Monday, July 07, 2008

How not to make Money, or How Valve's Steam Service Sucks

One of my big pet peeves is when fraud prevention systems become customer prevention systems. I was actually going to comment on how cool the game Portal is, but getting an impulse buy declined always irritates me.

Valve's Steam service takes it to new extremes. Every other month or so (when I am trying to buy a $9.99 add-on or something else impulsively), all my credit cards and my PayPal account are declined with no further details available. Support always answers with the same response: "you were flagged by our fraud prevention system". Once, I could possibly understand, if I misspelled my address or was buying from an unverified PayPal account. AVS will flag that.

Right about the sixth time, it gets rather old.

Of course, the fools answering the questions for Valve have no idea how basic credit card fraud prevention is done, and so generally make something up that's easy to call BS on. They're also not interested in fixing it or it would probably not have happened the third time.

Obviously, it flies in the face of instant gratification, and makes you wonder who the dork that failed Comp Sci 101 was that implemented it, and who the 3rd rate MBA/accounting drop-out was that came up with such "restrictive" (as in stupidly anal) requirements instead of actually thinking about the problem.

Valve's Steam has:
  • Subscriber name, DOB, address, email
  • The Steam fat client has no trouble uniquely identifying a machine (think MS's unique machine identifiers), and the user that's logged in, and any file on the machine (think browser history and cookies)
  • Credit card history for Steam accounts
  • Access to PayPal records for purchases made, plus access to PayPal's fraud prevention system
  • The ability to verify that all of this stuff matches
Effectively, everything about you but a DNA sample. Obviously the privacy implications are scary, and it's safe to say they care more about their bottom line in terms of credit card chargebacks than they do about your privacy. I am willing to bet money that their security scarcely exceeds PCI data security standards, and it's likely that they also got "exemptions" for reasons of their "business model."

So, given a perfect match, why say no to money?

All online businesses have more fraud exposure than brick-and-mortar ones. A "card not present" transaction is not guaranteed by the card issuers. If you're an online vendor who gets enough disputes filed against charges (called chargebacks), your per-transaction fee goes up, and so does the amount of scrutiny the credit card companies give you in terms of the PCI security standard. A criminal can walk into a jewelry store and max out your account with a re-printed credit card, and stores don't bother verifying ID or signatures because they're protected from fraud - the onus is on you to prove you didn't buy it.

However, I can buy a $1500 notebook PC from mwave with my credit card, a shipping address that has to match my billing address, and the CCV2 code on the back of the card. Somehow being more risk averse than that for sub-$50 purchases is beyond my ability to rationalize.

In short, Portal is a great game. Good luck buying it, but then, it's just as cheap in the store. So much for passing along savings to the consumer, huh?
