23-Apr-2004 (Fri)
Wherein we find that the State Legislature is dumb, and so are banks.

Don't forget: ZOMBIE DNA this Saturday! I watched the rehearsal, and the show is going to be hilarious.

To nobody's great surprise, the proposal to move San Francisco's last call time from 2am to 4am was shot down by the State Assembly yesterday. According to John Wood of SFLNC:

The SFLNC is disappointed to announce that AB 2433, state legislation to allow for a later last call in San Francisco, failed to make it out of committee at the State Assembly, effectively killing any chance of passage this year.

While San Francisco officials were heavily in support of the bill, statewide anti-alcohol groups lined up against AB 2433, claiming that it would lead inevitably to later last call in other parts of the State. [...]

In addition, testimony from a mother of a person killed by a drunk driver clearly made the legislators uncomfortable in voting for the legislation. [...] Many democratic legislators left the room after the Mother Against Drunk Drivers testimony and did not vote, so there were not enough votes to move the bill out of committee.

So it was killed by the "if we can save just one child, won't it all have been worth it?" argument that prohibitionists of all stripes have been using for centuries. Well, maybe next year (though I'm not holding my breath.)


Our online ticket sales have been working out reasonably well, but the way address verification works sure is a confusing mess. We keep having people trying to buy tickets and finding that their bank has the wrong address on file (or the wrong zip code, or something) and so the address verification fails. When this happens, they try to buy tickets six times in a row, it doesn't work, and then finally they call their bank to find out what's up. The bank phone-monkey oh-so-helpfully tells them that their credit card was charged six times, and they angrily call us demanding we give them their money back.

The problem with this is that we don't have their money! They were never charged. Probably the phone-monkey said something like "your card was authorized for $20 six times", but phone-monkey helpfully doesn't bother to explain the difference between "authorized" and "charged", and the customer understandably freaks out.

It's just such an amazingly stupid system. When you place an order, the bank does this:

    1. Verify that sufficient funds are available.

    2. If so, place a "hold" on the amount of the transaction. (This doesn't take the money out of your account, it just reserves it. Banks call this "authorization".)

    3. Check that the address you entered matches;

    4. If the address matched, then transfer the money from your account to our account. (This is where your card is actually charged; banks call this "capture".)

    5. If the address did not match, then release the "hold" on the funds that was made in step 2.

Ok, what's wrong with this picture? Well, the first thing that's wrong is, why the hell do they hold the money before validating the address?? That's just insane!

Oh, but it gets better: because apparently some (many? most?) banks don't bother with step 5 at all. That's right, if you typo the address, they don't cancel the "authorization", so that money is in limbo until it times out. It's still in your account (it hasn't been transferred to anybody) but it's unavailable to you until the hold expires, which can take anywhere from a day to a couple of weeks, depending on the bank.

Combine this egregious design with the fearmongering being spread by incommunicative bank phone-monkeys, and you end up with unhappy customers thinking we're ripping them off. It's just great.

Banks are dumb.

30 Responses:

  1. bifrosty2k says:

    there's so much stupid tear-jerker legislation out there its not funny at all.
    Less booze doesn't cut down on drinking and driving, MORE COPS ON THE ROAD DO.
    Who likes cops? I usually don't...

    • lars_larsen says:

      A judge here sentenced a husband and wife to 8 years in prison for buying beer for their 16yo son's birthday party.

      The judge's daughter just killed herself in a DUI accident 3000 miles away the month before. SOMEBODY has to pay right?

      • volkris says:

        Talk about a case where the judge should have been excused!

        • lars_larsen says:

          As far as I know, they have a right to an appeal. I sure hope so!

          The thing is, the judge went off about his daughter during sentencing. If he was smart, he would have kept his mouth shut, and not given them grounds for an appeal.

          • kchrist says:

            If he were smart he wouldn't have let his personal problems influence the way he does his job, which requires him to be impartial.

            Do you know what actual crime they were charged with? I can't imagine buying alcohol for a minor being any more than a misdemeanor, which I believe usually has a maximum sentence of 12 months jail time (in CA at least, although I could be mistaken about that).

            • lars_larsen says:

              The funny thing is, buying their son alcohol was perfectly legal. Its just that they left it in their house and didnt stop other 16yo's from drinking it.

              According to the police, there was no evidence that anyone, underage or not drove drunk. The driveway was blocked and the parents had the keys of everyone there.

              In my state, its legal to buy your own child alcohol as long as you are on your own private property, it is just not legal to buy someone else's kids alcohol.

              They were charged with nine counts of contributing to the delinquency of a minor. Which in VA is a misdemeanor.

              They were originally sentenced to 8 years, but on appeal it was reduced to 27 months. Thats 6 months for each count, with 3 of those suspended for each count.

              A man shot another man 8 times here a few months later. The victim survived. The shooter was sentenced to 4 years. Half of what this couple were originally sentenced to for having a party.

      • bifrosty2k says:

        Sounds about right :)
        Its never an individuals fault...

        • lars_larsen says:

          Thats exactly what I was thinking. She chose to get drunk, she chose to get in the car and drive. But it's NEVER a matter of individual responsibility.

          Its society's fault man, ya dig? The media made them do it!

  2. down8 says:

    MADD is one of the most vicious lobbying groups in the US. I don't want to get off on a rant here, but I'd pay cash money to see a 'celebrity death match' between MADD and the NRA. While I'd be hoping for the NRA and our civil liberties to win, I wouldn't call it a sure bet - even with semi-automatic "hunting rifles". Those bitches are insane. Which is understandable, given their probable loss. But that's exactly why they shouldn't be taken seriously - they are hysterical, rich old house wives, who's money and lack of parenting got their sons/daughters killed.

    And don't get me started on the effect those bitches have on non-law abiding groups, such as the DMV. Those unfireable idiots don't care about logic, or the law - they just want to keep their funding. OK, getting angry. :^) I'm done.

    -bZj

    • coldacid says:

      I'm not one to put up dumb things like this (okay, I am, let's not debate it), but here's what Google Fight says on MADD vs. NRA:

      MADD (279,000) versus NRA (1,080,000)
      The winner is: NRA

      Shall I go for MADD vs. DMV next? (Kidding.)

    • unwoman says:

      Can we throw PETA in there too?

    • jayrtfm says:

      quote from http://www.alcoholfacts.org/CrashCourseOnMADD.html

      The founding president of MADD, Candy Lightner, left in disgust from the organization that she herself created because of its change in goals. "It has become far more neo-prohibitionist than I ever wanted or envisioned," she says. "I didn't start MADD to deal with alcohol. I started MADD to deal with the issue of drunk driving."

      • down8 says:

        Thanks for the link.

        Prohibitionist nutjobs.

        -bZj

      • susano_otter says:

        I heard the founder of Greenpeace left his brainchild to fend for itself on similar grounds. Now he works for the other side, apparently.

        Note to self: join the activists early, then get the fuck out before they lose sight of their original purpose.

  3. lars_larsen says:

    You should be able to bypass address verification. I wrote a billing system once that used authorize.net, and verifying billing information was optional. I had to turn it off because of the same problems.

  4. fo0bar says:

    From what I remember, at least from verisign's payflow pro system (which I last used 4 years ago), you can specify AVS information when requesting an authorization. If the information doesn't match up, the authorization is denied. Then you immediately do a capture (since you're not shipping anything, it's an immediate sale), referencing the authorization transaction, and you get the privledge of being reamed by their merchant feeds even faster!

    YMMV.

    • fo0bar says:

      Or should I say, "If the authorization is not denied, then you immediately do a capture..."

    • fo0bar says:

      Err, fuck, FEES, not feeds. I was working on some RSS stuff before posting this.

      This is not my night.

    • netik says:

      This is how authorize.net works, but verisign and authorize.net have _no control_ over what the banks do with the authorization. It just doesn't matter, and it varies from bank to bank.

      Jwz forgot to also mention that asking the bank to void the failed AVS transaction also sometimes doesn't work. This is just so lame.

  5. waider says:

    The fun that is pre-auth combined with a hokey online booking system enabled Aer Lingus to rack up €1,500 worth of "holds" on my credit card some time back. The phone monkeys at Aer Lingus and the credit card company both told me it was a hold and not a charge, but had differing opinions on the timeout - one said two days, one said five. "Yay"!.

    Oh, and I've worked inside the CC business. It doesn't make any sense from that viewpoint, either. At least, not to us code monkeys, anyway.

  6. What happens with those authorizations is the merchant requests an authorization through visa and the funds are available, the hold is placed because the bank is saying (electronically)"yeah, he has the money" When the address doesn't match (because the customer hasn't updated his address with the bank, or it actually is fraud, the merchant gets a denial from their system. Instead of contacting customer, they keep trying. There is a federal regulation E that states that a bank can only have an electronic hold on the funds for 4 business days before they either post the item to the account or release the hold and make the funds available to the customer again. A lot of times, if the merchant faxes a letter on letterhead or calls (depending on that banks policy) giving permission to release the authorization, it can be released right away ( within 2 hours for my bank).

  7. malokai says:

    address verification was added as an afterthought, and is only really done for american credit cards, at least according to my experience in the online gambling industry.

  8. veep says:

    What the hell is someone's kid doing out at 3:30 in the morning when I'm driving home drunk?

  9. online credit card payments are not at the point of workability that they frequently seem to be to those who have only had positive, normal interactions buying things. last year at work we had similar "got charged six times" nightmares that took me months to figure out. bah.

    i suspect that in the long run, paypal or similar services will come to the fore. there are still lots of kinks in that system too, but from what i've seen they're more easily solveable.

    if you guys come up with any clever ways around your current problem and don't post it, lemme know.

    • raindrift says:

      You can work around some of the poor design in AVS by authorizing a really trivial amount (like $0.01) to verify the address, and only then do an auth/capture for the "real" amount. This is how some gas stations will verify that a card is valid before allowing you to pump gas.

      Of course, this negates all the "better rate" benefits of using AVS, since you get charged for both transactions. In short, the system is fucked all around and there's nothing any of us can do about it.

      ...sorta like the California legislature, in a way...

  10. ronbar says:

    ...but I didn't see an LJ post of yours mentioning the problems you're having with the R2-D2 camera. Maybe it just needs a firmware update?

    Wait, I know! Write a perl script to automatically re-enter the positions into the camera every day! Or theme the web pages! Or recompile your kernel! Or change Linux distributions! One or more of those always seems to work for the slashdot crowd...

  11. supersat says:

    As far as I know, it's up to the merchant to reverse the card authorization if there's an AVS mismatch. I believe the intent behind this is to put the merchant in control to decide whether they want to accept the transaction or not. For example, the merchant could do their own additional authentication and choose to capture the funds (charged at a higher rate, I think). If the merchant doesn't reverse the authorization, the bank must assume they want to capture the funds later.

    To make matters worse, there are EIGHT possible AVS replies, five of which are "match" responses:

    Exact address + 9 digit zip match
    Exact address + 5 digit zip match
    Exact address match only
    9 digit zip match
    5 digit zip match
    No address/zip match
    Address unavailable
    Non-US issuer does not participate

    According to the VisaNet docs, these are all "approval" responses.

    If your bank happens to spit back a match response that your system isn't designed to handle, bad stuff happens. I once tried to order from asianmunchies.com, but had several AVS failures due to their ordering system not properly handling all AVS replies. My card works at almost all other online merchants too. Of course, since they were all authorizations, and they didn't reverse them, I had $60 on hold for a week.

    It'd be nice if you could set a flag in your authorization request that says, "don't authorize unless AVS matches," but no such flag exists according to the VisaNet docs.

    CVV2 (and maybe CVC/CID) mismatches don't seem to suffer from this retardedness.