Credit Card (in)Security

My girlfriend is a partner in a small print and design business. As such, she has a company credit card – but it usually only sees service to buy stamps and other minor things.

She’s finally decided that it’s time to replace some of the computers in the company and, being the designery types that they are, Macs were the order of the day. First to go was her ageing PowerBook, replaced by a shiny new MacBook Pro. We pointed a browser at Apple’s online store, loaded up the basket, and tried to check out.

The credit card was declined.

After getting past the usual defensive bluster that overcomes people when they think their creditworthiness is being questioned, she conceded that it might possibly make sense that an expensive laptop purchase on a card that’s usually used for stamps might have triggered some alarms. She called the credit card company to sort it out.

“It’s been flagged as possibly being used fraudulently,” they said.

“Do you mean the purchase I just tried to make, or has it been used fraudulently before then?” she enquired.

“I can’t see anything before then – but I’ll cancel the card and send a new one out to you, just in case.”

“That doesn’t really help me right now. Can you at least let the current purchase go through?”

“Well, I’ll need to ensure that you’re really the owner of the card. I’ll need you to confirm your history by identifying a purchase that’s been made with it…”

Not particularly good security, but the chances of a casual card thief knowing that she bought stamps last Thursday are slim, right? Except that the person at the credit card company didn’t want her to name a date and purchase – that would be far too secure…

“Have you just tried to buy something from the Apple Store?”

“Erm… yes.”

“Okay then. I can unlock the card for you to make the purchase now, then I’ll cancel it and get a new one sent out.”

This beggars belief. If they suspect fraud strongly enough to cancel the card, why let the laptop purchase go through? If they think that purchase is safe enough to let through, why cancel the card? And why, oh why, oh why does the very transaction that was stopped count as a good enough example of the customer’s history for them to conclude that the person on the phone is genuinely the card holder?