My Apple Pay card is being charged multiple times in a “subscription” fraud. B of A cancelled my credit card and issued a new one. When that was added to wallet it was billed. Once scammer has access to Apple Pay which happened by using it online he has permanent access to charging any new card attached to Apple Pay. Apple Support solution was for me to contact scammers and ask them to stop. So now no easy payment with Apple Pay ever again.
It’s a subscription. A subscription is handled separately from a normal transaction involving a single payment.
Apple use a token representing your card. A normal token expires after the transaction is completed. If the transaction involves a subscription, a merchant token (subscription token) is used. The merchant token is used for each recurring payment.
Apple doesn’t control the token and can’t stop recurring payments. Banks sometimes call these Card on File (CoF) transactions because that’s how it’s done when tokens are used.
Merchant tokens are controlled by one of three entities, depending on the bank. The bank may control it, a Token Service Provider (TSP) or the Payment Network Operator (Visa, Mastercard, American Express etc.).
If you can’t stop the subscription, the fraud department in a bank should be able to revoke the token.
It’s a subscription. A subscription is handled separately from a normal transaction involving a single payment.
Apple use a token representing your card. A normal token expires after the transaction is completed. If the transaction involves a subscription, a merchant token (subscription token) is used. The merchant token is used for each recurring payment.
Apple doesn’t control the token and can’t stop recurring payments. Banks sometimes call these Card on File (CoF) transactions because that’s how it’s done when tokens are used.
Merchant tokens are controlled by one of three entities, depending on the bank. The bank may control it, a Token Service Provider (TSP) or the Payment Network Operator (Visa, Mastercard, American Express etc.).
If you can’t stop the subscription, the fraud department in a bank should be able to revoke the token.
It basically boils down to the MPAN (Merchant Primary Account Number) or as I like to call them subscription token, needs to be revoked.
Your point of contact is the bank. Their customer service team needs to understand the token belongs to them. It was created by possibly the bank itself, a Token Service Provider company, or the Payment Network Operator. Apple does not own the token and cannot revoke the token.
Only your bank can contact the TSP or PNO to revoke the token.
In the future customers will possibly be able to do that, but necessary framework is not complete and it could be months away. Banks aren’t willing to give up control that easily.
The scammer has no access to your Apple Pay. Your problem is with your bank that allowed the transactions and even gave them your new card details. The subscription is not being billed to Apple Pay and Apple is not involved at all. The transactions are now only between the merchant(scammer) and your bank. Your account would have been billed whether you had added your new card to your wallet or not. Hopefully with a better understanding on what happened, you now have more information to be able to find a solution with your bank.
wrj_ipad wrote:
I never used Apple Pay for a subscription before but have subscribed to various merchants on the iPhone. In each case there if a subscription needed to be renewed and I had changed cards the merchant had to contact me for new card info. If a token is used for Apple Pay subscriptions why, when card is changed, would the card company volunteer the new card info to merchants. It seems asinine.
Merchants enroll in the Credit Card Updater service offered by your PNO (Payment Network Operator such as VISA or Mastercard). In most cases that service is included in the Payment Processing fees that the merchant pays to process credit card transactions. If you had subscribed to a service that had to contact you to get your updated information, then it was either a one time charge for the service or the merchant was not enrolled.
The only purpose of Apple Pay is to send the merchant a token that your bank provided you, so they do not have your actual account numbers that could be exposed in a breach. The token is only good for the transactions between the merchant and your bank, so you have that security. Other than that, there is no difference in using Apple Pay and you giving the merchant your actual account numbers.
Read the information below for more information about the Credit Card Updaters. The article has nothing to do with Apple Pay, so you can see how merchants are able to get your new account details and is a service offered by your Credit Card and is not something that is done because you used Apple Pay. It is an article from Stripe that explains how the service is used from the merchants perspective.
https://stripe.com/resources/more/what-is-a-card-account-updater-what-businesses-need-to-know
No one suggests, you cantact scammers and ask them to quit. You were told to cancel the subscription, right?
Bank of America obviously doesn’t know or understand how Visa and Mastercard have Automatic Billing Updaters (ABU) that update the merchant with credit details the instant your card is updated. Did BoA bother to tell you about ABU’s?
https://developer.mastercard.com/product/automatic-billing-updater-abu/
https://developer.visa.com/capabilities/vau
Did your bank inform you about them and if not, why not?
Banks do not update the merchant with new information. The service is offered by the PNO. Some merchants pay an extra fee to PNO’s to participate in Auto Billing Updater services that I referred to in my first post. All the PNO’s offer the service. So, if it didn’t happen prior, those merchants did not pay for the ABU service.
If a subscription is started, the merchant puts all your payment details and necessary personal information on file. This exposes your information should the merchant be hacked. Tokenization offered by Apple Pay eliminates the threat of your information being stolen by hackers getting into merchant systems.
If you continue to be charged, only way that can happen is through a subscription. I can’t address what you did or did not purchase, just explain how what you’re experiencing happens.
I did call the scammers and asked to be unsubscribed. The rep said it was done and I would get confirmation email. The confirmation email said I had been resubscribed. There was a link to unsubscribe. I clicked it a window opened with keys Yes or No to cancel”. I clicked yes and after brief period “not working call support”. I believe this is set up to look legit but make it difficult to exit. It is a scam as who would subscribe to $25 a month when nothing is mentioned about what you are subscribing to.
This is confusing. The original charge was via Apple Pay. I thought the whole idea was to hide the card data from merchants and others. If the bank card data is given to the merchant what is point of Apple Pay? And if merchants are automatically given new card information even though old card was used fraudulently the fraud charges can just keep coming.
I never used Apple Pay for a subscription before but have subscribed to various merchants on the iPhone. In each case there if a subscription needed to be renewed and I had changed cards the merchant had to contact me for new card info. If a token is used for Apple Pay subscriptions why, when card is changed, would the card company volunteer the new card info to merchants. It seems asinine.
Wow, I never would have figured that out. Thanks.
Thank you very much for your generous time spent sharing a detailed explanation. Hopefully it will help others as it has helped me.
You’re welcome! Jim and I are always around to lend a helping hand. We hope you have a great day.
Apple Pay being charged multiple time in fraud.
