problems when order 303 protectant

I highly doubt there's a "law" that dictates their practice. As you say, every web ordering site in the country would be violating that "law".

 

Camping World and most RV stores have 303 Protectant products.
Try www.campingworld.com

 

I bought it on ebay

 

Here's where I buy mine, for what it's worth. I buy it by the gallon, and they often have discounts.

I've bought lots of stuff from them over the years, and they've been great. Super customer service as well.

 

Here is what I think is happening. Whoever is running the transactional capacity of their web site doesn't know how to harvest and transmit the CCV data. But their credit card processor won't take cards unless they get the CCV data. So, orders come in and they have to get the code from the consumer through some other means, in this instance telephone or email. Email is a totaly dumb way of getting CCV data. Telephone is better.

As for the illegality of not providing CCV data, that is also dumb. They should have been honest with you, "our card processor requires the CCV code to complete the transaction and we do not have the ability to collect that data from our web site at this time."

The financial services industry is always working on new ways to prevent credit card fraud. Next time you are out to dinner and are paying at a till or you are paying with plastic at a place where a clerk swipes your card, they may be looking at the back of your card not only for your signature, but also for the CCV code. It used to be that when swiping your card (and it still is the case with some readers or transaction processors) that the clerk would verify the card by typing into the terminal the last 4 digits of the card number. That would be the signal to the unit that the card was valid. Currently the trend is to not verify the last 4 of the account number but to verify against the CCV number. However with the advent of white plastics being encoded with stolen credit card numbers another method of determining card validity had to be implemented. The CCV number is there to do that. Rather than verify the last 4 of the account number using the CCV gives another set of numbers to verify that the card in the vendor's hand is valid and not a fradulent card. We see the required field for the CCV number at major internet vendors.

As for 303's site, I have not been there yet, but I'm inclined to believe that they might not be using as sophisticated software as Amazon. They might even be using a database to collect customer orders and card information and then hand entering that into a card terminal to process their transactions. I've purchased from a number of smaller web sites over the years and have received receipts with the merchandise I ordered which were definitly generated on a card machine, not through some other interface to the credit card processing network.

My inclination would have been to provide them the CCV number only if I had called into their customer service line (not received a call from their service department). That means that they are doing due dilligence to help prevent credit card fraud. Remember, a CCV number is unique to a credit card number and vice versa. A fraudster with only a credit card number can't do as much damage now if they don't have a CCV and a fraudster that doesn't have your credit card number but had a CCV can't do jack and can't extrapolate anything from only a CCV number.

 

There's nothing illegal about asking for the 3 digit code. The law has nothing to do with it. All merchants must follow a set of standards, but only because their merchant agreement (contract) makes them. There is no "law," just contracts. The company is doing nothing criminal.

HOWEVER!!! It is a violation of the merchant agreement to store a CVV/CVV2 number after payment authorization (you can't even store it on paper). The fine is $50K each incident, if caught.

I would say that e-mail is absolutely an unacceptable way to ask for a CVV number or any other type of credit card data because: 1) it is not secure (unless you two are pgp or otherwise encrypting your messages with > 1024 asymetric keys or > 128bit symetric keys. 2) it is very likely that the number will be stored e.g. on backup tape or in the "deleted messages" folder of someone's email. 3) Since you can't enter a cvv separate from a card number, that means the vendor is taking your credit card data, storing it and running an authorization later. Very dangerous that is.

For small companies, it is safest to take the data, run the transaction immediately and store only the transaction ID numbers (and possibly the last 4 digits of the card). This means using an on-line authorization provider like verisign or others. That way the company minimizes their exposure. Hackers can only steal transactions as they happen, but can't get a master list of all credit card data for all past transactions. I work at a $2billion/year organization and our main e-commerce site never stores card numbers. We let the banks do that.

In any case, the vendor doesn't know what they are talking about when processing credit cards. I personally prefer vendors that care enough to do things right in all aspects of their business.