Whenever we’re explaining one-click payments to our partners or clients, it’s always good to add the “just like Amazon or Apple” phrase. In most cases it says more than any detailed description would and there’s always the “big brand effect”. Of course one of the greatest advantages of one-click payments is that this solution is fast and convenient. That’s why when making a purchase, I was a bit surprised that Apple asked me to provide additional specific documents in order to prove my identity. But, as I wrote recently, confirming my identity is completely understandable in some cases. What struck me was the way it was handled.
Before I tell the story, I have to clearly state that this was a local Apple department (not the US Apple), but after some googling it looked like the same department also contacts, for example, UK customers. We also do not intend to mock or criticize Apple – we just want to present an interesting case study and an example that even really big brands either make mistakes or sometimes do not fully control their representatives.
What exactly happened?
I placed an order, paid with my card and waited for the delivery. But after one day I received an email saying that Apple would like to check my identity and whether I’m authorized to use the card. I was supposed to send jpegs with my ID/passport/driving license AND my bank account statement with my name and my card number visible.
‘Ok, something is phishy here’, I thought. The email itself looked like a standard message. And yet it contained a lot of punctuation mistakes, wasn’t even personalized (“dear customer”) and looked too unprofessional. A lady signed it, but there was no information on how to contact her, not even an email address. I could only reply and send my documents to “eurofinance”…
The first thing I did was to google for similar cases. I didn’t get many results, but the ones I found were all of the same kind: “what should I do? – don’t send them anything, it’s probably a scam!”
Alarming, but not reliable. So I asked some of my friends.
‘Did you ever pay with a card in Apple Store?’
‘And were you supposed to prove your identity?’
So I called Apple. I spoke to a nice lady, who confirmed that the email was sent by their finance department, but she couldn’t answer any of my questions. And I had a lot of those.
But first things first. I replied, sending a scan of my ID and a question about the bank statement. There was no chance of getting what they asked me for, since a bank account and a card are separate things and my bank doesn’t include the card number on the bank account statement (besides, I have two or three cards assigned to the same account). I could send the card transaction history, but they wouldn’t see the Apple transaction, because the funds were only blocked and there was no actual transaction. I wrote all that and they asked me for a scan of my card.
I was pretty determined to finish this, so I sent the scan. I was just waiting for them to ask me for a scan of the back side as well (where the CVV number is) – that would be too much. Fortunately, they didn’t.
They also didn’t answer any of my questions, nor did they write anything like “thank you for proving that you’re yourself, we’ll proceed now”. The lady I spoke to on the phone gave me her email address and was the only person who didn’t avoid or ignore me, but couldn’t help me.
The email contained some strange statements, but what struck me most was the reasoning for asking me for additional documents. Let’s take a look at what Apple wrote to me and how I understood it.
‘According to the Apple terms of sales, the merchant reserves a right to verify the customers identity.’
Well, sure, I respect that. The thing is that I cannot find any part in the said terms (applying to my local Apple department) that would refer to my situation. There were such terms, but only in reference to credit cards and wire transfers. Nothing about debit or prepaid cards (or any other payment methods). And I happened to pay with a debit card.
‘This action is related to the fact that it is impossible to collect the cardholder’s signature during the sale and is only performed in order to secure the card holder from unauthorized usage of his card.’
Now this is strange. I have never had to sign anything when using this card, no matter whether it was a terminal in a restaurant/mall or I was shopping online. If the amount is significant, I have to enter the PIN and that’s all. The signature thing is absolutely unclear to me, both in reference to the payment method and online shopping in general (what would they compare it to anyway?).
As to the security… Well it’s really nice that they care about me. The thing is that I’m paying with a card not only because it’s convenient, but also because I feel extra secure. Double-insurance, a chargeback possibility. If they were trying to protect anybody, they were protecting themselves. Of course I’m not saying they shouldn’t or that it’s bad, I simply don’t like to be told that it’s the other way around.
After asking me for the document scans, including the impossible bank statement mentioned before :), the lady wrote the following:
‘After finishing the verification, all the documents will be destroyed.’
Phew, now that made me wonder! These are computer files, how are they planning to destroy them? Deleting isn’t destroying. Are they going to overwrite the hard drives with only ones or zeros and treat it with a strong magnet? ;) I admit I had a good laugh about it, but I also asked about this issue (after all – why not?).
What actually happened?
I’m not sure, but I can only assume that Apple felt alerted, because my first transaction didn’t come through. I simply keep low limits on my card and I forgot about it. I changed them, tried again and paid successfully. However, if a transaction is rejected (and Apple doesn’t know more, they get “transaction rejected” from the issuer and that’s it) and after a while the very same transaction for the same amount passes through, people get suspicious. Imagine someone trying, for example, to brute force the CVV2 number. That could be the case. Of course one would be extremely lucky to hit it with the second shot, but nevertheless…
I guess that’s why they wanted to make sure and it’s quite understandable that they did.
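The pattern guessed at above, sketched as a merchant-side rule (an added example, not from the original post and not Apple's actual fraud logic): a single decline followed by an approval for the same amount goes to manual review, while a burst of declines on one card looks like CVV2 guessing. The log format, card tokens, one-hour window and three-decline threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds, chosen only for this illustration.
WINDOW = timedelta(hours=1)
MAX_DECLINES = 3

# Constructed sample log: (timestamp, card token, amount in cents, issuer response).
# The merchant sees only "approved" or "declined", never the decline reason.
SAMPLE_LOG = [
    ("2024-01-10T10:00:00", "card_A", 99900, "declined"),  # card limit too low
    ("2024-01-10T10:12:00", "card_A", 99900, "approved"),  # limit raised, retried
    ("2024-01-10T11:00:00", "card_B", 4900, "declined"),
    ("2024-01-10T11:00:20", "card_B", 4900, "declined"),
    ("2024-01-10T11:00:40", "card_B", 4900, "declined"),
    ("2024-01-10T11:01:00", "card_B", 4900, "declined"),
    ("2024-01-10T11:01:20", "card_B", 4900, "approved"),
    ("2024-01-10T12:00:00", "card_C", 1500, "approved"),
]


def classify(log, window=WINDOW, max_declines=MAX_DECLINES):
    """Return {card: verdict} with verdicts ok / manual_review / likely_enumeration."""
    by_card = defaultdict(list)
    for ts, card, amount, result in log:
        by_card[card].append((datetime.fromisoformat(ts), amount, result))

    verdicts = {}
    for card, events in by_card.items():
        events.sort()
        verdict = "ok"
        for when, amount, result in events:
            # Declines on this card inside the look-back window ending at `when`.
            recent = [e for e in events if e[2] == "declined"
                      and timedelta(0) <= when - e[0] <= window]
            if len(recent) >= max_declines:
                # Many rapid rejections: consistent with guessing card details.
                verdict = "likely_enumeration"
                break
            if result == "approved" and any(e[1] == amount for e in recent):
                # Decline then approval for the same amount: ambiguous, ask a human.
                verdict = "manual_review"
        verdicts[card] = verdict
    return verdicts


if __name__ == "__main__":
    for card, verdict in classify(SAMPLE_LOG).items():
        print(card, verdict)
```
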
So what was wrong?
Obviously the way they did it. Imagine that the email I received could be sent quicker or even automatically. It could be personalized, contain more information, be written correctly and not make me suspicious about whether it’s real or just a phishing attempt.
And later – why the complete ignorance? It’s been over a month now since I started sending them questions and follow-ups. And I have even explained that I’m simply curious why it turned out like this and that answering will be good for both sides – I get my answers and they get a chance to improve their communication (I wasn’t the only one confused). Besides, there’s a good chance they could improve their Terms of service as well, as it looks like someone just translated them without knowing the subject very well.
I know they get my emails (they used the information I provided to complete my order), I just cannot understand why they keep ignoring me.