[BangPypers] [X-post] Registrations are open

Dhananjay Nene dhananjay.nene at gmail.com
Thu Jun 6 09:50:14 CEST 2013


On Thu, Jun 6, 2013 at 10:56 AM, स्वक्ष <svaksha at gmail.com> wrote:
> On 6/5/13, Anand Chitipothu <anandology at gmail.com> wrote:
>> Here is the reply I got from doattend support.
>>
>> Thanks for using DoAttend to sell PyConIndia 2013. I guess for last year
>> also, you were using DoAttend. We are excited to partner with you again and
>> will make sure that you get the best support possible :-)
>>
>> Some online payments could become "Flagged" for manual risk verification at
>> our gateway. We have a standard process here to handle them. DoAttend would
>> have sent an email asking for billing address verification in such cases.
>> Please ask the buyers to reply to it. Within 48 hours, their tickets will
>> be delivered to their inbox.
>
> Fwiw, they sent the e-ticket last night without me replying to their mail.
>
>> We ask for billing address in our registration forms. Payment gateways
>> require us to send it to them to complete payments. We don't store that
>> information anywhere in our servers. Also if you can see, our registration
>> workflow is completely 'https' enabled, which means it's very secure to
>> enter information at DoAttend.
>
> Classic corporate-speak that conveniently sidesteps the uncomfortable
> questions I raised - If the payment gateway required that information
> their site UI form would have asked for it but EBS.in didn't ask for it
> - the information collection was on the DoAttend site. When payment
> gateway providers require your details for verification from the bank
> server, they will ask for it on THEIR site (think Paypal) and even the
> smallest difference in the details will cause the transaction to fail
> <-- Been there, done that.
>
> To cross-check, I asked my bank's relationship manager who clarified
> that rules prohibit them from sharing their customer/client data.
> Later, I asked another friend who works in the banking security
> industry who also corroborated what I had said in my earlier mails -
> my transaction would have definitely FAILED if they had access to the
> bank records for verification. It did NOT, so DoAttend has no right to
> take my money and then refuse to give me the ticket I just paid for.
> That is unethical and unprofessional.
>

There are quite a few alternative explanations which you have not
accounted for. For example I had stated that payment gateways can
charge differently based on the extent of verification requested. And
no, banks do not share data with third party sites, but payment
gateways can send the data to an AVS
http://en.wikipedia.org/wiki/Address_Verification_System for
verification without the bank actually having to share private data.
There's a bunch of other stuff like regulatory requirements allowing
for certain leeway in selecting one out of multiple possible ways of
verification (e.g. look at how different banks implement the same RBI
regulations for additional authentication differently - I had read
AmEx does address verification, know HDFC requires you to enter a
password or birthdate/email data, I think Citi handles it differently
based on a PIN (hearsay)).

I am not suggesting that the concerns you raise are inappropriate. I
am however suggesting that you are reaching conclusions that to me
sound like only one of a universe of possibilities.

> Despite their corporate-speak, they are also aware that there is no
> way anyone can tell what they do with our personal information. Many
> companies claim not to sell this data but have you ever wondered how
> one is spammed each day by email and tele marketers?

Yes I have. But I also wonder if there were no additional verification
systems in place, how much easier it would be to commit card based
fraud. And of course then there is the big "R" word - regulatory
requirements (there's a ton of that stuff behind the scenes).

All I am saying is don't attribute to malice what could be explained
by a set of inconvenient choices someone made along the way. They
might just be perfectly justifiable.

