Friday, 17 May 2013

Misdeeds and security

We all know someone whose approach to security is a little bit different from our own. I think about the former colleague who locked an empty cupboard while leaving its contents strewn merrily around the room; I think about the office I used to work in, where an ear-splitting alarm went off every time someone opened the front door (so people used to leave it wide open most of the time, to avoid the noise).

And now I can add good old M&S to the list of entities whose approach to security is counterproductive and baffling. I recently ordered a pair of trousers from the website with a gift card. The gift card was a present from my in-laws. To use the card online, the serial number isn’t enough; you need to type in a PIN, which is hidden behind a scratch-off surface. The problem is that it’s almost impossible to scratch off the surface in a way that leaves the PIN intact. I’ve had this problem with every M&S gift card I’ve ever used, and it’s stressful. Because if you render it unusable trying to see the PIN, it’s your problem. M&S won’t take any responsibility for damaged cards.

Anyway, I arranged for in-store collection and ticked the box saying “Don’t associate any credit cards with this payment”. There was some blurb warning that if I ticked the box and my gift card was found wanting, there might be a delay with my order while they took my credit or debit card details. But I wasn’t worried because I knew there were enough funds on the gift card.

The next thing that happened? They asked for my credit card details anyway. Why? Apparently I had triggered a security concern with my wildly out-of-character behaviour; I’d never ordered an item for in-store collection before, and I would have to enter my credit card details to prove I was me.

How wrong is this? Let me count the ways. For a start, if I walked into a physical store with the gift card, nobody would challenge my identity. Nobody would even ask about my identity. But because it’s a website, first they force me to register before I can buy anything, then they start keeping track of my buying behaviour. The “security” aspect of this breaks down if you expose it to the tiniest bit of sunlight: what exactly is the risk here? That someone has stolen my identity in order to log in to the Marks & Spencer website as me, buy a cheap pair of trousers in my size, order them to be delivered to a store near my house and pay with a gift card?

What stopped me abandoning the whole transaction? The sunk cost fallacy, I guess. I’d already spent time finding a nice item in the sale, going through the ordering process, trying to read the PIN on the gift card, etc. So I went ahead and supplied my credit card details. The transaction went through.

Then I got a confirmation email saying that there were two payment methods for the item. So my credit card had been charged after all? Or not?

I contacted M&S to complain. They don’t have the courtesy to supply you with a real email address; instead you have to fill in a hateful webform. So I don’t have a record of what I wrote. I just know that I mentioned:

  • the terrible design of the gift cards, where trying to use them online carries a high risk of damaging them so they can’t be used (and you won’t get the money back either).
  • my deep unhappiness at the fact that they required me to supply my credit card details to prove I was me. Because if they could use those details to verify my identity, that means they’ve been storing my credit card information without my consent.
  • the confusing email that didn’t make it clear how payment was eventually taken - I knew the text might have been boilerplate, but I have no way of differentiating "automatically generated boilerplate" from "stuff they're actually trying to tell me".
  • the confusing nature of the online purchase process. I begged them to do some user testing.
  • the fact that I was being forced to contact them through a webform at all, instead of being supplied with an email address.

I got a reply a few hours later that was quite impressive in its failure to address any of these concerns at all. Apparently my comments will be forwarded “to the e-commerce team for their consideration” but I didn’t get a response about any of the specific issues I raised, of which the biggest was my worry that they’ve been storing my credit card details without my knowledge or consent.

The person who replied obviously had sort-of-read my email because she confirmed that payment for the item would be taken from the gift card only, but it didn’t really address my comment about the lazy boilerplate text that said something different. She also advised me that I should have ticked the box saying “Don’t associate any credit cards with this payment”. Ah, that would be the box that I ticked, wouldn’t it?

And of course, I can’t follow up on this by replying to the email I received, because it was sent from a no-reply address (another sign that an organisation isn’t really willing to engage in dialogue). If I want to get in touch again, I have to do it through the webform or (as they suggest) through the even worse “Help” section of the website. This is their way of saying “Go away now, stop trying to tell us how we can improve things.” And this blog post, like most Restless Consumer blog posts, is my way of saying: “OK then – if you don’t want to hear it, at least I can warn other potential customers.”

I’ve always been a huge fan of the M&S brand. Have been for most of my adult life. That’s why I keep asking for M&S vouchers for Christmas and birthday presents. My experience today has really, really damaged how I feel about M&S.

Update: they emailed me to say my item was in-store. More stupid, misleading boilerplate text about how they'd taken payment from my card even though they hadn't.
