[tobiasSoftware]

Fun fact. Several years ago I started getting charges from NPM, which although I am a software developer I have never used. I cancelled my credit card multiple times, but they kept appearing each month.

I went to my bank, Bank of America, and they claimed that there was nothing they could do because NPM was using some sort of option they had to follow me when I got new credit cards. I don't know what kind of option that is, as every time I get a new credit card I have to update it with literally every other company. I also don't know how a bank wouldn't have some sort of manual override. Nevertheless, I called NPM, who said I had to talk with my bank. Eventually, after months of dealing with this loop, I threatened to leave my bank, and my bank advised me to call them and threaten to get the BBB involved if they didn't fix it, and a few days later NPM admitted it was an error on their end and reversed all of the charges.

To this day I wonder what kind of shady thing NPM was doing to not just charge someone who had never been a customer of theirs, but to follow them across cancelled credit cards.

[hunter2_]

Ok, I'll bite. There is no way a merchant can learn a new card number other than from the cardholder, or from a thief who got it from the card/cardholder. Not from any upstanding entity.

If you merely got a new expiration date, security code, etc. without also changing the card number, they could "follow" that by submitting a transaction without those extra pieces of information, at greater cost and risk to themselves, though.

I'll happily take downvotes if I'm wrong, for being assertive without a source.

Are you sure NPM was actually charging your card directly, and not a digital wallet or similar virtual card thing which you kept active?

[JohnFen]

Some banks have a service where if you use your card for ongoing regular payments and the card is replaced for any reason, the bank will allow those regular charges to continue on the new card when the service provider uses the old number.

It's very convenient if that's what you want -- it means you don't have to go to all of the ongoing services to update your card immediately. But it does mean that you can't count on changing a card to stop unwanted ongoing charges.

I recently replaced a card at my bank, and they offered this as an opt-in service (which I opted in to), but I hear that some banks make it opt-out, instead.

[hunter2_]

Ah. So in that case, NPM is not learning a new card number, and probably isn't even aware of anything at all, given that the card issuer is simply accepting transactions (instead of declining them as this person expected) on the old card number.

NPM was in the wrong for continuing to place unwanted transactions, but they were not actively participating in this "follow" scheme so the blame stops short of that.

[tzs]

No, they get the new number.

The way the update services is work is that you send them the card type, card number, and expiration date of a card you have on file, and they respond typically with one of these four responses:

1. Still good.

2. The account is closed.

3. The card is still good but has a new expiration date, which is YYMM.

4. The account has a new card. The card number is XXXXXXXXXXXXXXXX and the expiration date is YYMM.

[hunter2_]

Oh, ok. Still doesn't feel right blaming the merchant for utilizing #4 in exactly the intended manner.

The existence of #4 seems odd though. If someone just wanted different card perks they could do a "product change" which I believe retains the same number anyway, so a new number should only occur if the old number was reported stolen, in which case why provide the new number to the potential thief?

[tzs]

The update service is only available to merchants, and even then I believe there is extra vetting beyond simply being allowed to accept credit card payments. The intersection of that set and the set of credit card thieves is small.

For a typical user who has their card stolen it will go something like this. Fraudulent charges start appearing on their card, which is when they realize their card number has been stolen. The bank issues them a new card, makes sure the fraudulent charges get refunded, and invalidates the old card so the thieves won't be able to put new charges on it.

Without the updater service the user would have to deal with contacting every place they have subscriptions and update their on file card to avoid having their services disrupted.

With the updater service many or most of those will update automatically.

If the thieves used the card to buy some subscriptions, and those are from merchants who are able to use the update services, then those services may get the new number so the user might have to contact them to cancel.

For most people in that case though the number of subscriptions they legitimately have will be much less than the number of subscriptions that the credit card thieves purchased on the user's stolen card.

[piperswe]

According to Stripe,

"Stripe works with card networks and automatically attempts to update saved card details whenever a customer receives a new card (for example, replacing an expired card or one that was reported lost or stolen)."

https://stripe.com/docs/saving-cards#:~:text=Automatic%20car...).

[tobiasSoftware]

I was as shocked as you, and was absolutely infuriated over the bank telling me that they couldn't manually override whatever was going on. I can assure you it was a real thing that happened, and I did cancel my credit card and get a new number, if I remember I tried that at least twice.

I found the email from NPM when they fixed it, though in the email they still claim that my card details were stolen and it should be closed, ignoring that I had done that multiple times already. The email is below. Apparently there were 28 charges, so it must have been around 2 years that this was ongoing, I was dealing with some major issues at that time so I had to put it on the backburner for that time.

As far as digital wallets and virtual cards, I have none of those things. I may be a programmer, but I haven't gone techy with my finances, I just have a checking account and a credit card, and this charge kept appearing on my credit card across at least two card cancellations. Having said that, I have no idea what would happen if a fraudulent digital wallet or virtual card was set up that I was unaware of. The issue did start in 2015 though, so I'm not sure if those even existed back then.

Email from <Redacted>@npmjs.com: "We've completed the investigation into the charges we believe linked to your card ending in [Redacted]. We've refunded each individual charge for a total of $196 (28 refunds at $7/each). You should see those credited back to your account within a few business days.

We've canceled the subscription the charges were linked to, and removed the billing details. That said, we'd still encourage you to notify your bank that the card information was stolen and that the card should be closed.

Thanks for your patience while we worked through this on our end. I understand it wasn't ideal and even frustrating at times. I'm sorry for that.

Please let us know if there is anything else we can do for you. We’ll be here to help."