I had an interesting correspondence with a customer today. But so we can keep it in perspective, I want to first mention that our phone message at WS states that we do not have conventional hours... (I jump locations and work from my car quite often). So moving forward, a customer left us a message as well as sent us an email that I responded to.

At fist I gave no deep thought to it but then I got to thinking, exactly what made her say “I trust you guys” after just stating that they were a victim of identify theft?

Clearly she is not going to dish out her card info to make an online purchase, but wait; we are going to process it electronically ourselves, how is that different? I am going to call her when I get a moment and see if she can further educate me. I would really like to learn more about this for many reasons, but most importantly, what can a web merchant do to win them back, if anything.

Think about this, if you experienced something like check or mail fraud, do you stop writing checks or using the mail?

Customer email: “Very cool.  Thanks a bunch.  I would prefer ordering over the phone as I had
an issue with identity theft.  I trust you guys, just not putting any
financial info on the computer anymore.  What time will you be back in the
office…”

FYI I made this a new post because the original one was trashed.

Ha ha ha ha... man I am the wrong guy to ask on that one... I am with her.

I know too many guys in the security (cough.. hacker...cough) industry and have been hacked myself .. and many attempts to be phished and so on and so on....

I haveee PayPal .. hooked up to bank.... DATS IT.... I need another option? Pre-Paid card... can't get screwed that way. I simply am not at the point where I am all that comfortable using a CC online. I know better...

Further more merchants (in states at least) are required to purge their CC DBs every six months.. Do they? I have seen many cases of OOOPS where they hadn't and when hacked... POOOF... yer screwed. What about eshops in the rest of the world? Do they purge CCs on a regular basis? I doubt it given the average knowledge in this area by our ecommerce clients. So your data could be lying around out there for YEARS.. some site owner doesn’t update the latest patches of their cart and WHAM…. To Russia with love

You couldn’t get a live CC outta me… a small Pay as You Go.. Mastercard? Sure.. go nuts. I can throw it away pretty easy… screw u Russia

(did I mention the Russians hacked a site of mine this week? Ha a ha ha… or could ya tell?)

Heck, most of the merchants taking cards don’t even know what PCI standards are. And the current PCI compliance program is muddled in red tape that they actually had to offer huge extensions for qualifying merchants/processors because they are not able to figure out how to be in compliance.

So how do your customers pay you Dave?

waveshoppe wrote:

Heck, most of the merchants taking cards don’t even know what PCI standards are. And the current PCI compliance program is muddled in red tape that they actually had to offer huge extensions for qualifying merchants/processors because they are not able to figure out how to be in compliance.

So how do your customers pay you Dave?

Customers?? What's a customer?? aaawwww craaaap.... I knew I missed something in the business plan. Anyway, U can continue that one via email man.... not one I am having in public... tnx ...

I have no solution for winning back possible customers who have had identity theft or bad experiences on the web but thought I would share a story about a really interesting client I had a couple of years ago.

The web site was a corporate e-commerce site and large enough I hired a really smart young man to assist getting their internal architecture up to modern standards.  The old 486 computers some employees were forced to use wasn't cutting it.  We found that the server used as the main frame not only connected to their local network but directly into the internet.  No monitoring of any kind was in place on the database which held tens of thousands of name, addresses, and credit card numbers.  The owners who were in their seventies felt that because they used legacy DOS applications they were immune to any kind of intrusion or attack. 

We set up a demonstration for the owners of the company who wouldn't believe us, they were firm believers that technology was evil and less was better.   We invited them off site then Ryan remotely hacked their database. They were not nice people and I guess could best be described as 24/7 belligerent.  They didn't heed the warning, they didn't even believe the demonstration.   

So I know personally of at least one large database consisting of mainly doctors and RN's that is unsecured.  Ryan and I eventually walked away from the project because we didn't want to be associated with their company as technicians / web developers.  After we left we discovered we were the 12th company hired and had out lasted our competitors - I guess that was a small token after sticking out all the nastiness of the client.

It was a real eye opener for me that there are so many ways to lose an identity online.

well i know of one massive mobile phone retailer in the uk who keeps all their customer data, name, address, card type, expiry, start, issue, card number and cvn in plain text in a database.

plain text credit card details, no encryption on there at all and open to all the tech staff there to login and rape.

naturally, i'd never get a phone from them knowing what i know.......

there are big companies, who should know better, doing some pretty stupid stuff online like that.....

http://www.alistercameron.com/2007/09/2 … d-details/