How $1,100 in Fraudulent Charges Encouraged Me

December 29, 2011 - Security

I was recently surprised by a “please see attendant” message on the gas pump after swiping my debit card. What the…? I had just used it for lunch the day before. I went home, checked my online activity and everything looked fine. My bank was closed for Veterans Day so I couldn’t call anyone to figure out what was going on.

The next day it was all too clear what had happened.

22 transactions from an iTunes store in Luxembourg for $99.99 each, along with one for $1, were all pending on my account. First thing Monday morning I called the bank, who directed me to call Apple, who said they needed a chargeback request, which can’t happen until the transactions actually post to the account. By Tuesday about $1,100 worth of transactions had cleared and the rest were rejected. Wednesday afternoon was spent at the bank. After almost an inch of paperwork and the police report I had to file just to get the process started, I finally had a chargeback in process (the money was refunded less than a week later).

A week or so later, I got an email from winelibrary.com saying their site had been hacked and payment card information was compromised. Well there you go.

So how could this experience possibly be an encouragement to me?

I was encouraged because it reminded me why I care so much about, and have spent years of my life working on, security. At FoxyCart.com, we’re almost fanatical about it. We spend a large portion of our revenue constantly improving our systems and ensuring we’re with one of the most secure hosting facilities available[1]. We’ve done extensive penetration testing and we are finishing up our audit (as of last week) to become a PCI Level 1 Service Provider. Are we invincible? No. No one is. But we’ve spent years and more money than I want to say taking this issue very, very seriously.

If you run a business that processes payment information (or you’re thinking of starting one), please, do yourself a favor and read our wiki page about PCI DSS. If you don’t treat this seriously, it can destroy your business. The fines alone can be hundreds of thousands of dollars, not to mention the damage it does to your brand and your reputation.

I’m not mad at Gary Vaynerchuk or at Wine Library. Their staff is going through hell right now and they are doing a great job, including a personal phone call I received after replying to their email. What I am upset about is that this didn’t need to happen. They are good at wine. It’s what they do. They should have left the e-commerce security to professionals because it’s what we do. Having an in-house team wasn’t enough in this case.

If you’re building an online business, please do your homework. Know the full costs and risks involved with using a hosted or self-hosted solution. If you don’t use us, find another secure hosted solution or use tokenization so payment card data is never stored on your systems (which, I’m happy to say, Wine Library’s new website takes advantage of). Another option is to offload everything to PayPal or Google Checkout. Don’t take these risks on yourself unless you have a team of people dedicated to security.
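To make the tokenization recommendation concrete, here is an added illustration (not FoxyCart code, and not how any particular token service works) of the pattern: the merchant hands the card number to a vault once, keeps only an opaque token plus the last four digits, and charges later by token. The `CardVault` class is a hypothetical stand-in for a PCI-scoped token service provider, the card numbers are constructed test values, and `find_stored_pans` is the audit check a practitioner would run over the merchant’s own records to confirm that no full card number ever ended up there.

```python
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation; used to tell a real-looking PAN from other digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Coarse brand guess from the first digit; enough for a receipt line."""
    return {"4": "visa", "5": "mastercard"}.get(pan[0], "other")


class CardVault:
    """Hypothetical stand-in for the token service provider.

    This is the only component that ever sees a full PAN. In a real vault the
    token->PAN map is encrypted at rest and lives inside the PCI-scoped environment.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, so nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_urlsafe(18)
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A processor call would happen here; the receipt carries no PAN.
        return {"token": token, "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class MerchantRecord:
    """What the merchant database keeps: token, display data, free-text notes. No PAN."""
    customer_id: str
    token: str
    last4: str
    brand: str
    notes: str = ""


class MerchantStore:
    """The merchant side: it touches the PAN only long enough to hand it to the vault."""

    def __init__(self) -> None:
        self.records: list[MerchantRecord] = []

    def save_card(self, customer_id: str, pan: str, vault: CardVault) -> str:
        token = vault.tokenize(pan)
        self.records.append(MerchantRecord(customer_id, token, pan[-4:], card_brand(pan)))
        return token


# 13 to 19 digit runs not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_stored_pans(store: MerchantStore) -> list[str]:
    """Audit check: scan every persisted field for Luhn-valid card-number-shaped values."""
    hits = []
    for rec in store.records:
        for value in vars(rec).values():
            for candidate in PAN_RE.findall(str(value)):
                if luhn_valid(candidate):
                    hits.append(candidate)
    return hits


if __name__ == "__main__":
    vault, store = CardVault(), MerchantStore()
    tok = store.save_card("cust-1", "4111111111111111", vault)  # constructed test PAN
    print(vault.charge(tok, 9999))
    print("PANs found in merchant storage:", find_stored_pans(store))
```

The point of the audit function is that tokenization only helps if the full number truly never lands in your own tables, logs or free-text fields; running a scan like this over exports of your database and log archive is the cheap way to catch the accidental copy that puts you back in scope.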

I now have personal experience with the drama created when a payment system isn’t as secure as it should be. It’s really frustrating. I’m encouraged because I believe the business we’ve built will spare hundreds of thousands of people from experiencing what I went through.

Your customers deserve to trust you with their payment information. Don’t let them down.


  1. We do use affiliate links sometimes, but only when we actually believe in a service enough to put our reputation on the line by recommending it. In this case, our secure application environments (both our primary and our hot failover) are with Firehost, so we obviously trust them enough to recommend them.