Comment by master_crab
5 days ago
I always wondered about this. Do companies tie the credit card to an identity to block or do they just block the cc number?
If the latter, seems like a small friction point for a consumer. Given how often cc numbers change and how many an (American) consumer has, this won’t block anything unless you are charging back more than once every few months.
It's up to the company, but since many companies don't want to keep card numbers around (and some processors don't let you see the card number anyway), they're probably more likely to block on identity. Maybe flag the IP address of the transaction for "additional screening" on all future transactions, etc.
IPs are notoriously unreliable for identity pinning, particularly in this age of CGNAT.
If they can’t or don’t want cc numbers (makes sense considering how painful PCI guidelines are anyway) does that mean they need to rely on more tools from the processors or user accounts maintained by the merchant themselves?
CC numbers are also bound to get recycled eventually as cards expire and/or get replaced... even if you block a card, it might have a new owner 6 months or so later.
The number space between the first 6 digits (BIN) and the Luhn check digit is 9 digits — that's 1 billion numbers that issuers can give out before a collision happens.
Except the banks have "helpfully" provided a service to merchants to tell them, "this card has expired, here is the new number to charge" (or expiry/CVV).
I remember getting into an argument with a bank teller about me wanting to block/dispute transactions and how they kept approving transactions. "But you have an agreement with the gym..." That's between me and the gym, not for you to facilitate on their behalf.
Obnoxiously that doesn't cover all the edge cases for consumers. Payments from my watch recently started failing with a generic "declined" error. After calling my bank I worked out that my credit card had been replaced some months ago in advance of a recent expiry - I updated my phone wallet at the time, but my watch's wallet didn't give any indication that it was trying to use an expired card.