Credit card charged months later

Hi

Having rented a car last summer, I was surprised to receive a letter from Avis saying they would be charging me an admin fee for providing details to the Italian authorities over a parking ticket I'd supposedly incurred. I hadn't actually received any parking ticket nor were there any details from Avis about the incident, just a form letter.

Based on this advice from Citizens Advice (citizensadvice.org.uk debt-and-money banking stopping-a-future-payment-on-your-debit-or-credit-card), I contacted my credit card company and asked them to cancel any ongoing payment authority. The first person I spoke to, although trying to be helpful, clearly had no idea what I was on about, so I politely asked to speak to a supervisor. I think that guy (his English wasn't terrific) agreed to do what I asked, so I was surprised to see the payment had still been taken, on my next statement, for ~ £40.

It's not really a massive deal (if the parking ticket eventually gets to me then I guess I'm bang to rights for the admin fee, regardless of whether the authorities followed the procedure or not), but this raises several questions for me:

1. Can the rental company really just take money from my credit card months after the transaction? Is that for an indefinite period?
2. Presumably they are storing my card number + CVV in plaintext - which could easily be leaked. (I work in this area, see the Sony PSN leak). Can I request a deletion under GDPR?
3. Should my credit card company have blocked the payment at my request?
4. Assuming it was an administrative mistake, which might happen again, how can I be 10% sure that I won't lose more money in future? Do I have to cancel the card?

Actually it reminds me of a similar story with Amazon Prime, that I never wanted but was being charged for. In that case they refunded and apologised but I still wonder why most companies/websites make you re-enter the CVV every time.

Cheers for any advice.

Comments

  • DoaM
    DoaM Posts: 11,863 Forumite
    edited 31 January 2019 at 2:10PM
    1. ISTR that for any charges to be applied 6+ months after the contract concluded (i.e. you returned the vehicle) then they must notify you at least 14 (or is it 30?) days prior. Avis sent you a letter - how long before the charge was applied was the letter received?

    2. The CVV isn't necessarily needed for an additional charge related to the same contractual event.

    3. It depends - some will, some won't. This wasn't necessarily a continuous payment authority.

    4. Cancelling a card doesn't cancel the account (unless you cancel the account at the same time).
  • winjaninja
    So the parking ticket is supposedly 5th August, the letter from Avis was 4th December (I suspect it might have been pre-dated because I didn't call the cc company until 14th) and the payment was taken on the 19th.
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    winjaninja wrote: »
    2. Presumably they are storing my card number + CVV in plaintext .


    I'm interested how you come to the conclusion :huh:
  • winjaninja
    Well, if they are able to use the cc number again, they can encrypt it but have to keep the key around so they can decrypt it later. Reversible or 2 way encryption. That's not a very good idea because the key is hard to secure, plus they can only really use the same key for the entire store.

    So, we tend to refer to data under reversible encryption as being plaintext, even if it's actually encoded, because it's a safe assumption that it's not going to be too hard to decrypt. In fact assuming the decryption is done in the presentation or business layer, it's likely unencrypted at the endpoint.

    We're 100% not allowed to store cc details where we work because we don't want to get into **** if (probably when) our db gets compromised. We do do encryption-at-rest and at-transit but it's not worth much if the system is compromised. Apparently Aviva are stupid enough to risk the bad publicity so they can nick money off people without an invoice.

    But yeah technically you're right, it's probably encrypted to some level.
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    winjaninja wrote: »
    Well, if they are able to use the cc number again, they can encrypt it but have to keep the key around so they can decrypt it later. Reversible or 2 way encryption. That's not a very good idea because the key is hard to secure, plus they can only really use the same key for the entire store.

    So, we tend to refer to data under reversible encryption as being plaintext, even if it's actually encoded, because it's a safe assumption that it's not going to be too hard to decrypt. In fact assuming the decryption is done in the presentation or business layer, it's likely unencrypted at the endpoint.

    We're 100% not allowed to store cc details where we work because we don't want to get into **** if (probably when) our db gets compromised. We do do encryption-at-rest and at-transit but it's not worth much if the system is compromised. Apparently Aviva are stupid enough to risk the bad publicity so they can nick money off people without an invoice.

    But yeah technically you're right, it's probably encrypted to some level.


    Pretty much every word of that is wrong :rotfl:
  • winjaninja
    winjaninja Posts: 13 Forumite
    edited 1 February 2019 at 7:06PM
    Go on then... enlighten me!

    Maybe they get a token from the cc provider that has a certain lifespan. Which could be revoked.

    That's basically what I'm trying to find out.
  • Ectophile
    Ectophile Posts: 7,335 Forumite
    Retailers are not supposed to store the CVV at all. It should be used to confirm a payment, then discarded.


    But there is no requirement to use a CVV when taking a payment from a card. Merchants may use it, if they wish, as evidence that the person that they are dealing with has the card in their possession.
    If it sticks, force it.
    If it breaks, well it wasn't working right anyway.
  • mattcook7888
    Tell your credit card provider to block the merchant for your CC. But I don't know what will happen if you want their service in future (may be reactive?).
  • Keep_pedalling
    Keep_pedalling Posts: 16,636 Forumite
    This is fairly standard across all car hire agreements. Avis T&Cs tell you you will be charged between 25-45 Euros admin fee and you agreed to that when you signed the rental agreement. If you don’t actually get anything from the Italian authorities then I would challenge it, but that is more likely to be down to the rubbish Italian postal service than anything, and as long as Avis have received a request from the relevant authorities then the charge is valid.
This discussion has been closed.