Deccan Chronicle

Swiping cards save details

■ Consumer not even notified because of Amazon’s default opt-in feature

- NAVEENA GHANATE | DC

Getting your credit/debit card swiped at your doorstep to pay for products purchased online may be convenient but it will automatically save your card details to the online account without your explicit consent.

If a user pays for someone else’s cash-on-delivery package, this card will be linked to the other person’s account and the owner of the card will not be notified and cannot delete it either.

This is because Amazon puts a default opt-in feature to store card details and puts the obligation on the user to opt out.

Sahana Prabhakar received a text message that said, “We wish to save your card ending XXXX to Amazon account used to order a product.” Even though Amazon provided a link for her to opt out from having the card details saved, Ms Prabhakar asked the company on Twitter, “Who gave you permission to store my card details in the first? If I mindlessly ignore the text message you’ll assume I've consented for you to store my card number won’t you? (sic)”.

Netizens have started questioning Amazon’s storing their card details and have expressed their apprehensions about the card-on-delivery option.

“I paid for some cash on delivery transactions using a card for a colleague when he was out of the office and my card details were saved to his account. Amazon always saves credit card details, but swiping for a friend also saved my credit card details to his account. I was informed by my colleague for whom I swiped my card in his absence, that my details had been saved,” said Anivar Aravind.

Customers do not want their card details saved online because they do not want to share these details with an e-commerce company. Mswipe is the payment gateway for Amazon and the POS machine of the firm is used for transactions.

Internet researcher Kingsly John said, “If we want to share card details with them, we wouldn’t be swiping our cards in the first place. The payment gateway mswipe is compromising the security of our cards by sharing them with your customers (amazon) (sic).”

Amazon can collect the card details without explicitly informing the user if it is Payment Card Industry Data Security Standard (PCI DSS) compliant. PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It may be mentioned here that in 2012 Flipkart came under scrutiny for saving credit card details by default and asking users to manually opt out. However, based on the feedback from customers on various platforms, Flipkart retired the feature.

An independent security researcher, Srinivas Kodali, says it is common for card details to be passed on to various stakeholders in banking by merchants or POS. “The onus is on the cardholder to protect oneself as he/she is in charge of it, because the companies often comply with PCI DSS certification.”

Experts opine that considering the number of e-commerce frauds where there is actual theft of money, informed consent needs to be sought.

Internet researcher P. Srikanth said, “Most companies usually store only a token linked to the card and not the actual card number itself. Usually, permission for storing the card is obtained with consent from user and generally cards swiped on PoS machines shouldn’t give merchants the ability to store card details as tokens.”
