Post-transaction marketers Webloyalty, Vertrue, and Affinion have attracted criticism for solicitations that tend to deceive consumers. Their services typically entail recurring billing programs that promise a savings or discount, but actually charge users on an ongoing basis. They promote these services while customers are finishing the checkout process at trusted e-commerce sites -- a time when few users expect unrelated offers from third parties. Furthermore, they obtain consumers' credit card numbers through "data pass" relationships with partner sites -- so a user may enter a billing relationship and face credit card charges without providing a card number to the company that actually posts the charges. Details on post-transaction marketing, including documents, expert testimony, and victim testimony.

Post-transaction marketing has given rise to numerous complaints, including multiple consumer class actions, multiple attorney general lawsuits, and a Senate Commerce Committee investigation. Despite these attempts to spur reform, key practices continue unchanged in relevant respects -- including showing offers during checkout at affiliated merchant sites, touting offers as "savings" when in fact they carry monthly fees, and obtaining customers' credit card numbers from affiliated merchants.

If private litigation, public litigation, consumer outcry, and regulatory scrutiny cannot stop post-transaction marketing, I suggest an alternative: Strict enforcement of payment card network rules which already disallow core post-transaction marketing practices.

Prohibited Automatic Transfer of Payment Card Numbers

Post-transaction marketers automatically receive customers' payment card numbers from the merchants where customers are attempting to complete a check-out process. This transfer violates applicable card network rules:

Visa's Rules for Merchants prohibit the automatic transfer of customers' card numbers. Visa rules provide that a charge may occur after "the cardholder provides the merchant with the account number" (p.7) (emphasis added). No rule authorizes charges without the cardholder providing an account number. Furthermore, Visa requires that merchants "keep cardholder account numbers and personal information confidential" and provide that such information "should be released only to your merchant bank or processor, or as specifically required by law" (p.12) (emphasis added). Transferring a card number to a post-transaction marketer does not fit any of these narrow exceptions and is therefore prohibited.

MasterCard's Rules specifically disallow automatic transfer of customers' card numbers. MasterCard rules provide that "a Merchant must not sell, purchase, provide, exchange or in any manner disclose Card account number, Transaction, or personal information of or about a Cardholder to anyone other than its Acquirer, to the Corporation, or in response to a valid government demand" (p.5-11) (emphasis added). Transferring a card number to a post-transaction marketer does not fit any of these narrow exceptions and is therefore prohibited.

American Express's Merchant Reference Guide prohibits the automatic transfer of customers' card numbers. American Express rules provide that "Merchants ... must not disclose Cardmember Information... other than to facilitate Transactions in accordance with the Agreement" (p.7) (emphasis added). No provision of the agreement authorizes a merchant to transfer a customer's card number to another merchant. Furthermore, for a card-not-present charge, a merchant "must ... ask the Cardmember to provide: ... Card Number" (p.12) (emphasis added). No provision authorizes a merchant to obtain a customer's card number in any way other than by asking the customer to provide such number. Thus, post-transaction marketers violate American Express policies when they obtain customer card numbers by making copies from other merchants.

Failure to Request Card Expiration Dates

Visa's Rules for Merchants require merchants to request payment card expiration dates. Visa states: "Whenever possible, card-not-present merchants should ask customers for their card expiration ... date" (p.40) (emphasis added). It is certainly "possible" for post-transaction marketers to ask customers for their card expiration dates, but post-transaction marketers do not do so. Through this failure, post-transaction marketers fall further short of applicable Visa requirements.

Failure to Notify Customers Before Each Recurring Billing Charge

Visa's Rules for Merchants require notification to each customer before each periodic charge. For all recurring transactions, Visa indicates that merchants should "notify the customer before billing ... at least 10 days in advance [of each billing] ... [including] the amount to be charged" (p.52) (emphasis added). While Visa describes this notification as optional ("should"), the principle is clear: Notify customers before each charge so they have a meaningful and timely opportunity to decline. In contrast, post-transaction marketers routinely charge customers' Visa cards without such notification.

Failure to Confirm Payment Method

Visa's Rules for Merchants require that a merchant confirm a customer's preferred payment method. Under a rule entitled "Confirm the Choice," Visa explains a merchant's obligation: "To avoid any kind of misunderstanding about the customer’s choice of payment, merchants should include a confirmation page or voice confirmation that specifies the payment option selected (e.g., Visa, Mastercard, Star, etc)" (p.15) (emphasis added). While Visa describes this confirmation as optional ("should"), the principle is clear: Confirmation pages provide an important mechanism for confirming a customer's intent to enter a paid relationship. By skipping such confirmation, post-transaction marketers violate Visa's guidelines.

Failure to Identify True Merchant Name with Required Prominence

MasterCard's Rules require each merchant to clearly notify consumers of the name and identity of the company that will charge their cards. MasterCard requires that merchants "prominently and unequivocally inform[] the Cardholder of the identity of the Merchant ... so that the Cardholder can readily distinguish the Merchant from any other party" (p.5-3) (emphasis added). In particular, MasterCard requires that the Merchant's site must "prominently display the name of the Merchant ... as prominently as any other information depicted on the Web site" (p.5-3) (emphasis added). In contrast, post-transaction marketers widely fail to present their names with the requisite prominence. For example, recent screenshots from Robert Meyer of Wharton show that post-transaction offers at VistaPrint and Intelius appeared with large and prominent VistaPrint and Intelius branding, but small-type reference to the companies that would actually charge customers' cards -- exactly violating MasterCard's requirement that the merchant's name be as prominent as any other information on the page.

Card Networks Should Take Action To Stop These Violations

I recognize that card networks cannot police all improper charges that pass through their systems. But post-transaction marketers deserve special scrutiny from card networks for the threats they pose not just to consumers but to the payment card system.

For one, post-transaction marketers attack the trust and accountability required for consumers to rely on payment card systems. To feel comfortable using credit cards online, consumers need to know that they will be charged only by the sites they specifically authorize -- not by interlopers and tag-alongs. Conversely, if consumers cannot trust merchants to hold their card numbers in confidence, consumers will be less inclined to use payment cards.

Aggressive post-transaction marketing tactics also undermine efforts to improve online payment security. In multiple respects, post-transaction offers emulate Verified by Visa, MasterCard SecureCode, and other efforts to reverify consumers' identifies to reduce online credit card fraud. (For example, like post-transaction marketing, these reverification systems appear during the checkout process. And with recent post-transaction marketing moves to request final digits of a card number, both post-transaction marketing and reverification systems require customers to type an extra code during checkout.) As customers begin to realize that post-transaction offers are unwanted, customers may be less willing to participate in genuine reverification systems -- reducing the effectiveness of Verified by Visa, MasterCard SecureCode, and similar systems, thereby increasing merchants' costs. That's particularly unfortunate: Reverification systems effectively address many kinds of payment card fraud, and merchants and networks have built these reverification systems at considerable expense. Card networks would be ill-advised to let post-transaction marketers undermine the credibility of these important reverification systems.

My suggestion is simple: Payment card networks should enforce their stated rules. At all three major networks, rules require merchants to keep card numbers confidential -- prohibiting merchants from passing card numbers to business partners. Rules about customer notifications, confirmations, and disclosures are equally well-taken. I appreciate card networks' efforts to draft these rules, and the specifics of these requirements are well-taken. But rules alone are not enough. It's time for the rules to be enforced.

Correspondence with Credit Card Networks

On November 30, I sent letters to the general counsels of card networks identifying card network rules that are violated by widespread post-transaction marketing practices. See Edelman letter to Visa, letter to MasterCard, and letter to American Express.

On December 3, Chairman Rockefeller sent letters to the CEOs of card networks seeking information about applicable policies, as well customer complaints and chargebacks. See Rockefeller letter to Visa, letter to MasterCard, letter to American Express.

A May 2010 Senate Commerce Committee Supplemental Staff Report indicates that Visa informed the Committee that Affinion, Vertrue, and Webloyalty failed to comply with four different Visa operating regulations. However, American Express claimed that cardmembers granted "express prior consent" for their card numbers to be passed to Affinion, Vertrue, and Webloyalty -- a claim that the staff report says is "not consistent with the evidence obtained by the Committee in the course of its investigation." (p.18)

Posted: December 4, 2009.
Last Updated: June 7, 2010.
Sign up for notification of major updates and related work.