It's Impossible To Cancel Arcot's SecureCode On Your Mastercard

Be wary of Arcot, a credit card security company that’s devoid of customer service.
 
Nels had to sign up for Arcot’s SecureCode to complete an online purchase. Now he wants to cancel it, but can’t find anyone at Arcot who can help him. The web pages he’s sent to are dead ends, and he left messages with Arcot’s executives that were never returned.



I purchased Portishead’s album Third on Monday morning. It was an international purchase, so WorldPay.com enabled the credit card transaction. After I entered my credit card and billing info, I was redirected to a Web page hosted at arcot.com. To my surprise, a second form once again requesting my credit card info was presented to me.
 
Since I already entered my information once, I read this new page carefully. The page was a sign-up form for a fraud protection service called SecureCode. A small link indicating terms and conditions opened a pop-up page with two paragraphs, the second of which was entitled “Terms and Conditions” but the entire body of the paragraph was just the sentence, “Your financial institution will provide the terms and conditions for this service.” repeated 6 times.
 
It is sufficient to say that I did not want this service, but wound up being forced to re-enter my credit card info because WorldPay.com would not let me complete the transaction until I completed the enrollment form. I got my receipt for the purchase, and immediately began to investigate how to cancel my enrollment with this service.
 
Searching high and low for a contact e-mail address on mastercard.com, I found only a 1-800 number. Calling that number, I spoke with a support rep who knew nothing about WorldPay.com or the SecureCode service, so I demanded to speak with someone who did. I was eventually informed that SecureCode is a voluntary free service provided by Arcot Systems, and that I would have to cancel my enrollment at the financial-institution-specific portal on arcot.com. Going to http://www.mastercard.com/securecode, I was able to search for my financial institution’s portal and found this site:
 
https://secure2.arcot.com/vpas/usaa_sc/enroll/index.jsp?locale=en_US&bankid=1461
 
This page simply did not allow me to cancel my enrollment. So, I decided to try to get someone at Arcot Systems to help me. I called their contact numbers that I found on their Web site and for the next 5 hours I spoke with several people, including a tech on his BlackBerry who was on-call for their Web systems on his way into work in Sunnyvale, California, and a sales person who claimed that he was “the top of the food-chain” at Arcot Systems and who eventually hung up on me. After explaining my situation 8 times, and asking each person to cancel my enrollment with SecureCode, I was told flat out, “we can’t do that” 6 times, and hung up on twice.
 
All in all, I spoke with 8 people, left 3 voice-mails, sent 5 e-mails, received 3 e-mails, and also spoke with the secretary of the CEO of Arcot Systems, Ram Varadarajan, and asked her to set up an appointment to have Mr. Varadarajan call me to discuss why I am unable to cancel my enrollment with SecureCode. He never called me back.
 
What can I do? Do you have any advice for me? Can I file a civil suit and demand that Arcot Systems eliminate my information from their records? Can I file a restraining order? I need help.

Okay, first we want to stress that you should never fill in a form with your credit card info just because you’re impatient and want to complete a transaction. But clearly you’re already dealing with the consequences of that impulsive data-entry moment, so we’ll move on.
 
Have you tried revisiting the site where you purchased the album, to see if the SecureCode service was offered through the merchant instead of the card issuer?
 
You could also call your bank and explain the situation, and ask them to either cancel the membership for you or issue you a new card.
 
And the next time you shop online, consider generating a single-use card number from PayPal or your own bank if they offer it.
 
RELATED
“Shop Online Safely With Temporary Credit Cards”
(Photo: Getty)

Comments

Edit Your Comment

  1. cwlodarczyk says:

    I think that this is one of very few instances that I’ve seen here where the consumer really is to blame.

    As I read through the article I was like “Really? You did WHAT?”

    I suppose that’s neither here nor there though. On a questionable international transaction like this one I would be on the phone with the card issuing bank to cancel the card and issue one with a new number.

  2. Imafish says:

    I would be on the phone with the card issuing bank to cancel the card and issue one with a new number.

    Agreed.

  3. fluiddruid says:

    Whether or not the consumer acted impulsively, this company is acting unethically and I’m glad The Consumerist called them out.

  4. Juggernaut says:

    It’s understandable that people get caught up sometimes but this just seems to be the height of idiocy to me.

  5. Nissan288 says:

    I think the first mistake he made was buying that album…

  6. qwickone says:

    @cwlodarczyk: I would have just used a disposable number. Don’t most CC’s have that now?

  7. AstroPig7 says:

    Wait a minute, Third won’t be released until 04-28. Was this a pre-order? If not, I would question the integrity of the site that it was purchased from.

  8. I hate online stores that have popups after you make a purchase tricking the customer into thinking its part of the purchase, when in reality it’s a third party company (webloyalty, reservation rewards, etc). I know well enough what’s part of my purchase and what’s BS, but my mom and aunt fell for these quite a bit.

  9. ahodes says:

    SecureCode is pretty much the same thing as Verified by Visa from my understanding. While I agree that you should be able to remove it from your card, this isn’t exactly some horrendous 3rd party service that you’re being billed for every month.

    Nonetheless, if the consumer didn’t want it, they shouldn’t have signed up in the first place, especially if they didn’t understand what it was.

  10. nrwfos says:

    Certainly the buyer should have re-considered his purchase when this trap presented itself. But now that it’s happened he should go to his card issuer with the purpose of getting a new number and also to request information from them about the situation and how to rectify it should it happen again. Couldn’t he have just gone to a retailer like Borders and “ordered” the CD or whatever through them? Sounds like the extra he might have paid for that would be worth it in this case. That would have been my move. Whenever a case like this comes up for me – I back away very quickly.

  11. kitf0x says:

    Ahodes is correct, it is exactly like Verified by Visa and the MasterCard version though it is slipping me at the moment. Arcot was actually actively involved with the development of those security technologies (along with RSA Security). This consumer shouldn’t have anything to fear from being in this and I am not surprised it is hard to undo as it is very similar to enhanced security from your online banking and required by a lot of merchants and card issuers for online activity. Which version you see when you create this extra step of authentication for your card depends on the card issuer and the merchants being signed up for that flavor of Verified by Visa.

  12. tande says:

    @AstroPig7: That was going to be my comment. I know at one point it was going to be released this monday but they moved it back.

    This requires more investigation.

  13. nelsnelson says:

    @cwlodarczyk: Yes, I am an idiot. No really, I’m usually very careful about stuff like this. I don’t know what I was thinking.

    @Imafish: Thanks! I hadn’t thought of that. I just canceled it.

    @AstroPig7: I bought the boxed set from Portishead’s official Web site.

  14. Worldpay? Shady.
    SecureCode? Not shady. It’s a fraud-protection measure. It offers the merchant more protection against fraud-related chargebacks.

  15. Whenever I buy anything online I always us a “Virtual Card Number” that my credit card provides. That way I’m never giving them my actual card number and if someone does get ahold of it, they can’t do anything with it.

  16. Buran says:

    @cwlodarczyk: I think that’s beside the point. The point is, the guy can’t cancel a service he no longer wants. Why that is or why he enrolled isn’t within the purview of the complaint.

  17. hotwire does something like this too. and there’s no obvious way to get past the “securecode” (or whatever it’s called) entry page. and you can’t get past it without entering a valid cc number. it’s very frustrating.

  18. sketchy says:

    @Michael Belisle: It does what now?

    Why do they need MY CC# to do that? I already agreed to pay all charges made on my card (within the bounds of my original CC Agreement / TOS).

    That sounds like merchants needing to renegotiate their agreements with CC companies if they are having fraud trouble, not sign me up for their protection.

  19. JayDeEm says:

    @discounteggroll: I hate online stores that have popups after you make a purchase…

    That’s a good way to ensure that I will never shop at that site again. Especially if said pop-up starts talking and telling me that I’ve won something.

  20. @sketchy: My point is that it’s an official program that MasterCard and Visa support. Asking to cancel it is like asking to disable your PIN (which may be possible, but it isn’t very effective) It’s an additional layer of protection when purchasing online.

    The problem with the program is that’s misunderstood and/or poorly implemented.

  21. scarlet81 says:

    As some one that works for a company that works with SecureCode, (no, I don’t work for Arcot) I can try to shed a little light on your problem… To my knowledge, you will have to contact your credit card issuing bank to cancel this service. (Although, if you regularly make purchases with international companies, I wouldn’t recommend that, as SecureCode is mandated in certain areas for certain cards. You may just end up having to sign up for the program again. Or not make the purchase… obviously your decision to make.) Arcot really will have nothing to do with your individual information, they work to provide the SecureCode service to the merchant that you made the purchase from. Not that that excuses their poor customer service in anyway! Some one with the company should have politely explained to you what they do and given you any information they had to help you out. Stories like these frustrate me, as I do believe that authentication programs like VbV and MCSC are helpful to merchants and consumers alike when it comes to fraud protections. Unfortunately, the services are either misunderstood, poorly promoted, and not implemented well in some cases.

  22. kbarrett says:

    @pepe the king prawn: There is a way to get past the page.

    Hit the contact link, and call the vendor. Either complete the transaction by phone, or tell the vendor you are offended by the third party request, and refuse to do business unless it is removed.

  23. @kbarrett: The “third-party” is essentially your bank. Another way to think of it is a virtual signature. You give your SecureCode to your bank; your bank tells the merchant “Yup, it’s the cardholder. Go ahead.”

  24. snoopig says:

    I have been browsing this site for just over a month now and didnt find the urge to respond to an article till now. I am aware of Verified By Visa and I believe SecureCode is a similar program offered by Mastercard.

    I was initially a bit of a skeptic myself when my bank decided to roll this out as a mandate for all online purchases. I had to do a lot of reading on both Mastercard and Visa before I made a decision to make an online transaction – imagine that! And imagine being paranoid!

    But since then I have been an avid shopper online. My wife uses my credit card extensively online. I have no fear as my credentials are secure and but for my wife and myself no one else knows the answers to my security question. WE have been successfully shooping online for over 3 year now.

    This is a good program from what I see. Pretty non intrusive. I recommend that if you bank offers this server that one should go and sign up (if it is not mandated already).

    As far as this problem goes – I believe you should be able to talk to the bank and easily remove you from the program. However I strongly urge you not to. My 2 cents …

  25. Have you tried revisiting the site where you purchased the album, to see if the SecureCode service was offered through the merchant instead of the card issuer?

    To summarize my point and answer this question, the answer is both. According to Arcot’s information, there are two necessary components (“TransFort for Issuers” and “TransFort for Merchants”) that talk to each other:

    1) You buy something at the merchant
    2) The merchant contacts your bank
    3) The bank pops up a window
    3) You authenticate to your bank (thus preventing the merchant from ever knowing your SecureCode)
    4) The bank tells the merchant everything’s OK

    The whole verification exchange is facilitated by Arcot and how it works beyond that is probably a trade secret (but Wikipedia has some details on the protocol).

    You’re right that he should contact his bank. And kbarrett is right that he should contact the merchant. Arcot just operates the backend that processes the virtual paperwork, which means they can do nothing.

    And we can blame MasterCard and Visa for failing to communicate the service properly.

  26. VermilionSparrow says:

    @kbarrett: Seconding Michael Belisle on this one. I helped write training materials at a credit card processor/acquirer once upon a time, and SecureCode is basically the same thing as Verified by Visa. It’s a security feature for identity verification. Asking the vendor to remove it won’t do any good, because including it more than likely gets them a discount on their processing fees, due to the reduced fraud risk it provides.

  27. harshmellow says:

    @VermilionSparrow: You are correct. Both MasterCard SecureCode and Verified by Visa are security features. I struggled with Verified by Visa the first time I was presented with it (after I made a purchase at an online store–then they forced me to enter the VbV password, which I had never set up to begin with. Because I hadn’t yet signed up for VbV, I could not complete the transaction at the store!).

    The issuing bank was not familiar with VbV, so they couldn’t help me. I had to sign up for VbV because more and more of the online stores I use require it.

    There is no way around it other than canceling your transaction (after you thought it was completed!) and finding another store to do business with.

    Personally, I think it is a good thing, but I didn’t like the way I was introduced to it. This is something everyone will be forced to deal with eventually, and ultimately, I don’t think it is a bad thing. Now I’m used to it.

    The only way to get around it is to shop elsewhere. Eventually, all online retailers will be using Verified by Visa and SecureCode, I suspect…

  28. inetdog says:

    @sketchy:
    You agree to pay all the charges made on your card BY YOU. If someone uses your card number fraudulently, I know that you won’t pay for it, so either the merchant or your bank will end up losing.
    Verified by Visa and SecureCode offer financial protection to the merchant and to the bank, and incidentally offer some peace of mind to the cardholder.

    If a merchant signs up for VbV, the bank promises to check the identity of the person using the card number, and in return agrees not to hold the merchant responsible for any fraudulent charges.

    @fluiddruid:
    Looking at it from a different angle, if someone called your bank on the phone and asked to cancel your credit card, would you expect them to do it without some sort of verification? I think Arcot is probably caught in the middle with no way to verify who Nels is. I would ask my bank to take care of it, since I can prove to my bank who I am!

    And I would agree that if nobody at the bank (at least nobody who will talk to me) knows what is going on, it is a black mark against the bank. But I suspect that it is pretty common nevertheless.

  29. Ciao_Bambina says:

    I do quite a bit of online purchasing and have been running into Verified by Visa more and more lately. They seem to have done a pretty lousy job of promoting their program.

    The first time I saw it was near the end of a transaction that I really needed to complete for business reasons. I was immediately wary. Fortunately, my credit union/credit card issuer has great customer service and I was able to get hold of someone knowledgeable immediately who explained what VbV was and reassured me. And apparently they did send something in the paper statements, but I do everything online and never saw it.

    Anyway, yeah, I’m with harshmellow, I didn’t like the way the whole thing was sprung on me out of the blue, but I do appreciate the additional layer of security.

  30. kbarrett says:

    @Michael Belisle: If such crap was a requirement by the bank, I would have ab even simpler solution … shred the card.

    I use an REI Visa card ( USNB ) for day to day stuff, and pay the card balance off. I do not use a debit card for my credit union account …. I go through none of this crap.

    I a bank or vendor hit me with this, I would lose them both … their are plenty of competitors out there.

  31. kbarrett says:

    their=there, ab=an, I=If.

    I need to slow down ….

  32. witz says:

    @scarlet81: as I work on SecureCode I appreciate all the correct info here from scarlet and others. Clearly the customer would have been better served if he had called the issuer of the card first to understand how to cancel the service. Still the Arcot folks could have given him that same advice yet he never mentions caling them! Unfortunately issuers do not want to spent a lot of money alerting cardholders to new services– if they are free and not revenue generating. The screens for this application clearly should have been improved to list the enrollment url or an issuer phone number for help.

    Millions of cardholders are having a much better experience with SecureCode; I hope others will give it a try for the extra level of security.

  33. To cancel, Nels needs to click Account Assistant after going to USAA’s SecureCode page and log in with the code he set up. He was just one click away from a solution. (Or three if he had checked the FAQ first.)

    @kbarrett: Don’t worry, next time you’re puchasing Portishead’s new album on WorldPay, you too can sign up for Verified by Visa: http://www.usbank.com/verified/.

    @witz: According to the live ticker at arcot.com, there are in fact 18,346,571 presumably satisfied customers as of this message.

  34. Anonymous says:

    After a purchase from newegg.com, I was presented with a form this “service” which claimed that the transaction would not go through without it. I’d read some pretty nasty stuff about it, so I did some more research on it, including calling my CC provider. In the time I was doing that, the transaction appeared on my CC statement. Maybe it’s just with newegg, but it seems to be able to be ignored as long as you don’t sign up for it in the first place.

  35. Anonymous says:

    Yup, just purchased a scanner on newegg. I had never heard of verified by visa, and when it popped up I first looked at the url and grew immediately wary as I had never heard of ascot.com. I exited the page and started researching ascot.com and got 2 emails from newegg saying that my payment was accepted and my order was placed. Looks like it’s not needed to make a purchase at newegg, even though they try to make you sign up for it!