Travelers, be wary of ‘data passing’ online

By | June 27th, 2010

Kathy Agosta calls it a “blatant ambush of personal credit card information.” But it’s far from clear who was doing the ambushing.

Agosta, a fundraiser for a nonprofit organization in Ann Arbor, Mich., had just booked a flight from Detroit to Barcelona on Travelocity, when a “$20 cash back” offer flickered across her computer screen.

“It gave the impression that it was from Travelocity,” she remembered. “I’m usually wary of these types of pop-ups and don’t click on them. But this one looked halfway legit because of its general appearance and the fact that it included the travel confirmation information.”

Moments after she clicked on the offer, her credit card company phoned, asking her to verify a $20 charge on her credit card from a company called MemberWorks, she said. She declined it.

Had Agosta just experienced the fabled “data pass” that was the subject of a high-profile, year-long investigation by the Senate Commerce Committee? The same tactics that soon, thanks to legislation introduced by Sen. Jay Rockefeller (D-W.Va.), might be illegal?

No way, says Travelocity.

“We do not pass credit card data,” said spokesman Joel Frey. “We have never done so.”

“Data pass” refers to a shady practice of sending credit card information along to a third party at the end of a transaction without the buyer’s explicit approval. In years past, travelers often found themselves unwittingly enrolled in clubs that automatically charged a monthly enrollment fee while travel companies raked in millions in profits, according to investigators and consumers.

“The link on the confirmation pages will take a consumer to a landing page in which the consumer would be required to input her credit card information herself,” said Frey. “Furthermore, we do not promote MemberWorks via pop-up advertising.”

Related story:   My hotel promised a refund, but my travel agency refused

Frey believes — and a Senate investigator I interviewed agrees — that something else, perhaps a computer virus or malware, activated the pop-up ad that led to the transaction.

Vertrue Inc., the Norwalk, Conn.-based direct marketing services company that used to go by the name MemberWorks, has distanced itself from data passing. At the conclusion of the Senate investigation last November, it said that it would begin verifying offers by, at the minimum, obtaining from the consumer the last four digits of their payment account as further acknowledgement of an offer.

It also distanced itself from Agosta’s case. Maria Zanfini, a vice president and senior counsel for Vertrue, said that the company had no record of any enrollment by Agosta. In addition: “Our post-transaction offer on Travelocity has always been — always been — 16-digit credit card capture. So in order to enroll, a new customer would have to put in their credit card, full credit card number and expiration date.”

Last year’s Senate investigation concluded that millions of consumers had been sold club memberships by Affinion, Vertrue and Webloyalty that they didn’t want and were unaware they had purchased. The report noted that the companies together raked in more than $1 billion by partnering with hundreds of legitimate sites that were willing to share their customers’ billing information, including credit and debit card numbers.