Saturday, November 26, 2011

How $1,100 in Fraudulent Charges Encouraged Me

I was recently surprised by a "please see attendant" message on the gas pump after swiping my debit card. What the...? I had just used it for lunch the day before. I went home, checked my online activity, and everything looked fine. My bank was closed for Veterans Day, so I couldn't call anyone to figure out what was going on.

The next day it was all too clear what had happened.

22 transactions from an iTunes store in Luxembourg for $99.99 each, along with one for $1, were all pending on my account. I have to pause a moment and tell you how thankful I am for having worked for and learned from Dave Ramsey. We spent years paying down debt and building an emergency fund, so I can honestly say my wife and I felt no stress at all in that moment. For 90% of my life, seeing $2,200 of pending transactions would have caused a major freak out. Financial peace is a real thing, and it's awesome.

OK, back to the story...

First thing Monday morning I called the bank, who directed me to call Apple, who said they needed a chargeback request, which can't happen until the transactions actually post to the account. By Tuesday about $1,100 worth of transactions had cleared and the rest were rejected. Wednesday afternoon was spent at the bank. After almost an inch of paperwork and the police report I had to file just to get the process started, I finally had a chargeback in process (the money was refunded less than a week later).

A week or so later, I got an email from winelibrary.com saying their site had been hacked and payment card information was compromised. Well there you go.

So how could this experience possibly be an encouragement to me?

I was encouraged because it reminded me why I care so much about, and have spent years of my life working on, security. At FoxyCart.com, we're almost fanatical about it. We spend a large portion of our revenue constantly improving our systems and ensuring we're with one of the most secure hosting facilities available. We've done extensive penetration testing, and we're finishing up our audit (as of last week) to become a PCI Level 1 Service Provider. Are we invincible? No. No one is. But we've spent years, and more money than I want to say, taking this issue very, very seriously.

If you run a business that processes payment information (or you're thinking of starting one), please, do yourself a favor and read our wiki page about PCI DSS. If you don't treat this seriously, it can destroy your business. The fines alone can be hundreds of thousands of dollars, not to mention the damage it does to your brand and your reputation.

I'm not mad at Gary Vaynerchuk or at Wine Library. Their staff is going through hell right now and they are doing a great job, including a personal phone call I received after replying to their email. What I am upset about is that this didn't need to happen. They are good at wine. It's what they do. They should have left the e-commerce security to professionals, because it's what we do. Having an in-house team wasn't enough in this case.

If you're building an online business, please do your homework. Know the full costs and risks involved with using a hosted or self-hosted solution. If you don't use FoxyCart, find another secure hosted solution, or use tokenization so payment card data is never stored on your systems (which, I'm happy to say, Wine Library's new website takes advantage of). Another option is to offload everything to PayPal or Google Checkout. Don't take these risks on yourself unless you have a team of people dedicated to security.

I now have personal experience with the drama created when a payment system isn't as secure as it should be. It's really frustrating. I'm encouraged because I believe the business we've built will spare hundreds of thousands of people from experiencing what I went through.

Your customers deserve to trust you with their payment information. Don't let them down.

5 comments:

Kasey Lawrence said...

Having an emergency fund in place really saves the day doesn't it? We have never had to use it but this is a reminder we are always one moment away to.

Thank you for investing in security with foxycart. Everything is getting hacked these days. I haven't purchased anything on playstation network since they got hacked. If I ever have a need for a system like foxycart it will be my first choice. Keep it up!

Kase

Kevin Ward said...

Thanks Luke

Luke Stokes said...

Thanks for stopping by, Kevin. I hope your project(s) are going well.

Luke Stokes said...

Thanks Kase! Having an emergency fund changes how we approach life because underlying stress is gone. Without it, the paycheck to paycheck mentality steals from our joy and creativity in ways we don't even realize.

Thanks for being so encouraging! We have a huge vision for where FoxyCart is going so we'll be keeping it up for sure.