This is one in a series of posts about business processes that are calling for "angioplasty".
Almost 20 years ago, I heard this story about American Express. They were rolling out pattern recognition software to detect unusual card activity. The day the software went live, a charge was approved for an 8-digit dollar amount. The software test manager's heart sank. Surely, the software should have caught something that big. Back to the drawing board... till they investigated and found that it was from an Arab sheik with considerable net worth... and the charge had been pre-approved. The software had worked fine.
Fast forward to today. Chase recently bought the issuer of one of the cards I use regularly. They should know from my patterns that I travel a fair bit. Yet every few months they will call because they have noticed some “irregular” activity.
Last Thursday while I was in Houston I got one of those messages from Chase. On Friday morning I got another call. I called them - after the automated system has asked several screening questions, they transfer me to an agent who proceeds to ask the same questions. Not a good start. I ask him what irregular activity they have noticed. The conversation goes like this:
“Oh, we wanted to ask if you have received the new card we sent you as part of our re-branding?”
Is this a marketing call?
“No, can you verify 3 transactions?”
One was for $6, one was for $8 and one for $15. I confirmed they were mine and asked him why their software was flagging such small transactions when I travel all the time.
“It’s for your protection”.
Then, “We need your home number”.
You already have it in my profile. You left messages on that number asking me to call you urgently.
“Please confirm it”.
I asked why, since they had already asked several profile questions at the start.
“It is our security procedure.”
Then he wanted more personal data. At this point I refused to provide any more information.
“We are going to have to suspend your card.”
When I asked to speak to his manager the guy hung up on me. I called back - same automated, then human screening routine. I asked the second agent about the previous agent who had just hung up on me.
“No idea – there is no record of your last conversation.”
Wow – so much for date/time stamping such security conversations. So I asked to speak to a manager. 15 minutes later she apologizes and assures me the card is not suspended. I asked how come they call every few months, when Amex does not need to.
“We are not Amex”.
The icing on the cake? The next day when I checked my messages at home, there were 2 more messages - "please call the fraud center to discuss some unusual activity on your card"... I ignored them.
Another time, I used a card to make a phone call from
If card companies are really, really concerned about security, they should:
a) quit sending out so many cards in the mail – pre-approved often without people soliciting them
b) have merchants quit printing out transaction slips with complete card numbers and expiration dates (many merchants will mask some digits of the card – but a thief with access to slips from 4 merchants could string together a valid card number)
c) have merchants verify driver’s licenses for larger amounts.
d) have merchants match your signature at back of card with the transaction slip. It is pretty common around the world to do that, but not in the
e) make available approved transactions real-time for review on their customer web access sites. There is often a 2-3 day lag. I try to check on my major cards once a day. Involve customers in monitoring their own activity.
f) make it easier for customers to communicate on-line any changes in their patterns – I usually call in to tell card companies when I am overseas. I wish I could just turn a switch on-line. The Paris suspension could have been avoided.
g) take the money you are using in ads telling the world you are serious about identity theft and improve your processes – and get more sophisticated pattern recognition software like Amex appears to have.
Author's Note: I recently found you can "opt out" of getting unsolicited credit cards in the mail with one phone call - see this FTC page.