Consumerist reader Rob recently got a call from Bank of America that someone appeared to be trying to use his debit card number fraudulently. Luckily, the scammer hadn’t managed to successfully charge anything to his account, but BofA did have to cancel the existing card and issue him a new one.
He received the new debit card yesterday and went about updating account info with companies like Netflix and Amazon. But when he went to the website for XM Radio, he was shocked to see that his new card number had already been entered into the system.
Rob contacted BofA and could not get a straight answer from anyone in customer service. He eventually talked to someone claiming to be a supervisor who said that maybe because XM was a recurring payment, that BofA had approved a payment. Thing is, it’s still a couple of weeks until his next scheduled payment.
After multiple attempts, he finally found someone at XM who confirmed that the company had gotten his new card number — several days before he’d even received the new card in the mail.
“What good was it for BofA to cancel my card if they were just going to hand out the new number to whoever they feel like giving it to?” asked Rob.
We took that question to Bank of America, where a rep for clarified that this is actually a program run by Visa, called Visa Account Updater, that allows some companies who have recurring payments with Visa cardholders to get the new card info as soon as it’s available.
I contacted Visa to ask what criteria are needed for a merchant to prove that the cardholder is indeed enrolled in recurring payments. I also asked if Visa didn’t expect consumers to be a bit concerned about their new number being handed out before the new card has even been activated.
This is the response I received, in which Visa does its best to avoid properly answering either question:
The Visa Account Updater (VAU) service enables the electronic exchange of updated account information among participating merchants and card issuers, providing cardholders with uninterrupted service when enrolled in recurring bill payments. Issuers decide when to provide merchants with updated account information, either when cardholders activate their new cards or within two business days from the date of the changes. VAU participants must also meet certain qualification requirements, including Visa security requirements for data transmission. In addition, no transactions can occur until cardholders have activated their new cards.
So apparently you shouldn’t worry that Visa is handing out your new number to companies because those companies must meet vague “qualification requirements,” and they can’t do anything with that number until after you’ve activated the card.
Of course, this assumes that the cardholder wasn’t planning on using a completely different card — or on canceling their account with that company.
While we appreciate the idea of a program that allows for continuity between card numbers, we believe that the cardholders should have to opt in to the the program — or at the very least be made aware that this program exists so that they are not suddenly wondering how in heckfire some company got their new card info without the customer telling them about it.