Following a December glitch at Macys that saw 8,000 customers double- and tripled charged for debit transactions comes word of an eerily similar triple charge glitch at Best Buy this month.
In both cases, the retailers initially painted the problems as isolated incidents. In both cases, the retailers thought initial debit card swipes didn't work and asked the customer to try again, sometimes twice more. And in both cases, the banks removed money from the consumer's bank account equivalent to two and three times the price of the product.
Could these be coincidences? Might they indeed be isolated debit card incidents? Absolutely. But this also might be an initial heads up that the debit card system relied on by major retailers today has inherent flaws. What happened, with both Macys and Best Buy, with software specifically designed to look for and prevent these kinds of multiple identical charges? What about the systems at the card processors and the banks?
The most frightening part about debit card transactions today is that they subject retailers to a debit double whammy. Debit transactions are exponentially more delicate—and more prone to glitching—than their credit card counterparts. At the same time, an error with a debit transaction can deliver an order of magnitude more damage, potentially cleaning out a customer's bank account and causing them to unknowingly bounce checks to everyone they're trying to pay. Few IT glitches has the potential to get a loyal customer in trouble with the police, but debit card glitches have that distinction.
How frightening is it that the transaction type that can inflict the most damage has the weakest failsafe? How weak in fact are those safeguards?
"Everything has to go perfectly on a PIN debit in order for it to work and all the actors have to do their job correctly, from the issuer to the acquirer and any stations in the middle," said payment systems specialist Andy Orrock, COO of On-Line Strategies. "You've got gateways and a regional debit processor. So, for a transaction to go from Best Buy, there were most probably four institutions involved, the acquirer, the acquirer's gateway, the regional debit network and the issuer. All the message exchanges have to happen properly."
Mississippi Debit Burning
It's not clear how many customers were impacted by the Best Buy debit situation, but one Mississippi man provided documentation of a $300 microwave oven that was charged three times, wiping out his bank account and causing quite a few bounced checks and related problems. Best Buy has acknowledged "errors" that caused Jackson, MS, resident Myreon Williams' checking account to slip nearly $1,000 in the red, said Best Buy Spokesperson Jill Nezworski, but the retailer has been unwilling to provide specific details explaining why its payment system allowed the triple charges to take place.
When Williams' debit card was first swiped, the system said he'd exceeded his daily limit but the transaction was apparently approved anyway. The message, which was unrecognized by the cashier, seemed to be little more than an FYI note. One problem was that no receipt was printed, which is what prompted the cashier to conclude the mysterious message meant the transaction had been rejected. According to the customer's bank statement—a copy of which was provided to StorefrontBacktalk--that transaction was sufficiently accepted so that the bank account was debited.
Williams was then asked to re-enter his PIN and to re-swipe his card. The POS then spit out a piece of paper which the cashier kept, Williams said, and the cashier wouldn't let Williams see what it said. He said the cashier told him he needed to call for authorization. Apparently getting the authorization, the cashier asked Williams to swipe the card a third time, according to Williams, who said he was then given a receipt and allowed to leave with the microwave.
The next day, Williams logged onto his online banking page and was shocked to see three charges from Best Buy for $299.59—the exact price of the microwave oven--plus a charge of $300 listed as "931240 POS PRE AUTH CREDIT CARD MERCHANT UNKNOWN US."
"We stand by our original statement and don't want to speculate further," said Best Buy's Nezworski via E-mail. Unfortunately, that original statement doesn't say much: "Best Buy regrets that we inconvenienced our customer with the authorizations on his account. We have systems in place to prevent this from occurring but it does appear that an error occurred. It is very rare that we see this type of difficulty, and you can be assured that we will work with our customer to make this right."Indeed, Best Buy refunded Williams for the extra charges. Williams said the retailer also promised it would send him a $75 check to pay for penalties he was accessed by the bank in the days after the incident because several of his checks, including one for a car payment, bounced.
Best Buy Stands By Its Statement
In an interview conducted before Best Buy decided to merely "stand by" its statement, Nezworski said she thought the cashier's second and third swipes of Williams' card "were incorrect" as a store practice. However, she also said the transaction wasn't allowed to go through until after the store contacted Visa and received an authorization.
Orrock said he could envision several explanations for Williams' experience, and most of those explanations "have to do with error codes being properly translated." Perhaps the acquirer might have received a code from a system in the middle saying the transaction was taking too long and timed out. He said the message that Williams exceeded his daily limit, an unusual message for a POS to see, could have been caused by a mistranslation of the 'response code' as the message is passed back from institution to institution."
As for the systems designed to watch for and prevent these kinds of duplicate charges, those systems are only as effective as the data they are allowed to access. Orrock said, for example, that payment processing systems rarely check product codes to see if the same product is being paid for multiple times. "I build some big POS systems and we are not checking SKUs," Orrock said. "We are not checking product codes. Payment switches are not getting down to that level." He also noted that, if the first attempted transaction was recorded by Best Buy as a denial of some sort, but approved by the issuer, the system would not see a subsequent attempt as being a duplicate because it thought the first one was rejected.
The Best Buy system might have done everything properly but could have been dealing with garbled information from somewhere else in the complex process. "What (codes) the issuer passes back and what ends up at the POS can sometimes be entirely different," Orrock said. "A lot of things have to right for that to work. My 2-digit codes might not be the same as the next guy in the chain. You're dependent on everybody making the right translations."
While not particularly commonplace, Orrock said PIN debit system hiccups are not totally rare, especially when store clerks swipe cards multiple times. "You do see situations like this where, for one reason or another, all the actors involved in the transaction did not discharge their duties properly," Orrock said. "I could concoct a scenario for you that fits what happened to this guy with absolutely no problems evidenced by Best Buy. Best Buy could be totally in the dark, in a good way, about what happened. They would get something back that indicates the transaction was rejected or denied. They get a response code and throw it on screen. In the meantime, behind the scenes, the issuer authorized the transaction."
Orrock urged retailer CIOs to "pay attention" to their systems suspense file. "What ends up happening in debit is, you typically provide the gateway with a list of all the transactions you think you consummated during the day and the gateway is going to match those transactions up. If there are any differences between the file you sent and what the gateway processor thinks they processed online, those items are going to fall out and go to the suspense report. You must pay attention to the items on there, the spurious items."