Why were vendors able to continue billing my credit card after it was changed?

At the beginning of September, somebody got a hold of my credit card info and made a few fraudulent purchases. I got a text about it from Chase, replied that I hadn’t authorized the charge, they called me, closed my account, and reopened it with a different number and sent me a new card.

I realized I had a bunch of service subscriptions which I pay for with automatic monthly credit card billing (Netflix, internet, cell phone, gym membership, Sirius XM car radio) for which I’d have to update the credit card on file. I haven’t gotten around to doing it until today. And upon logging into my Chase account, I see that several of these companies were able to bill my September payment even though they didn’t have my new credit card number. How were they able to do this?

That hasn’t been my experience. I received my new cc card early this year. Same number but different date. I had a preorder at Amazon declined. A couple subscriptions declined. I updated the date and 3 digit code. Fixed the issue.

I don’t bank with Chase. Maybe they notified your subscription providers? Seems unorthodox since there was criminal misuse of the card.

On some of the providers’ websites, I could see the last 4 digits of the card on file; it was still my old card, yet they successfully charged it.

Maybe they billed the September payment at the beginning of the month (before the change), not after?

Or the Chase system recognized those as regular charges and due to the fraud alert (rather than simply a new issue/activated card) on your account, was able to make an exception since those were recognized as bills that have been posting to your account for months if not years. Just a WAG though.

One of them (Dollar Shave Club) billed a payment as late as 9/26, a day after I got a voicemail from Sirius XM saying my credit card was no longer valid.

We had an account closed due to several attempted (and failed) fraudulent charges. Got a completely new number. I don’t think any regular charges went through on the old number, but charge-backs did work. They were automatically applied to the new number.

No idea. I also bank with Chase, and when I got a new debit card two weeks ago with the same card number (no fraud this time, just a card that wouldn’t swipe anymore), I missed a payment for school because their epay system couldn’t put it through with a different expiration date. It also wouldn’t go through for GrubHub or ipsy until I entered it as a new card and deleted the old one, even though the number was the same (and the old expiration date still valid, just changed with the new card).

That’s really weird. I’d call Chase and see what’s up. If it’s still working for vendors, there’s a chance that it could still work for a thief.

Why aren’t you on the phone talking to Chase?

It is weird, because it doesn’t work for all vendors. Like I said, Sirius XM called me saying it no longer worked.

I don’t know, I didn’t think it could be a sign of a problem. Maybe I’ll call them in the morning.

Of course it can be a sign of a problem. If (some) legitimate vendors can still get charges through, then (some) thieves still can, too.

My parents had the same issue trying to get away from some magazine scams. For some reason the CC company let the magazine keep charging them even when that was the reason for the new number in the first place. The CC company couldn’t really explain their reasons but took care of it. It just seems like a horrible hole in their security for not much gain.

Contact the vendors whose charges went through after the card was cancelled. Ask them for an invoice or receipt of the charge. Take these to your bank in person and ask how those charges could have gone through on the date that they did. Something is not even remotely right about this.

OK, I just got off the phone with Chase. After the by-now standard charade of a futile 15-minute back-and-forth with a non-native English speaker in the Philippines who couldn’t understand what I was talking about, I asked to speak with a supervisor. She said that even though the old number had been deactivated, because it’s still the same account, monthly recurring charges are able to continue for up to 90 days after the deactivation. She wasn’t able to explain how this works, but I was tired of being on the phone and given that I at least had reassurance from someone who understood my question that the old number has definitely been deactivated, I decided I was satisfied and hung up.

(Though as I write that, I wonder, does that mean the thief could have set up a monthly recurring charge and gotten 90 days out of it? Hmm.)

No. They won’t be flagged as recurring charges until they have posted at least three times. So unless you didn’t notice the card was being used fraudulently for three months the thief couldn’t set up recurring payments.

An unethical company practicing negative option billing can screw you hard, especially if you wanted the initial product for say 12 months but now can’t cancel it.

This is why it is a bad idea to have any regular payments charged to a credit card. Pay them manually by all means, but once you set up that standing order or direct debit, it can be quite hard to stop. I was told that the stop order had to come from the company taking the money.