what the Macy’s statement said, in its entirety: “Macy’s had a system issue on Saturday, December 20 from 1-2:45 PM at stores in Macy’s Central and East divisions which may have caused multiple debits to some customers’ checking accounts. The problem has been identified and corrected. Macy’s has communicated with customers’ banks. The banks will credit customers’ checking accounts.”

Various Macy’s spokespeople couldn’t—or wouldn’t—address the most basic questions, even something as seemingly mundane as “Macy’s Central and Macy’s East are in different timezones. What timezone is being used with the 1-2:45 PM reference?” And, “did this impact in-store only or were any online debit transactions hit?”

One Macy’s manager familiar with the incident said that 8,000 transactions—and presumably about 8,000 customers, given the relatively short time span—were impacted.

That manager also said it involved a Macy’s payment processor and that the connection with the processor “was experiencing a slowdown that day due to traffic or systems issues. When that slowdown occurred, that’s when the double charges occurred. Once we identified the systems problem, we went in and corrected the slowdown and that stopped the double charging.”

Questions about how a slowdown could cause multiple billings were initially unanswered. Could it have been either software or an employee who, due to the slowdown, assumed transactions hadn’t gone through and tried putting them through again, thereby causing the multiple charges?

The same Macy’s manager also said that not only was the situation limited to specific geographies but it wasn’t even every store within those impacted geographies. It wasn’t clear why the debit card issues impacted only select stores, unless it was simply that not every store in those regions during that timeframe had any debit charges. That’s certainly possible, although a Macy’s is likely to be seeing a lot of transactions the Saturday before Christmas.


2 Comments | Read Questions Surround Some 8,000 Macy’s Debit Cards That Got Charged Repeatedly

  1. D'Anne Hotchkiss Says:

    Evan, being the cynical person you are, I’m surprised that you didn’t speculate whether it was 1 p.m. Central to 2:45 Eastern (making the actual time an hour longer that it would first appear).

  2. Nancy Torosian Says:

    If consumers had the Visa debit card that my company represents, they would NEVER experience any breach. We have the only card of any kind that can be ‘turned on’ and ‘turned off.’ My Visa debit card is always OFF (or disabled) until I turn it on — all via my cell phone. Even if you had my card number and PIN, you could never access the funds on my debit card. As a matter of fact, I was in a very long line at a Macy’s counter when the salesperson swiped my card that I had authorized for one transaction only. There was a problem with an incorrect price, and she asked me if I wanted the item anyway. I quickly agreed (with the long line), and she swiped my card again. Of course, it was denied and a message instantly appeared on my cell phone screen advising me of the attempt on my card. I simply called the programmed number in my cell phone, and turned my card ‘on’ in seconds, and the authorized purchase was completed. Everyone in line wanted to know how to obtain such a secure debit card — Please go to my website: and apply!


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.