Interestingly, the CBA indicate that a DD may be arranged using only the card details. While it should appear as a card payment in the account, it still looks like it requires a DD authority to operate. Is this what actually happened in the original case we are discussing?
From CBA on this matter:
To do this, you’ll need to arrange a direct debit authority and give the merchant or service provider your card number, expiry date, and 3-digit CVV number on the back of your card. This allows the merchant or service provider to charge your debit or credit card.
As the email is so unclear, it is relatively useless as a means to disentangle what has actually occurred.
On a bank statement or online account, banks we deal with state if they are direct debit through a direct debit facility (providing bank account details) or automatic debit using a card payment. It was very specific in the OP that it was a direct debit using a direct debit facility (with bank account details) and not a automatic card debit.
As explained above, Tangerine website explain that providing bank details at account setup will be used for direct debits. This will explain why a direct debit facility using bank account details (as outlined in the OP) was created by Tangerine and resulted at a later date a direct debit of $100.
The setup of the direct debit facility at signup might have been an oversight by the account holder or not obvious enough through the account setup process. I haven’t used the account setup process with Tangerine to see which it was, but, the website is clear that this occurs.
Just to clarify, do you mean they debited your account using a direct debit (using BSB and account number) or was it a debit that occurred through your card details?
As you are certain that you didn’t supply account details for a Direct Debit Authority? The email indicates that it was card details that were “detected”, this does not provide account details, so it is unlikely that any account details would have been compromised from that. However if the $100 was deducted as a card payment directly (and without your knowledge or approval) from your account this would be a different matter, particularly if you did not authorise the storing of those details for that purpose.
I did not supply my bank BSB number or my account number and I would never have given the 3 number code to any organisation to keep on their system. I have sent a email to the person who English is not their first language, but practice makes perfect, asking how my bank account details ended up in their system and I am awaiting a response.
It is unfortunate consequences when service centres move offshore to save a few dollars - making prices cheaper.
Is the services with Tangerine for the NBN?
Generally with NBN, there are upfront setup fees which need to be paid on signup (mobile can also have upfront fees as well such as first periodic payment upfront before mobile service is provided).
Can you remember how these were paid for? If you have bank statements going that far back, I suspect it will be by direct debit. If it was by direct debit, providing your bank details at signup would have automatically given Tangerine the authority to set up a direct debit facility. You must have given the bank details at sometime otherwise they wouldn’t have them.
Alternatively, if you signed up over the phone, can you remember how you paid for the upfront fees? Details would have been given to Tangerine which they recorded against the account. In such case, it could have been any payment method. As you prefer not to give out your card’s CVV number, this will possibly also be your bank details.
The upfront fees would need to be paid to allow services to be provided. This is most likely when Tangerine obtained the details.
There are various options for paying for a new service with a new provider. I’ve variously paid by Credit card, or perhaps once by BPay on receipt of the contract and setup bill.
In addition with a new service one needs to provide sufficient ID. Typically it includes a photo ID plus the verified details of a bank issued card of some type or … various more difficult to provide support.
It used to be when we first had mobiles and the internet one could simply make a phone call to Telstra. On provision of your home phone number, account number and name nearly anything was possible. A new mobile complete with SIM card could turn up in the mail no more questions asked.
If at anytime one has provided details of a credit or debit card, whether as ID or over the phone/online for a payment it’s possible those details were kept by the business. These days they are not supposed to, however not every business is so careful. I recently booked accomodation direct. When making a change and settling the final payment the provider said they did not need my CC. They still had my details on file from the original prepayment.
It will be enlightening to hear how Tangerine came to acquire the necessary card or account details, whether it was done properly, whether they under Australian law were entitled to retain them, and whether they lawfully made a debit to your account.
Thank you for your insightful messages, my account is for a mobile broadband bundle, I have been searching Tangerine’s customer accounts website and found that my Visa debit card has been stored and it has the card number and expiry date with no other information provided. I went right back to my first receipt which was headed hardware. This I assume was for a new modern because when I clicked on details it came up as no records found. No records found came up under details for the next 8 receipts. I looked at my bank transaction for Tangerine’s direct debit and it is listed as Eftpos debit from my bank account. I am still awaiting a further response to my last email from the Tangerine employee assigned to my case
It is one thing to provide card details for an initial or one-off payment, but another thing to provide an ongoing authority to debit an account, or make a credit card charge.
I have been tripped up by businesses before that sneakily obtained my acceptance for an ongoing debit or charge, when I had no intention of doing that.
If the business will not willingly delete the direct debit details and cease, then your bank has to if you request the authority to be cancelled.
I think a good solution would be a two step direct debit authority process for ongoing payments past an initial or one-off.
First step, you give your authorization to a business. As is the case now.
Second step, the new one, is that the bank or credit company who grants the DD authority to a business, sends one a communication for one to confirm. Clearly stating the details.
It could also be a good thing for direct debits to only be valid for a limited time, say two years. So the business would have to come back again to renew the DD. Which of course one could decline.
In this case it seems that the transaction was a Card debit, what is the most concerning part was that the email indicates that the card details were siphoned when the consumer made their initial payment to set up their account. The siphoning is contrary to their policy, which states they do not collect or store this information from the initial payment. It would seem that the staff member taking the details for the first payment then saved those details into their system for future purposes of taking money by debiting the card whenever the business wanted to process a payment that was due. How many people has this occurred to, and which is contrary to their policy?
That is only for website NBN setups done today, and not NBN setups by phone or other services… or potentially in the past.
It would be interesting to know if @GilesFairmont can remember if request for the mobile broadband bundle was done online or by phone. If it was done online or by phone, at the time was there any indication that details would not be collected and stored.
No it is for the initial payment, doesn’t matter if by phone, website, or otherwise. This is similar to my experience with ABB for the initial setup of our connection, I had to pay both the setup fee and the nbn(r) Greenfields charge, this I did over the phone, they do not and did not store the details. I then arranged a DD authority as part of the arrangement. These are two distinct steps, not one where they store my information for possible later payments.
As for Tangerine, their policy is similar, in that the policy is that they do not store the details of that initial payment. Only if a person agrees to future payments by card are the details to be provided and stored. A person has to agree to the storage. The initial payment, which included the modem cost, was made using the card (confirmed to me by @GilesFairmont in a private message). From the email which now appears to be more supportive of the facts i.e., the payment of $100 recently was a card debit not as most have understood it to be a direct debit using account and BSB; the email indicates that the card details were “detected” and stored from the initial payment made as Tangerine felt it would help clients who forget sometimes to make payments. As the dispute was raised, Tangerine then removed the details and stated that the reps were now being trained and some sanctioned over the policy breach. It is now clear that Tangerine did scrape the details in a manner contrary to their policy. Notably they have removed the non-direct debit fee even though the consumer is paying by BPay and has never paid by direct debit. This fee removal could be a way to compensate for the policy failure, the reason though is not made clear.
Whether online or by phone or by email, the policy is that they do not store the card details for the initial payment. What they have indicated is that they “detected” the card details and stored them. This is contrary to their policy, and the email advises they are now training some of their reps in regards to this and have sanctioned some. They then used your card details to remove $100 from your bank account. As I noted in one of our PMs, this is not what many term a direct debit, it is a card transaction. People do sign up to use their cards for future payments, you have indicated that you did not do so.
It does, their website states that for the current application process:
Due to payment compliance our website does not store your credit or debit card used to make the initial payment during signup
It is only website that applies.
Their policy can change overtime and since signup was some time ago, what the policy which applied at the time of setup needs to be determined.
Can you remember what it said through the application process and what details you provided? Did it ask for details to allow ongoing service payments?
The other question is if the transaction is shown as an EFTPOS debit transaction on your bank statement, it isn’t possible to use an EFTPOS card for online purchases or payment though a website. EFTPOS can only occur when the card is physically presented. Was this purchase for something else?
If a card was used online, the transaction on the statement would be shown as Visa, MasterCard, Amex or another card issuer. This means you either you signed up to Tangerine in person somewhere or paid by other methods if signup was done online.
You seem to suggest your Visa card details were captured but only the card number and expiry date. Tangerine wouldn’t be able to process payment without having the CVV. The CVV is an additional security measure needed for MOTO transactions (transactions not in person).
There are a few things which don’t seem to add up, and I am getting confused to what may have happened which allowed the direct debit of $100 to occur. There might have been too much ‘water under the bridge’ for you to remember when and how your financial details were given to Tangerine.
An interesting yet worrying point, something that would need to be considered when money goes missing from personal bank accounts but Tangerine confirmed that they did indeed deduct money from my bank account. I don’t know if Tangering would reimburse scammed money though I suspect they would not as I don’t think many companies would pay money as a result of a scam without being compelled to do so because who’s at fault, the bill issuer or the bank.
