by eqmvii 1686 days ago
If only there were a way to stop the surprise billing once it starts.

A friend created an AWS account with a new email address for a one-off side project, and wound up locked out of both the email account and the AWS account. But AWS has the credit card, so a 25 cent mystery charge appears every month.

AWS support is completely useless despite years of attempts at escalation, and of course the credit card company can't stop the automatic payments. The "solution" from both AWS and the credit card company is to... dispute the charge every month.

Forever.

5 comments

I had a similar thing recently. As I understand it, AWS uses a digital token for your added credit card. Contact your card provider to renew/rotate/delete the digital token that is attached to your card. That should stop charges.

Doing that obviously might impact other services for which you use that card so you might need to re-add your card to those services.

Generally tokenization is done by some vault or processor. I don't know how Amazon operates internally; their scale means it's probably all in-house. But Visa does have token representations and they do also have Visa Account Updater (which keeps Visa/merchants in sync for saved instruments, e.g. Netflix). I've never seen the token implemented, generally just some vault (Braintree, Spreedly, etc). And if you are typing in a 15/16 digit number it's likely being vaulted/tokenized, not by the issuer but by the merchant/processor.
Report the card as stolen so it's reissued with a new number :)
I did that, and the next month there was a new unapproved charge again. What happened is they auto-updated the stolen card with Postmates and then told me to contact Postmates, but I don’t have an account with them. I basically now have to cancel my credit card every month. I’m just gonna have to figure out how to get a new one.
This is because issuing a new card doesn't invalidate the digital token associated with your card. E.g. if you have something like Google Pay and a new card is issued, Google Pay will keep working even though your card details have changed. You need to contact your card provider and get them to delete/renew the digital token.
It's an absurd solution, but they can cancel the card and get a new one, and that will stop AWS from being able to bill them.
This is a good way to go to collections (at least in the US) and have your credit rating harmed. Probably not for .25c, but everyone saying to just cancel a card to stop annoying bills is not giving a good answer.
In general you have a point (eg don't try to "cancel" your gym membership by using a throwaway card), but as long as you have the right to cancel the contract and you notify the business of such (eg certified mail, in the worst case), then you're in the clear. It sounds like AWS support had already been notified, so revoking the payment channel is totally applicable in this scenario.
I've done exactly what I suggested and I've never had a bill sent to collections. YMMV, of course.
Maybe, however Visa has "account updater" which is an API so that companies with saved payment methods can update them to a new number once the old expires or is replaced. They might need to close their bank account if the bank participates in this.

https://developer.visa.com/capabilities/vau

This feature can be turned off.
It won't work if the service provider (e.g. AWS, GCP) has set up the card payment as a recurring payment. All payment networks allow for the «recurring payment» flag (or its direct equivalent) to be set to «true» at the time the first payment is made, and the service provider will continue to automatically charge your card account until you explicitly cancel the payment / service contract (sometimes through having to engage the customer service). For example, a local government agency that charges me for the road toll use continues to charge me using a card number that expired in 2018.

It is important to understand the difference between the card number that is embossed/etched on the physical card (or the virtual card number) and the internal card account number. It ultimately boils down to the financial institution that has issued the card, but the card account number may pop up on the monthly card statement or elsewhere, and it will be different from that of the issued card number. Many financial institutions now hide the card account number from the card user, but it is usually there on the system (new fintech startups might do it differently, though).

Recurring payments are always set up against the card account number, and the card account will continue to get billed, even if the card account has been closed and the cardholder no longer has business with the financial institution that issued the card – until such a payment is explicitly cancelled with the business. Virtual or one-off card numbers get declined for recurrent payments if the card number is fully decoupled from the cardholder's card account – the payment networks mandate the card issuer has such checks in place. For instance, even if the card number is shielded with a PayPal handle, PayPal will still diligently honour recurring payments and will bill the underlying card.

Most of the time, cards set up with the recurring payment flag on are convenient for the cardholder (card has been lost and reissued, card has expired and has been reissued etc) and for the service provider (fewer enquiries), but there is a sizeable number of businesses (even legit ones) out there that engage in shady practices that have burned or surprised more than one consumer with a nasty letter from collections 1+ year after cancelling a card product.

My card expired and now I'm getting every month a notice that my AWS account is going to be suspended. It's been 2 years...
Stripe provides virtual cards so I use a separate one for each online service and can delete a card at a moment’s notice.
That's a lot of worries about 3$ per year.
I think it's the premise rather than the cost that matters. I'd be scared that $3 turns into $300 or something
Or everyone starts doing it. That will quickly add up. Just think of revenue they could get from millions of users for providing no service at all...