Duplicate Debit Debacle Hits Best Buy, Macy’s. Who’s Next?

Written by Evan Schuman and Fred J. Aun
March 18th, 2009

Following a December glitch at Macy’s that saw 8,000 customers double- and triple-charged for debit transactions comes word of an eerily similar triple-charge glitch at Best Buy this month.

In both cases, the retailers initially painted the problems as isolated incidents. In both cases, the retailers thought initial debit card swipes didn’t work and asked the customer to try again, sometimes twice more. And in both cases, the banks removed money from the consumer’s bank account equivalent to two and three times the price of the product.

Could these be coincidences? Might they indeed be isolated debit card incidents? Absolutely. But this also might be an initial heads up that the debit card system relied on by major retailers today has inherent flaws. What happened, with both Macy’s and Best Buy, with software specifically designed to look for and prevent these kinds of multiple identical charges? What about the systems at the card processors and the banks?

The most frightening part about debit card transactions today is that they subject retailers to a debit double whammy. Debit transactions are exponentially more delicate—and more prone to glitching—than their credit card counterparts. At the same time, an error with a debit transaction can deliver an order of magnitude more damage, potentially cleaning out a customer’s bank account and causing them to unknowingly bounce checks to everyone they’re trying to pay. Few IT glitches have the potential to get a loyal customer in trouble with the police, but debit card glitches have that distinction.

How frightening is it that the transaction type that can inflict the most damage has the weakest failsafe? How weak in fact are those safeguards?

“Everything has to go perfectly on a PIN debit in order for it to work and all the actors have to do their job correctly, from the issuer to the acquirer and any stations in the middle,” said payment systems specialist Andy Orrock, COO of On-Line Strategies. “You’ve got gateways and a regional debit processor. So, for a transaction to go from Best Buy, there were most probably four institutions involved, the acquirer, the acquirer’s gateway, the regional debit network and the issuer. All the message exchanges have to happen properly.”

Mississippi Debit Burning

It’s not clear how many customers were impacted by the Best Buy debit situation, but one Mississippi man provided documentation of a $300 microwave oven that was charged three times, wiping out his bank account and causing quite a few bounced checks and related problems. Best Buy has acknowledged “errors” that caused Jackson, MS, resident Myreon Williams’ checking account to slip nearly $1,000 in the red, said Best Buy Spokesperson Jill Nezworski, but the retailer has been unwilling to provide specific details explaining why its payment system allowed the triple charges to take place.

When Williams’ debit card was first swiped, the system said he’d exceeded his daily limit but the transaction was apparently approved anyway. The message, which was unrecognized by the cashier, seemed to be little more than an FYI note. One problem was that no receipt was printed, which is what prompted the cashier to conclude the mysterious message meant the transaction had been rejected. According to the customer’s bank statement—a copy of which was provided to StorefrontBacktalk–that transaction was sufficiently accepted so that the bank account was debited.

Williams was then asked to re-enter his PIN and to re-swipe his card. The POS then spit out a piece of paper which the cashier kept, Williams said, and the cashier wouldn’t let Williams see what it said. He said the cashier told him he needed to call for authorization. Apparently getting the authorization, the cashier asked Williams to swipe the card a third time, according to Williams, who said he was then given a receipt and allowed to leave with the microwave.

The next day, Williams logged onto his online banking page and was shocked to see three charges from Best Buy for $299.59—the exact price of the microwave oven–plus a charge of $300 listed as “931240 POS PRE AUTH CREDIT CARD MERCHANT UNKNOWN US.”

“We stand by our original statement and don’t want to speculate further,” said Best Buy’s Nezworski via E-mail. Unfortunately, that original statement doesn’t say much: “Best Buy regrets that we inconvenienced our customer with the authorizations on his account. We have systems in place to prevent this from occurring but it does appear that an error occurred. It is very rare that we see this type of difficulty, and you can be assured that we will work with our customer to make this right.”


3 Comments

  1. Greg Patrick Says:

    When you swipe your card, ask for an error message, call your bank before swiping your card again. If you are going to use a debit card, do not write checks.

  2. Terry Bouvier Says:

    Almost all banks/transaction processors in the world have the inherent flaw that caused the scenario described above. They approve the credit/debit transaction and then pass this message to the POS and then assume they’ve done their part and all is well. There are some additional checks behind the scenes to determine if the message was successfully received, but there is still a small window of opportunity for failure.
    HSBC is the only bank I’ve seen whereby they require the POS system to respond with a message stating “Yes, I’ve received your approval message and here is the approval code you just sent me which proves I actually received your message – all is well”. If the bank does not receive this message within a certain time, it will assume all was not well and will reverse the last transaction.
    The chance of failure in this scenario is about the same as in the scenario at Best Buy and Macy’s; however, the liability is shifted from the consumer to the retailer. Instead of the customer being double/triple charged, it is possible they walk out with free merchandise. This, of course, raises the argument: is it better to annoy a loyal customer (who will notice being overcharged) or take the hit where it might not be noticed (unless the retailer is diligently monitoring their suspense/settlement files)? Most retailers prefer the former since they know they can make amends. If a customer walks away with free merchandise, it may be impossible to ever collect that money.
    The bottom line – monitor your bank statements regularly and refute all questionable transactions. The onus is on the retailer to prove you authorized the charges.

  3. Bruce Daughtry Says:

    Interesting that this double posting issue with debit cards keeps happening. My daughter’s debit card was double billed by AT&T when she bought the iPhone 3G. Apparently only debit cards were affected, according to AT&T, and happened to a lot of people.
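The two issuer behaviours contrasted in Terry Bouvier's comment above (approve and assume delivery, versus reverse unless the POS echoes the approval code back in time) can be compared in a small simulation. This is an added example, not code from the article or from any bank or retailer; the class, the function, the 30-second window and the opening balance are all hypothetical, and no real network message format is modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Issuer:
    balance: int                  # customer's account, in cents
    require_ack: bool             # True = confirm-or-reverse variant
    ack_window: int = 30          # seconds to wait for the POS echo (assumed)
    pending: dict = field(default_factory=dict)   # approval code -> (amount, time)
    issued: int = 0

    def authorize(self, amount, now):
        """Debit the account and return an approval code for the POS."""
        self.sweep(now)
        self.issued += 1
        code = f"A{self.issued:03d}"
        self.balance -= amount
        self.pending[code] = (amount, now)
        return code

    def confirm(self, code):
        """POS echoes the approval code, proving the approval arrived."""
        return self.pending.pop(code, None) is not None

    def sweep(self, now):
        """Reverse every debit whose approval was not confirmed in time."""
        if not self.require_ack:
            return                # fire-and-forget: the debit simply stands
        for code, (amount, at) in list(self.pending.items()):
            if now - at > self.ack_window:
                self.balance += amount
                del self.pending[code]

def checkout(issuer, amount, approval_seen, ack_lost=False):
    """One sale, one swipe per minute. approval_seen[i] is whether the POS
    recognised the approval for swipe i; the cashier re-swipes until it does.
    Returns (final balance, whether the goods left the store)."""
    now, goods_released = 0, False
    for seen in approval_seen:
        code = issuer.authorize(amount, now)
        if seen:
            goods_released = True
            if not ack_lost:
                issuer.confirm(code)
            break
        now += 60
    issuer.sweep(now + 3600)      # later settlement pass
    return issuer.balance, goods_released

PRICE, OPENING = 29959, 50000     # $299.59 from the article; constructed balance
```

With the article's three-swipe sequence (`[False, False, True]`), the fire-and-forget issuer leaves all three debits standing while the confirm-or-reverse issuer leaves one. With `ack_lost=True` the goods leave the store and the debit is reversed, which is the liability shift to the retailer that the comment describes.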

