Monday 10 December 2007

Authentic Geek

I had an interesting (and briefly worrying) authentication crisis yesterday. I've been looking for some toys (for me) and found exactly what I wanted at ThinkGeek. I've bought some stuff from them before and have generally been happy enough with the service. I can't recall if my order was delivered relatively quickly or not but I got what I ordered and nothing particularly untoward happened.

Last night ThinkGeek's credit card handling routine couldn't deal with my credit card details. It barfed when I entered the various numbers and told me to be careful because even though it was refusing to accept some unspecified aspect of my card and personal details an authorization against my card had already gone through. Now the amount was small enough - a few tens of dollars - and I really wanted the thing I was ordering so I assumed there was some minor problem so I tried again. I double and triple checked my details, went back to my Credit Card Bill and made 100% sure that the data I was entering matched the card precisely right down to capital letters and punctuation in the address. Barf again, and I got the same warning again.

Now I was a little worried - was there actually something wrong with my card? So off I went independently (i.e. on another PC) and checked it; there were no apparent problems with it that I could see and the Card company are pretty good these days about calling me up when they think something odd is up. That said, you cannot ever see what items have been pre-authorized and those flags against your card account can last a long time if not cancelled by the vendor.

I did some checking and found this rant from Larry Osterman which seems to explain why my order was refused but doesn't really explain why ThinkGeek's ordering process doesn't let me know about these requirements in advance. Now in my case I've ordered from them before using this very same credit card but I have moved address and I do live outside of the US so I clearly fall foul of their new order processing requirements. It's possible that the order failed because of this, or perhaps my card supplier was down and couldn't validate my new billing address, or possibly ThinkGeek's ordering system just broke temporarily. What bothers me most about this is that I was now left with a card that I was unsure of, even though I'd done nothing wrong.

As it happens the card is fine - I used it today to test it - and I still don't know why ThinkGeek's ordering system had such issues with me last night so I'm going to have to go back to them and ask for a bit more info.

The conceptual problem for me here though is that in this day and age this should not be happening - I shouldn't care. If the transaction fails then I should not be exposed to potentially having funds removed from my account in this way and if transactions succeed I shouldn't have to sit back and think about whether I trust the vendor or their Credit Card handling agency to protect my account details. Surely transactions should be secure (i.e. encrypted and authenticated) and atomic (i.e. can only be used for the transaction they are intended to pay for) by now. When I pay a vendor for a specific transaction I shouldn't have to give them so many details about my account and identity that they could (if they were corrupt and chose to do so) empty my account. Likewise both parties should be able to unambiguously identify that specific payment in the future, uniquely. Furthermore no vendor should need to get any corroborating ID data from a customer - surely they should just ask the payment processor if it is willing to pay for the transaction and if it says OK then the vendor should feel well enough protected to proceed. Consumers shouldn't have to be worried about inept or corrupt vendors (not that I think ThinkGeek are either of those), accidents or misunderstandings should be automatically damage limited by restricting transaction replayability and consumers should have a robust, easy to use and secure mechanism that allows them to fully control what funds move out of their account. I used to have a system that gave me some of this (the old AIB O-Card that generated single use time constrained disposable credit cards) but it only dealt with one side of the problem. I'll be posting some more thoughts on this over the next couple of days.

It's amazing that we do any business at all online given how poor the current system is - most people must be very trusting and even more surprisingly most people must be scrupulously honest for the current system to work as well as it does.
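
The properties wished for above (a payment authorization tied to one transaction, time constrained, not replayable, and needing no account details at the vendor) can be sketched in a few lines. This is an added example, not part of the original post and not any real payment network's protocol; the `Processor` class, its method names and all sample values are hypothetical.

```python
import hashlib, hmac, json, secrets

class Processor:
    """Hypothetical payment processor; the vendor never sees account details."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the processor
        self._accounts = {}                  # nonce -> account to debit
        self._spent = set()                  # nonces already redeemed

    def _mac(self, claims):
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def authorize(self, account, merchant, order_id, amount_cents, now, ttl=300):
        """Customer requests a token valid for exactly one named payment."""
        claims = {"merchant": merchant, "order": order_id, "amount": amount_cents,
                  "expires": int(now) + ttl, "nonce": secrets.token_hex(16)}
        self._accounts[claims["nonce"]] = account  # stays at the processor
        return {"claims": claims, "mac": self._mac(claims)}

    def redeem(self, token, merchant, order_id, amount_cents, now):
        """Vendor presents the token; returns 'paid' or the reason for refusal."""
        claims = token["claims"]
        sent = str(token.get("mac", "")).encode()
        if not hmac.compare_digest(self._mac(claims).encode(), sent):
            return "rejected: bad signature"
        if (claims["merchant"], claims["order"], claims["amount"]) != (
                merchant, order_id, amount_cents):
            return "rejected: wrong transaction"
        if now > claims["expires"]:
            return "rejected: expired"
        if claims["nonce"] in self._spent:
            return "rejected: replay"
        self._spent.add(claims["nonce"])  # single use: burn the nonce
        return "paid"

def demo():
    p, t0 = Processor(), 1_000_000  # constructed clock value and sample data
    tok = p.authorize("acct-123", "shop.example", "order-1", 4500, now=t0)
    forged = {"claims": dict(tok["claims"], amount=999900), "mac": tok["mac"]}
    late = p.authorize("acct-123", "shop.example", "order-2", 4500, now=t0)
    return [
        p.redeem(forged, "shop.example", "order-1", 999900, now=t0 + 1),
        p.redeem(tok, "shop.example", "order-1", 9000, now=t0 + 1),
        p.redeem(tok, "shop.example", "order-1", 4500, now=t0 + 1),
        p.redeem(tok, "shop.example", "order-1", 4500, now=t0 + 2),
        p.redeem(late, "shop.example", "order-2", 4500, now=t0 + 301),
    ]
```

Calling `demo()` walks through an altered amount, a vendor charging more than was authorized, the one legitimate payment, a replay of the same token, and a token presented after its time limit.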
