The next day it was all too clear what had happened.
22 transactions from an iTunes store in Luxembourg for $99.99 each along with one for $1 were all pending on my account. I have to pause a moment and tell you how thankful I am for having worked for and learned from Dave Ramsey. We spent years paying down debt and building an emergency fund so I can honestly say my wife and I felt no stress at all in that moment. For 90% of my life, seeing $2,200 of pending transactions would have caused a major freak out. Financial peace is a real thing and it's awesome.
Ok, back to the story...
First thing Monday morning I called the bank, who directed me to call Apple, who said they need a chargeback request, which can't happen until the transactions actually post to the account. By Tuesday about $1,100 worth of transactions cleared and the rest were rejected. Wednesday afternoon was spent at the bank. After almost an inch of paperwork and the police report I had to file just to get the process started, I finally had a chargeback in process (the money was refunded less than a week later).
A week or so later, I got an email from winelibrary.com saying their site had been hacked and payment card information was compromised. Well there you go.
So how could this experience possibly be an encouragement to me?
If you run a business that processes payment information (or you're thinking of starting one), please, do yourself a favor and read our wiki page about PCI DSS. If you don't treat this seriously, it can destroy your business. The fines alone can be hundreds of thousands of dollars, not to mention the damage it does to your brand and your reputation.
I'm not mad at Gary Vaynerchuk or at Wine Library. Their staff is going through hell right now and they are doing a great job, including a personal phone call I received after replying to their email. What I am upset about is that this didn't need to happen. They are good at wine. It's what they do. They should have left the e-commerce security to professionals because it's what we do. Having an in-house team wasn't enough in this case.
If you're building an online business, please do your homework. Know the full costs and risks involved with using a hosted or self-hosted solution. If you don't use FoxyCart, find another secure hosted solution or use tokenization so payment card data is never stored (which, I'm happy to say, Wine Library's new website takes advantage of). Another option is to offload everything to PayPal or Google Checkout. Don't take these risks on yourself unless you have a team of people dedicated to security.
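To make the tokenization point concrete, here is a small added example (written for this post; it is not FoxyCart's, Wine Library's, or any payment provider's code). It assumes a hypothetical `TokenVault` standing in for the external, PCI-scoped token service, a hypothetical `MerchantOrders` class for the shop's own database, and a constructed test card number. The merchant side only ever keeps an opaque random token and the last four digits, so a breach of the shop's database exposes nothing a thief can charge.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, the standard sanity check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the provider's token service.

    In a real deployment this runs outside the merchant's systems; the card
    number is sent straight here (or captured by the provider's form) and the
    merchant only ever sees the token that comes back.
    """

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}  # token -> PAN, inside the PCI boundary only

    def tokenize(self, card_number: str) -> tuple[str, str]:
        pan = re.sub(r"\D", "", card_number)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, not a hash or encoding of the PAN, so it cannot
        # be reversed or brute-forced back into a card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pans.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # Real code would now talk to the card network; we just report success.
        return {"status": "ok", "amount_cents": amount_cents, "last4": pan[-4:]}


class MerchantOrders:
    """Hypothetical merchant-side order store: holds tokens, never PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: list[dict] = []

    def place_order(self, card_number: str, amount_cents: int) -> dict:
        token, last4 = self.vault.tokenize(card_number)
        record = {"token": token, "last4": last4, "amount_cents": amount_cents}
        self.orders.append(record)   # the raw card number is never written here
        return record

    def stores_no_pan(self) -> bool:
        """Audit helper: true if no stored field contains a 13-19 digit run."""
        for rec in self.orders:
            for value in rec.values():
                if isinstance(value, str) and re.search(r"\d{13,19}", value):
                    return False
        return True


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantOrders(vault)
    # Constructed test value; this is a well-known dummy number, not a real card.
    order = shop.place_order("4111 1111 1111 1111", 9999)
    print(order)                                   # token + last4 only
    print(vault.charge(order["token"], 9999))      # charged via the token
    print("merchant DB free of PANs:", shop.stores_no_pan())
```

Two things are worth noticing: the token is generated with `secrets`, not derived from the card number, so the merchant's database cannot be used to recover cards even offline; and `stores_no_pan` is the kind of simple audit you can run over your own records to confirm that card data really did stay out of scope.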
I now have personal experience with the drama created when a payment system isn't as secure as it should be. It's really frustrating. I'm encouraged because I believe the business we've built will spare hundreds of thousands of people from experiencing what I went through.
Your customers deserve to trust you with their payment information. Don't let them down.