Is this normal as far as paying for a purchase?

[RingRingRingRingRing]

Hi,

I’m wondering if this is normal—I placed an order with IDJ after talking with Yael on the phone and over email. It’s been a couple of days and I got the following email. Can someone tell me if this is normal when you pay with a credit card? I’m not doubting that IDJ are legit etc. just concerned about sending color copies of both these things to someone who I have not previously emailed with? My credit card company called me the day I ordered this and I okayed it to them and now see it as pending in my account. Thank you for your help!

————

Although funds have already been approved by your bank, additional verification is required to ensure the transaction is authorized by the Card Holder. Your bank is not authorized to divulge any information so we cannot verify your address and identity.

Therefore, we request that you kindly reply to this email with COLOR copies of:

1) Government issued Photo I.D.

2) Both sides of your credit card

We apologize for any inconvenience and appreciate your business.

Sincerely,

Donna
IDJewelry.com Verification Department

 

[yssie]

Reply to an email with photos of credit card and associated ID? Oh h*ll no.

Ask them if they have a secured portal you can upload to.

If they haven’t bothered to set something secure up, and they also aren’t able to take your credit card number by phone, then for me personally that would be the end of my transaction. A vendor who isn’t willing to take appropriate steps to secure extremely sensitive client data is a vendor I’m definitely not interested in giving that data to. Requesting that customers simply reply to emails with these details is NOT appropriate or acceptable.

 

[MamaBear]

I agree. That’s absurd

 

[RingRingRingRingRing]

Reply to an email with photos of credit card and associated ID? Oh h*ll no.

Ask them if they have a secured portal you can upload to.

If they haven’t bothered to set something secure up, and they also aren’t able to take your credit card number by phone, then for me personally that would be the end of my transaction. A vendor who isn’t willing to take appropriate steps to secure extremely sensitive client data is a vendor I’m definitely not interested in giving that data to. Requesting that customers simply reply to emails with these details is NOT appropriate or acceptable.

Thanks — I just wanted to check my gut. Appreciate your reply!

 

[Rfisher]

Didn’t something like this happen with @mrs-b not that long ago?

Not something to initially feel comfortable about - at all -
But I’m sure there’s a way forward for you.

 

[Rfisher]

Found the thread.

We'll sell you a diamond...but first we want to look up your skirt.

There are going to be people who disagree with my take on this. So let me be explicit before I start. THIS IS HOW I FELT. It might not be how you feel. But - gees louise - it sure is how I felt! I've been looking for a well matched pair of pears. I found one pear I loved on Blue Nile - but...

www.pricescope.com

Hope it helps.

 

[Lookinagain]

There is no way I'd send those things if it wasn't through a secure portal. I assumed that if there were credit card fraud and the bank approved the transaction that the merchant would be protected, but I gather that isn't true for online purchases. I found this:

For the ecommerce merchant, this is a card not present (CNP) transaction, meaning that the cardholder is not physically present at the time of the order. Lacking the opportunity to examine the credit card for the merchant, protection is that much more difficult. Without the standard security measures such as checking identification and paying with a chip enabled card, an online transaction is deemed far less secure. Given the riskiness of accepting an online transaction, the liability of accepting a fraudulent transaction rests with the merchant themselves, and not the issuing bank. If a merchant accepts an order online that is later deemed fraudulent, it is the merchant’s responsibility to refund the customer. The cardholder’s issuing bank will collect on behalf of the cardholder.

So I assume that is why they are trying to independently verify your identity, but there is no way I'd sent that info through an unsecure, not encrypted, email. There must be another way?

 

[DejaWiz]

IDJ is trying to cover their bases and protect themselves in an era of rampant identity theft and online fraud.
Are you able to work out a bank to bank wire transfer, as a possible alternate means of payment?

 

[MMtwo]

I've had that happen with merchants with bigger purchases. They just have it on file now.

 

[oncrutchesrightnow]

There’s two issues — the reasonableness of the request, and the information sharing portal. Email is not secure.

 

[lovedogs]

IDJ is trying to cover their bases and protect themselves in an era of rampant identity theft and online fraud.
Are you able to work out a bank to bank wire transfer, as a possible alternate means of payment?

Agreed, but it would really bug me to send this info via email without blacking out at least some numbers in my DL and/or card.

 

[Cerulean]

IDJ is trying to cover their bases and protect themselves in an era of rampant identity theft and online fraud.
Are you able to work out a bank to bank wire transfer, as a possible alternate means of payment?

But they are going about it in the wrong way. Email was not designed with data security in mind. There is encryption software, but the average person is not going to use this. Each account that email is sent to / from, exponentially increases risk.

There are so many secure portals available and alternative payment methods like PayPal that specialize in secure money transactions that there is no excuse for businesses to follow this type of process, as they are actually exposing every one of their clients to fraud risk.

If anyone has ever sent financial or identifying data through email, I’d encourage you to comb through emails and make sure they’re permanently deleted…

 

[RunningwithScissors]

I agree with @Cerulean

Plus, I would think if a vendor is concerned that the buyer being legit and not trying to scam/defraud them, there are other ways to handle it. For example, how about having a wait time between when the buyer pays and when the goods are sent (to let the payment method clear) or asking for payment via bank wire etc. like @DejaWiz suggested.

I understand the vendor's concerns, there are so many scams/scammers out there, but there needs to be a way to handle it that doesn't put the legitimate clients at risk.

And while secure portals are better than emails, they aren't all that secure, a lot can still go wrong. We are human and there's a lot of user error (not to mention not all employees are scrupulous). My husband used to work in the Pentagon and their internal systems were compromised more times than you'd like to imagine.

 

[DejaWiz]

But they are going about it in the wrong way. Email was not designed with data security in mind. There is encryption software, but the average person is not going to use this. Each account that email is sent to / from, exponentially increases risk.

There are so many secure portals available and alternative payment methods like PayPal that specialize in secure money transactions that there is no excuse for businesses to follow this type of process, as they are actually exposing every one of their clients to fraud risk.

If anyone has ever sent financial or identifying data through email, I’d encourage you to comb through emails and make sure they’re permanently deleted…

I know that...which is why I suggested an alternative payment method.

 

[Bron357]

Unfortunately it’s because of fraud.
When you pay by credit card it could be a stolen card or you might be a purchaser who will deny the transaction was yours and do a charge back.
Its a big problem for vendors. Credit card companies have a lot of power, more than vendors.
As a buyer you might say “I won’t do a wire transfer because I might get ripped off”. Totally understandable.
As a vendor when the buyer uses a credit card, they might get ripped off.
Your ID proves it was you who instigated the transaction, your ID with address proves the mailing address and copies of both side of your card proves you actually have the card in your possession.
If your credit card had been stolen or misappropriated by a member of your household you would be happy that there were checks and balances to prevent fraudulent or unauthorised use. Vendors are just covering themselves because of the prevalence of fraud.
Would I want to give out those details myself? No.
But if I’m not in an actual store with my actual card buying an actual item and instead I want to use on line purchasing I have to accept there may be requirements from the vendor if I want to purchase from them.

 

[Wink]

As a buyer you might say “I won’t do a wire transfer because I might get ripped off”. Totally understandable.
As a vendor when the buyer uses a credit card, they might get ripped off.

This is exactly the reason why many vendors offer a substantial wire transfer discount. I always felt that my reputation was at stake if I did not send you what you paid for and it would instantly put me out of business. I declined more credit card charges than I accepted and was always sure I saved my company a lot of money by doing so.

 

[yssie]

But they are going about it in the wrong way. Email was not designed with data security in mind. There is encryption software, but the average person is not going to use this. Each account that email is sent to / from, exponentially increases risk.

There are so many secure portals available and alternative payment methods like PayPal that specialize in secure money transactions that there is no excuse for businesses to follow this type of process, as they are actually exposing every one of their clients to fraud risk.

If anyone has ever sent financial or identifying data through email, I’d encourage you to comb through emails and make sure they’re permanently deleted…

This.

And to add to Cerulean's point, it's not just that initial email itself.

Once they get the email, what will they do?
- Will they download these images to their own computer? If so, is that computer secure?
- Will they relay those images on to some other entity? How is that pipeline secured, how many hands will those images be exchanged through, and who is the ultimate recipient?
- Will they delete the images in a timely fashion? How long will that take, and how do they confirm deletion?

To be clear - I agree that there are two issues: What sensitive details are reasonable to ask for, and what media can sensitive details reasonably be conveyed through. I voice no opinion on the former. On the latter, though, a vendor that hasn't set up some infrastructure through which to request this information in the first place is also a vendor that is not going to be doing due diligence with that information once they've got it.

 

[foxinsox]

I used to travel a bit for work and was surprised to find just how many hotels in NZ do this too. They could never tell me how they ensured my data was being handled and stored safely, who had access to or how they were properly disposing of the copies of my card and ID they insisted on taking.
And every single time, they acted like I was the weirdo for asking and then pointing out that they had a legal requirement to handle it properly and if they couldn’t, they shouldn’t be collecting it. It was baffling and infuriating.

 

[max1111]

Sending that kind of data to a smallish company is asking for trouble. There are online verification services set up for this kind of thing.

 

[diamondyes]

Great question and great advice

 

[marymm]

Perhaps overnight-mailing the requested information to them would be a safer option?

 

[RingRingRingRingRing]

Thank you again to everyone who weighed in on this. I ended up emailing Donna at IDJ back and saying I wasn't comfortable with this and offering to complete the transaction another way (their website mentions accepting PayPal).

They wrote back saying they understood my concern but I needed to provide the info, though I could cross out the middle numbers on the credit card. They did not say anything about figuring out how to pay another way.

So I wrote back a second time, reiterating that I would not be comfortable with this, and specifically mentioning paying via PayPal instead since it is an option on their website.

I haven't heard back from them on that yet, but I saw that the charge has gone through on my credit card. I'm going to loop back to Yael now instead to check and see where things are at.

Again, I appreciate everyone's thoughts on this. I, too, totally understand the need for the vendor to have security against fraud. I just didn't feel comfortable with this color copy/email method.

 

[heididdl]

I bet no one on this feed has ez pass.......

 

[yssie]

I bet no one on this feed has ez pass.......

I do? I’m not following this train of thought, sorry.

 

[Rfisher]

Now I’m wondering on what level my toll road transponder sits on the conspiracy chart.

 

[Ibrakeforpossums]

That's wonderful!

 

[Lookinagain]

I do? I’m not following this train of thought, sorry.

Nor am I.

 

[Rockdiamond]

I do? I’m not following this train of thought, sorry.

I believe the reference is that when driving with EZ pass, your movements are being tracked by the government. I’ve even heard of cheating spouses getting caught by EZ pass

 

[Dhana]

But so does our phone.. I see Google maps tracking every place I have been.

 

[lovedogs]

I just went through this with james allen. In the end, I was able to "verify" using a work email instead of sending any pics of my ID/credit card. But I decided that if the work email hadn't been a successful alternative, I would have been willing to send a pic of my credit card with most #s blacked out. Of course that's just me, so i can't speak for anyone else's comfort level with this kind of thing.