ebay charging seller fees... to an expired credit card (and succeeding)?!

[Halcyon]

I'm one of these people who provide the bare minimum (or fabricated) details to on line services if they simply don't need to know personal information they are asking for (and I'll be the judge of what they need to know and what they don't).

Years ago when I started selling stuff on ebay, they essentially forced me to enter credit card information so that fees can be automatically debited, otherwise I couldn't sell anything.

Since then, the credit card details I provided have expired, I still pay my fees but I do so manually. I see no need for them to keep my credit card information on file, so I just haven't updated it.

I was notified of my last bill as normal via e-mail, but when I went to pay it, it seems they have already debited my credit card and the payment succeeded. What the!? I haven't given them the new expiry date, so where are they pulling this information from? I checked my account section, there is only the expired card listed and it's not coming from my Paypal account either.

Are they just incrementing the expiry year automatically in the hope that one of them is accepted? How is this legal?

[Rerouter]

I know that the way paypal pulls money from banks means they give you a grace amount for under $20 purchases, in other words banks are willing to allow you to go in to a small amount of debt for savings accounts. (Because they are sick of the backlash when a person is a dollar short once fees are added on)

I am going to assume there is a broken assumption at the bank where it verified the details, saw the balance was 0, and allowed one of these small debts without trying to charge the actual card. thus never checked the expiry.

This same behavior has happened on one of my local banks a few times now, but never tried it on an expired card. if you wanted to push it, see if it works on a future one.

[Halcyon]

I know that the way paypal pulls money from banks means they give you a grace amount for under $20 purchases, in other words banks are willing to allow you to go in to a small amount of debt for savings accounts. (Because they are sick of the backlash when a person is a dollar short once fees are added on)

I am going to assume there is a broken assumption at the bank where it verified the details, saw the balance was 0, and allowed one of these small debts without trying to charge the actual card. thus never checked the expiry.

This same behavior has happened on one of my local banks a few times now, but never tried it on an expired card. if you wanted to push it, see if it works on a future one.

If ebay provide an expired date to the banking system, it will just reject payment with a bank response code of "Card has expired", it's a hard and fast rule. The system doesn't just go "Oh, it's expired, but we'll let that one slip through because it's under a certain amount". This is completely different to banks honouring payments if it would cause the bank account go into negative balance.

[Rerouter]

I am making assumptions, up until 5 years ago, there where still some banks where you could send negative amounts to people on the same bank. I am assuming there may be a similar unexpected behavior with yours. an assumption they did not expect.

It could even be something along the lines of the account expiring with a positive balance.

Best way to get an answer would be to probably ring your bank, If it is a broken assumption they would likely want to know about it.

[vltr]

If the account and credit card number have not changed, it is possible that the bank did not validate the expiry date since it had already been shown in the past that you have a business connection with eBay and have authorized them to charge your card. 

[Halcyon]

If the account and credit card number have not changed, it is possible that the bank did not validate the expiry date since it had already been shown in the past that you have a business connection with eBay and have authorized them to charge your card.

I'll have to check that, but then what on earth is the point of expiry dates? I've posed the question to ebay directly, but I'll call my bank tomorrow and ask them to check the logs to see how the payment was honoured. The online banking system gives me some information (including the specific card number) but not the expiry that was used.

As far as I know, credit or debit transactions using a card number had to be accompanied by a valid expiry date otherwise the system doesn't honour payment. It's kind of a universal thing.

[eyiz]

As far as I know, credit or debit transactions using a card number had to be accompanied by a valid expiry date otherwise the system doesn't honour payment. It's kind of a universal thing.

They don't need expiry date. Only the card number. The expiry date is requested by merchants so that they can verify that you are the card holder. So, they ask for a number of pieces of info to keep on file to prove that they got that card number from you. Some ask for the 3 or 4 digit secret code at the back of the card too. Some merchants even ask for a photo copy of your driver's license. This is all to be sure it's your card. But, once they know you, only the card number matters. You'd have to change your card number, for them to be unable to make charges on the card. You can always call your bank and tell them you didn't "authorize" that particular payment. Then the bank would "then" ask them for more info. If they couldn't provide the new expiry, then the bank would reverse the charge. But, it's up to you to take the action. If you don't dispute it, the bank will think your previous agreement with the merchant is in tact, and the fact that there's a new expiry doesn't matter.

[hendorog]

IIRC credit card numbers change when the card is renewed, but at the bank all those numbers refer back to one 'base' number for that card.

So once they have the number they have the number...

[Halcyon]

IIRC credit card numbers change when the card is renewed, but at the bank all those numbers refer back to one 'base' number for that card.

So once they have the number they have the number...

My card number remains the same unless I either request a new card (before the expiry date of the current one), which I have had to do once because the card itself was physically wearing out and about to split into two or if I report a lost/stolen card. Only the CVV on the back and the expiry date changes when they send you a new card (every few years or so).

[hendorog]

IIRC credit card numbers change when the card is renewed, but at the bank all those numbers refer back to one 'base' number for that card.

So once they have the number they have the number...

My card number remains the same unless I either request a new card (before the expiry date of the current one), which I have had to do once because the card itself was physically wearing out and about to split into two or if I report a lost/stolen card. Only the CVV on the back and the expiry date changes when they send you a new card (every few years or so).

Yeah you are right, I think the situation I was referring to happened when I got a replacement card. The bank continues to use the base number and the replacement card with the new number is associated to the old base number.

[jh15]

How about an inactivated card being charged?

My wife and I use separate charge accounts to keep track of (or an eye on) things.

We have an LL Bean card a Maine store, visa I think, and we got charged 7K USD or so last month for airline tickets and other stuff.

This card was in my 'the husband" number and name, and in a drawer, never activated.

Wife spent an hour rectifying the problem. (not sure if full wave, bridge, etc).

Next bill we get more stuff. How do the bad guys charge on a non activated card?

[Brumby]

I was notified of my last bill as normal via e-mail, but when I went to pay it, it seems they have already debited my credit card and the payment succeeded. What the!? I haven't given them the new expiry date, so where are they pulling this information from? I checked my account section, there is only the expired card listed and it's not coming from my Paypal account either.

Are they just incrementing the expiry year automatically in the hope that one of them is accepted? How is this legal?

I worked for a bank when they introduced their own card.  I worked on that specific project, actually.  I learned some things about how the banks work - in practice.

All I will say is ... call your bank and ask them.

[Bud]

This card was in my 'the husband" number and name, and in a drawer, never activated.

Wife spent an hour rectifying the problem

How come your bank allowed your wife to make changes to your account? In Canada they even won't speak with anyone other than the account holder. I think you should be worried your wife has access to your account .

[eyiz]

IIRC credit card numbers change when the card is renewed, but at the bank all those numbers refer back to one 'base' number for that card.

So once they have the number they have the number...

I gave up all my credit cards years ago, for just that reason. I use only debit cards online today. They work almost exactly like credit cards, with one major exception. I have complete control over the credit line. No one can charge my card without my permission. I have to explicitly authorize the purchase by "funding" my card, before I buy. I typically keep a very low balance in the account, to prevent unauthorized transactions. Even so, there have been instances where unauthorized charges were attempted on the card. One time the unauthorized transaction succeeded, in debiting some small amount like $13 from the card. When I called my bank to dispute that transaction, they then informed me that there were a whole series of failed transactions just before that one. It seems someone tried to charge a few thousand dollars, then when that failed, they lowered the amount and tried again, and this went on for several transaction attempts until they got through with $13, which was close to what I had in the account at the time. The fact that they were "seeking" to find an amount that they could charge on the card itself, indicated fraud. So, the bank immediately reversed the charges, and issued me with a new card, with new number.

I discovered years ago, that some unscrupulous merchants would use their customer credit cards as a way to get a "quick loan" to fund their ongoing operations. This seemed to be a standard practice in internet service businesses. The first time this happened to me, was when I subscribed to an internet provider for dial-up "bronze" service, and some time later found my recurring monthly fees were "automatically" increased to "platinum member." At that time, I wasn't accustomed to getting unauthorized charges on my credit cards, so I used to just pay my credit card balance off every month without checking the items in detail. It was a few months before I found this out, and then it took another 6 months fighting with them, and my card company to get back my money. I figured that if they did this with their entire customer base, and claimed "computer error" they'd effectively get something like a 6 month loan or more, and some customers might not even notice.

After this type of thing became more common, I started to watch my monthly statements like a hawk. Today, with online access to card accounts, I watch the balance and transactions several times a month. The last time when that unauthorized charge of $13  appeared in my account, I caught it within 2 days, and reported it immediately. So, they can try it with debit cards too, but the way the debit card works, gives the card holder much more protection from unauthorized charges than credit cards.

With a credit card, the VISA or Mastercard extends credit to the card holder, and so the card holder has no control over who can charge that card, he then has to fight to get his money back, which takes time. With debit card, that problem goes away, for the most part, by judiciously increasing or decreasing the actual credit line available through funding and de-funding the card account on an "as needed" basis. So, even if the card details are stolen, it's still much harder for the unauthorized transactions to succeed.

Since I switched to debit cards, I have only had 1 unauthorized charge appear in the last 6 years. Previously, with my credit cards, every year I'd be disputing 2 or 3 unknown transactions that magically appeared on my card. So, I'd say things are much improved since I switched to PayPal and Debit Cards for all online purchases.

[rbm]

They don't need expiry date. Only the card number. The expiry date is requested by merchants so that they can verify that you are the card holder. So, they ask for a number of pieces of info to keep on file to prove that they got that card number from you. Some ask for the 3 or 4 digit secret code at the back of the card too. Some merchants even ask for a photo copy of your driver's license. This is all to be sure it's your card. But, once they know you, only the card number matters.

Some of this statement is correct and some not.
- merchant has the burden of validating the identity of the cardholder for card not present (CNP) transactions to reduce the risk of fraud for which they will be liable. 
- tools are provided by card issuers and  brands to help the merchant - expiry date, cardholder name, and card verification value are some of the information the issuers offer on the card to the merchant to use to validate the identity. Verified by Visa and MasterCard SecureCode are additional tools for doing fraud mitigation by the merchant.
- merchants may go further and ask for government issued photo identification for performing address verification
- the cardholder has to explicitly allow recurring transactions to occur and the agreement is valid until explicitly cancelled by either party in writing
- a merchant is required to only provide the card number on subsequent transactions for recurring CNP transactions
- the merchant must provide all mandatory fields on an authorization if the transaction is not registered as recurring.  They cannot just provide the account number if the authorization is one-time.

So, for the OP, if they did not write a letter to Ebay to cancel their authorization for recurring payments associated with their expired CC and they retained the same account number through subsequent card issuances, then the Ebay charge will succeed and the OP will have no grounds for dispute.  Ebay will provide a copy of the agreement and proof of continued association with the Ebay member as evidence for the chargeback.

You'd have to change your card number, for them to be unable to make charges on the card. You can always call your bank and tell them you didn't "authorize" that particular payment. Then the bank would "then" ask them for more info. If they couldn't provide the new expiry, then the bank would reverse the charge. But, it's up to you to take the action. If you don't dispute it, the bank will think your previous agreement with the merchant is in tact, and the fact that there's a new expiry doesn't matter.

True about changing the number.
- the cardholder can dispute the charge and the issuer creates a chargeback where the merchant has to provide proof to support the explicit authorization by the cardholder for the transaction.  This would be a copy of the agreement.
- if the card was reissued to the cardholder during the term of the agreement, subsequent charges to the account would succeed despite the updated expiry date.  It's valid so long as the cardholder's explicit authorization is still valid and the merchant can prove it.
- if the cardholder cancels the old card and gets a new card, then subsequent authorization attempts by the merchant against the old account number will result in a failed authorization.  It is impossible to authorize payment against a cancelled account.

[rbm]

... So, they can try it with debit cards too, but the way the debit card works, gives the card holder much more protection from unauthorized charges than credit cards.

With a credit card, the VISA or Mastercard extends credit to the card holder, and so the card holder has no control over who can charge that card, he then has to fight to get his money back, which takes time. With debit card, that problem goes away, for the most part, by judiciously increasing or decreasing the actual credit line available through funding and de-funding the card account on an "as needed" basis. So, even if the card details are stolen, it's still much harder for the unauthorized transactions to succeed.

You're forgetting one key distinction between credit and debit transactions.  With fraudulent credit card transactions, the cardholder's liability for non-EMV transactions is limited to the first $50.00 of any fraudulent transaction.  For tap transactions, the cardholder's liability is limited to $100 or whatever the floor limit set by the issuer.  The burden of the liability of the fraud is on the merchant for non-EMV.   For debit card and EMV credit card transactions, the cardholder is fully liable for fraudulent transactions.  The debit cardholder bears the burden of proving that it was not them who authorized the transaction when disputing a fraudulent charge.  So, if you actually get a fraudulent transaction on your bank account, you will have the job of proving that you didn't actually do it - which is not an easy task if you lack evidence.  In the case of that $13 fraudulent transaction, the good will of the Bank kicked in and they ate that money because they want to keep you as a customer.  If a fraudster captured your debit account number and PIN and cleaned out your bank account from an ATM, you would see a completely different response from the Bank if you tried to dispute the transaction.

[eyiz]

If a fraudster captured your debit account number and PIN and cleaned out your bank account from an ATM, you would see a completely different response from the Bank if you tried to dispute the transaction.

This is a different kind of debit card. There are several varieties in existence. The debit card isn't linked to any Bank account. It usually has no money on it. When you fund it, of course, if someone steals your physical card, and knows your pin, then perhaps, they can withdraw the daily limit. The card, however, has a cash withdrawal limit much below the spend limit. So, they wouldn't get much cash. They'd have to spend that money to make a purchase. But, they'd also have to have info on what is on balance, since they wouldn't know these things, they'd make a few failed transactions before they could get one to succeed. And there, they would create a "pattern" of searching for the balance, which the computer algorithms would immediately flag, and that would be evidence, which is what was used in my case to validate my side of the disputed transactions.

A regular bank debit card is a completely different thing, with no security at all. Also, there are Visa and Mastercard debit cards that you can buy that have no protections, they are essentially like cash. But, there are others that operate almost the same as credit cards, with the usual buyer protections, but just without credit line being extended to the card holder. This latter is the best card to get.

[xrunner]

Want to generate a "for this specific merchant only" "card number" and maybe choose to "save" that on your account with that merchant?  OK.

My bank lets customers do that, I do it all the time for internet merchants. It's called Shop Safe. It generates a credit card number with an expiration date you select and a max charge you select. Then once you use it for a particular merchant it's locked to that merchant. Period. If that number is stolen from them it cannot be used anywhere else. I think it's pretty cool.

[CatalinaWOW]

I have had credit cards on file with a number of businesses.  Laundries, telephone, cable and internet services.  I limit my risk by reserving one card for these transactions and using it only for those.  Over the years this card has passed expiration date a few times, and the same behavior seems to happen each time.  The first couple of months the business gets its money.  The charge comes through to me on the monthly bill with no comment from the credit company.  Whether they had to jump through hoops or not is not known to me.  Eventually however they stop getting their money and they contact me to update the expiration date. 

From this I conclude that a card past expiration can be charged some limited number of times, but there is a limit and the credit company will no longer honor it.

[Halcyon]

Just to clarify, the card that was debited is not a credit card, it's a Visa debit card. There is no credit facility on it, but it behaves just like a credit card, only the amount is drawn directly from my savings account.

I spoke with the bank, then are unsure how this could have proceeded without giving them the correct expiry date. The person I spoke to did acknowledge though there might be some kind of "minuscule floor limit" which would allow small amounts to process anyway but she wasn't 100% certain.

I'm making further enquiries with ebay as so far I've just got a generic response from them.

The point I'm making isn't so much where the money came from, it's just that as far as I'm concerned when I entered the automatic fee payment details into their system, I essentially entered into a "contract" with them up until the time the card details I supplied expired. I just don't think it's good enough that they can just continue to take money with whatever means they feel like. If I choose not to update my card details for whatever reason, that should be my choice as a consumer.

[eyiz]

Just to clarify, the card that was debited is not a credit card, it's a Visa debit card. There is no credit facility on it, but it behaves just like a credit card, only the amount is drawn directly from my savings account.

I have a Mastercard Debit Card. It has that option to link a bank account. In which case, money would be withdrawn automatically, and instantly, when spending on the card. However, it's at a different bank than my normal bank, so in order to link a regular bank account to the card I'd have to open a bank account at the same bank that issued the Mastercard. Since I don't have a bank account at that bank, I can't link to the Mastercard. I have to actually send money from my regular bank to the Mastercard account, using interbank transfer, which can take 2 to 4 days.  So, there's no way anyone can use my Mastercard to access any money that I haven't actually put onto the card, through this indirect funding. This protects my savings and checking accounts from being accessed through the Credit Card links. All transactions have to be initiated by me.

[blacksheeplogic]

They don't need expiry date. Only the card number. The expiry date is requested by merchants so that they can verify that you are the card holder. So, they ask for a number of pieces of info to keep on file to prove that they got that card number from you. Some ask for the 3 or 4 digit secret code at the back of the card too.

The 3/4 digit code on the back of the card cannot be retained.

[eyiz]

The 3/4 digit code on the back of the card cannot be retained.

That may be a rule. But, not every merchant follows it.

For example, to order JBC tools from Janelonline, if you're outside the US, they ask for a photo or scan of the front and back of your card, which they keep as proof that the card holder placed the order through them. So, they keep every detail that can be seen on that card. Probably the only detail they don't get, is the "holographic pic" that is included on some cards, which can't be scanned. So, maybe it's a rule for US citizens, but international customers don't enjoy the same benefits.

[Iwanushka]

Looks like issuing new card with same CC number is bad idea, in my country when card expires it gets banned and you receive new card with different CC number, it's quite annoying to re-enter CC number everywhere but atleast no one can charge old card.

[blacksheeplogic]

The 3/4 digit code on the back of the card cannot be retained.

That may be a rule. But, not every merchant follows it.

Part of the PCI audit requires demonstrating that you don't store these.