Amazon Knows Your New Bank Card Number Before You Do

83 points | jeremyleach | 9 years ago | theguardian.com

26 comments

[+] ChemicalWarfare|9 years ago|reply
As others pointed out this is a rather standard flow handled by the account updater service[s]. What I would add is most of the time the merchant doesn't store your payment instrument data other than last 4 digits and an expiration date just so the card in your "digital wallet" can be identified in the UI - "Your Visa ending in ...1234" type deal.

Instead, they store a token provided to them by the payment processor which represents the card. That token stays the same even if your account info gets updated. So the only thing the merchant updates is the "metadata" of the payment instrument for end user's convenience. The actual heavy lifting associated with the update is handled on the payment processor side.

That said - from what I understand Amazon is a bit of an exception here and they actually store the full blown card info (other than CVV which is "illegal" to store) so they have to deal with the implications of account updates themselves.

[+] ifoundthetao|9 years ago|reply
You nailed it.

I work for a payment gateway and I've written several Account Updater integrations.

[+] phire|9 years ago|reply
If you read the article carefully, there is no indication that Amazon actually gave her (or even had) the full credit card number.

"it turned out the last four digits and the expiry date matched the card on my Amazon account."

I checked, and Amazon does indeed only show you the last 4 digits and expiry date.

[+] Artemis2|9 years ago|reply
Most acquirers support Account Updater. Here are some documents with more information for the major card brands:

Visa: https://usa.visa.com/dam/VCOM/download/merchants/visa-accoun...

Mastercard: http://www.mastercard.com/ca/wce/PDF/ABU_Fact_Sheet_2011_EN....

Amex: https://icm.aexp-static.com/Internet/NGMS/US_en/Images/Cardr...

To my knowledge, you can't opt out as a consumer.

[+] tzs|9 years ago|reply
There seem to be at least two levels of service with the updater services. I've only dealt with them from small merchants, and the available interface was a batch query/response interface.

We'd submit a file containing a batch of account numbers we wanted information on. This submission is by posting to a URL.

We could then poll a URL for status on that batch. When processing was complete the status changes, and an email would also be sent to us. This could take two or three days.

We could then retrieve the results from a URL. They might be partial results, in which case we could keep polling that status to find out if more results were available. Some cards would never get a response.

Apple seems to have a fancier level of service from the card associations that gives access to some kind of push interface.

My bank sent me an offer to upgrade my card. This was the card that I use with Apple Pay. I accepted via online banking. Less than a minute later my phone beeped. It was a notification from Apple Pay that the new card had replaced the old card on my Apple Pay.

[+] dbg31415|9 years ago|reply
This is very common among almost all major eCommerce companies. Clickbait title, but the gist of this is to say, "Hey, we know you lose your card from time to time... and cards eventually expire (sometimes because of a security breach or other issue that you, the end-user, had nothing to do with). Rather than make you waste time going back through and updating every instance where you opted for the vendor / service provider to save your info, and risk you getting late fees or your electricity being turned off, let's just be smart and push updates to trusted stores that you have already opted to give your card to."

Nothing sinister going on here at all.

[+] terminado|9 years ago|reply
Sometimes I cancel a card, to revoke access to accounts I lost the password to.

When I cancel a card, that doesn't mean that certain people should predict their own capacity to use a new card.

Glad to know that the destruction and replacement of a card might not work. I will now reconsider my tactics for revocation.

Clearly, I need to destroy, uproot the account, migrate elsewhere across provider boundaries, and deny further awareness of cards that might possess the property of re-use.

Certain companies must only be aware of disposable numbers, since they seem to be frisky about what I'd elect for them to know.

[+] blockloop|9 years ago|reply
As others have said, it is very common in ecommerce. There are strict rules around the updates. Your bank knows why the new card was added. If the reason was simple (i.e. renewing because of expiration) then they share the new card with Account Updater. However, if your card was lost or stolen Account Updater will notify the subscribers but will not share the new card number. This prevents chargebacks and other common billing problems.
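
An added sketch (not code from any commenter or from a real updater service) of the merchant side described in this thread: the stored token stays fixed and only the last four digits and expiry change, partial batch results are applied as they arrive, and a notification that carries no new number marks the card unusable until the customer re-enters it. The outcome labels, field names and sample tokens are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Hypothetical outcome labels for this sketch; real updater services use their own codes.
UPDATED, CONTACT_CARDHOLDER = "updated", "contact_cardholder"

@dataclass
class StoredCard:
    token: str          # opaque processor token: stays the same across updates
    last4: str          # display metadata only ("Visa ending in 1234")
    expiry: str         # MM/YY, display metadata only
    usable: bool = True

def apply_results(vault, pending, results):
    """Apply one (possibly partial) result batch; return tokens still unanswered."""
    pending = set(pending)
    for r in results:
        card = vault.get(r["token"])
        if card is None or r["token"] not in pending:
            continue                      # unsolicited or duplicate result: ignore
        if r["outcome"] == UPDATED:
            last4 = r["last4"]
            if len(last4) != 4 or not last4.isdigit():
                raise ValueError("expected last 4 digits only, not a full number")
            card.last4, card.expiry = last4, r["expiry"]
        elif r["outcome"] == CONTACT_CARDHOLDER:
            card.usable = False           # no new number is shared; ask the customer
        else:
            raise ValueError(f"unknown outcome {r['outcome']!r}")
        pending.discard(r["token"])
    return pending

def demo():
    # Constructed sample data: tokens and digits are made up.
    vault = {t: StoredCard(t, l4, exp) for t, l4, exp in [
        ("tok_a", "1234", "02/17"), ("tok_b", "5678", "03/17"), ("tok_c", "9012", "04/17")]}
    pending = set(vault)
    first = [{"token": "tok_a", "outcome": UPDATED, "last4": "4321", "expiry": "02/21"}]
    later = [{"token": "tok_b", "outcome": CONTACT_CARDHOLDER},
             {"token": "tok_z", "outcome": UPDATED, "last4": "0000", "expiry": "01/20"}]
    pending = apply_results(vault, pending, first)   # partial results
    pending = apply_results(vault, pending, later)   # tok_c never gets a response
    return vault, pending

if __name__ == "__main__":
    vault, pending = demo()
    print(vault, "unanswered:", sorted(pending))
```
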
[+] electric_sheep|9 years ago|reply
Good timing on this post! I just got a new card and was baffled by how Netflix was able to update my account details before I was. Maybe I should be creeped out? But damn if it isn't convenient. (Who else finds themselves uttering this phrase with increasing regularity these days?)

[+] tracker1|9 years ago|reply
No kidding... Having to update a list of a dozen or more accounts to a different payment method when switching banks is hard. Doing that when your card expires, you will often miss one or two.

[+] org3432|9 years ago|reply
Comcast was doing this with my account, however after they upgraded their backend late last year they reverted back to the old card number and silently failed to bill my card. So good to be aware that it's not completely seamless.

[+] _Codemonkeyism|9 years ago|reply
Never have done that, but some people think letting CCs expire on accounts to get out of contracts is the way to go.

With this it seems this isn't a viable route (anymore?).

[+] chimeracoder|9 years ago|reply
> some people think letting CCs expire on accounts to get out of contracts is the way to go.

That's a terrible strategy. It doesn't free you of any actual liabilities if you're under a contract.

It's like saying that refusing to send a check to pay your electricity or post-paid phone bill is a way to "get out of a contract". The company will just send you to collections (most likely) or sue (if your debt is large enough).

[+] ceejayoz|9 years ago|reply
That was never a viable route. The vendor can entirely legitimately send you to collections for that.

[+] StreamBright|9 years ago|reply
I wish we lived in an era when I did not need to know my credit card details.

[+] sugavaneshb|9 years ago|reply
Apple payment (iTunes) supports this as well.