No, Citibank, TidBITS Does Not Sell Cryptocurrency
It has been one of those weeks where I was busy the entire time, but seemingly not all that much came of it. A good chunk of my week went to resolving a curious problem affecting a handful of TidBITS members. While the initial days of the problem were quite frustrating, the resolution was both gratifying and a testament to how wonderfully helpful TidBITS readers can be.
The first indication we had a problem came from our support wiz, Lauri Reinhardt. She was helping a TidBITS member whose renewal was declined by the bank. He had contacted Citibank, and the customer service rep said the transaction had failed because it was being put through as cryptocurrency. (This was patently ridiculous, especially given our public distrust of the entire field—see “Understand Cryptocurrency, but Don’t Invest in It,” 20 April 2022.) His protestations fell on deaf ears, so he wrote to Lauri. She looked through the Stripe transaction logs but could find no indication of anything related to cryptocurrency. But she did notice an uptick in subscription renewal failures.
When she reported this, our developer Eli looked also and discovered that most of the failed transactions had a transaction_not_allowed decline code, and all of those had come from Citibank. Simultaneously, I heard from one of my TidBITS Content Network subscribers about a failed renewal, and it turned out that he was using a Citibank credit card, too.
It was time to contact Stripe support. The problem might be affecting only 10 people so far this month, but it was just going to get worse, and not everyone can switch to another credit card from a different bank. At the time, I also thought it might be a more general Stripe problem, though that turned out not to be the case.
To make a long story shorter, Stripe’s email support, in the person of a guy named Tristan, was sympathetic but insistent that Stripe wasn’t doing anything wrong. During this time, more TidBITS members were having conversations with Citibank, all of which devolved to Citibank claiming that we were selling cryptocurrency, which Citibank and other credit card companies haven’t allowed for years. (I suspect this may be related to the volatility of cryptocurrency in various ways.) No one was able to get Citibank to back down and approve the transaction, with reader Brian Stone saying that he might as well have been talking to his neighbor’s dog.
I couldn’t find any way to call Citibank myself, not being a customer, so I kept asking Tristan to escalate. Eventually, I used Stripe’s support option to request a phone call and, amusingly, got a call a few minutes later from Tristan, who was on phone support that day but wasn’t expecting to talk to me. He had a strong Irish accent and was very nice, and while he continued to reiterate that he could find no indication that Stripe was doing anything wrong (which I agreed with), he did understand my point that only Stripe was in a position to resolve the problem. He promised to see if he could find someone else who could help. Next, I heard from Tony, and then from Charles, who held the party line in the face of my persistent requests to have someone at Stripe call Citibank. But when I mentioned that I’d be writing about my experience in TidBITS, Charles brought in Matt.
I don’t know if there was background communication that resulted in Matt helping me, but he was a longtime TidBITS reader who knew full well that TidBITS had nothing to do with cryptocurrency. He promised to look for contacts within Stripe who could call Citibank, but before that, he introduced something new to the discussion, the Merchant Category Code. He noted that changes to the MCC can sometimes cause problems like this, but since ours hadn’t changed recently, he didn’t think that was it.
“Hold on a moment!” I thought. I didn’t even know we had an MCC, but if ours wasn’t accurate, perhaps Citibank had changed something on their end such that they had started misidentifying our transactions. According to Matt, our MCCs had evolved through:
- Computer Software Stores (February 2018 to July 2018)
- Computer Programming (July 2018 to August 2018)
- Computers, Peripherals, and Software (August 2018 to October 2020)
- Computer Programming (October 2020 to present)
Those changes had all been made by Stripe algorithms, and none described what we do well. Noting that sometimes human intervention was necessary to get an accurate MCC, Matt provided me with a list of them. For TidBITS memberships, I chose “Miscellaneous Publishing and Printing” and (the next day, since I missed it the first time) “Digital Goods Media: Books, Movies, Music” for TidBITS Content Network. Matt changed those codes for me, after which retries of the payment requests worked instantly. Finally!
All’s well that ends well, and although I had to be pushier than I prefer, persistence paid off. By getting to a TidBITS reader in Stripe who was willing to share more of what happens behind the scenes, I finally found the key to solving the problem.
In fact, that’s the second time in the past month that a TidBITS reader has helped out. When I wrote about issues associated with Cloudflare’s Automatic Platform Optimization service in “LittleBITS: Website Changes for Speed and Security” (6 June 2022), a TidBITS reader named Jonas, who works on the tech side of Cloudflare, emailed me with some welcome advice. Thanks to both Matt and Jonas! As Eli drily noted afterward, one way to get great support is to spend 32 years building a loyal following. I like to think of it as good karma.
Oh, good grief. You were a lot more patient than I would have been.
As an aside, the MCC is an important item for some bonus categories with some credit cards, and (as far as I can tell) it’s almost impossible to learn it in advance. For example, I had a card that paid extra points when I charged “dining” to it. It turned out that a charge at The Crumpet Shop in Seattle, where I ate on-premises, returned a text category that looked like it qualified (I don’t recall what it was, but if someone asks, I’ll try to find it) but the 4-digit code indicated Bakery and so it didn’t qualify. I have yet to meet the customer-facing retail store employee who knows what the store’s MCC is.
Why does Citibank think that Computer Programming means Cryptocurrency? If the MCC changed in 2020 why did you start having problems now?
I think Brian was being very unfair to his neighbour’s dog, comparing it to IT/bank helplines!
TidBitsCoin cryptocurrency is nice branding and could create another revenue stream. (I’m kidding…who wants a negative revenue stream?). Lately, my mantra has been: Life is short, the day is long.
It sure seems to me that Stripe (and all other payment processors) should inform you and have you verify the MCC!!
Even though I was not personally affected by this problem, I greatly appreciate the work and time you put into this problem.
This is one reason I will continue to support TidBits!
We’ll, there was an article on the site about crypto and investing in crypto, but it was way too long to read. Just reject the transaction to be on the safe side. I mean, it’s not like they’re a customer. Or even a rich customer.
I wonder if crypto exchanges purposely use bad MCCs to get around the issue of buying and selling crypto with credit cards. They’ll claim they’re a programming site that sells computer books.
The automated categorization is definitely something to follow up on, but what if it was stupider?
What if… it was because there’s BIT in the name?
(Edit) FWIW I did see that the problem was resolved and the payments went through, but like Beatrix W. above, it seems very strange that “computer programming” would be taken to mean cryptocurrency to me.
There’s no way of knowing what the real reason is. Modern anti-fraud systems are complicated beyond the ability of even the sites own engineers to understand.
I’ve frequently has transactions blocked (by big-name companies like Dell, Paypal and Amazon), all without any explanation. And even after hours of calls to tech support and escalation all up the chain of command, nobody has ever been able to give a satisfactory explanation why.
In my case, the banks always say they never received a charge request, and therefore never denied anything. The merchant then says something like “something about your purchase set off a fraud alert”, but they are unable to tell me what it was. Apparently, Dell thinks it is suspicious that you might want to buy a computer from them.
When pressed, they usually end up providing an obvious BS argument. Most recently it was “your e-mail address doesn’t include your full name”. As if no honest person ever uses an e-mail address without his full name it it, and no fraudsters would ever create a bogus mailbox with my name at some popular free-mail site. And the fact that I had used that e-mail address in the past from that same merchant, didn’t matter at all.
Then they inevitably start making insane demands like asking me to send them notarized documents that prove my ID. The kind of documents that would be worth a small fortune to an identity thief, and which even the bank issuing my home’s mortgage didn’t ask for. At which point, I tell them to take a flying leap and usually never do business with them again.
Oh jeez, that in conjunction with the Computer Programming MCC is as good an explanation as anything else.
At least one of the TidBITS folks I talked with had that happen too.
A few decades ago, it wasn’t unusual for my credit card to stop working at inappropriate times because of fraud detection.
I was helping my son get setup in Houston for an internship. I was in Target getting him stuff he needed for his new apartment when my credit card stopped working. Then the hotel called me and told me the hold on my credit card was rejected.
I called my credit card company, and they explain there were a bunch of recent unexplained charges on my credit card. For example, there were these plane tickets from New York to Houston and all of these charges for Houston for a hotel and then a large purchase at Target.
I explained that it was me, and that I was helping my son settle in Houston. No problem they told me. They’ll call me at my home number. I can answer it and they’ll remove the lock from my credit card. I explained I wasn’t home, I was in Houston about 1500 miles away. Can my wife answer my phone. No it has to be me because it was my credit card. I explained I couldn’t even get home if I wanted to because I couldn’t buy a ticket for a return flight.
I frantically worked with my wife to forward our home phone to my cellphone, so my credit card company could call me and unlock my credit card. We finally got it to work. My credit card called me on my home phone, I answered on my cellphone, and my credit card was unlocked.
Unfortunately, I suddenly realized I couldn’t call my wife back to tell her how to stop forwarding the calls to my phone. We couldn’t get that done until I flew back home.
Financial institutions eh? They’re just not geared to resolve anomalies. I think their employees have the same training as politicians (well British ones at least). Never accept there’s a problem. Ignore all evidence. I think it’s called lamplighting.
On the issue of banks not allowing credit cards to be used to buy cryptocurrency. I don’t think it’s anything to do with volatility. Neither can you use them for gambling debts or any other cash-like transaction. For those you have to withdraw cash and use that—paying the issuing bank a handsome fee for the privilege, plus a hefty rate of interest starting from the moment of withdrawal. Otherwise you’d be using credit to buy cash. This is considered, probably with some justification, as a very slippery slope by central banks.
This is why I still call my credit card companies ahead of time when I’m flying internationally — though even that doesn’t always work.
(I genuinely had a conversation from France where they acknowledged that there was a note on my file that I was traveling to France but nonetheless there these suspicious charges from France)
This story made it into Apple News+, at least in the UK. Well done @ace for becoming an international journalist.
One big step up from being a publisher of a newsletter with an international audience.
Amazingly, this hasn’t been an issue for a long time. I haven’t called my credit card commoner when I travel.
However, they are amazingly quick. My son got off our train station and he got a call from hide credit card company. Did he just purchase a train ticket at the next station? He looked and realized his credit card was missing. Someone picked it up, got off at the next station and bought a $5 ticket to see if it worked. Somehow, the company felt it was suspicious purchase and immediately contacted my son.
I had never heard of the MCC before, but it could explain some of the mysterious categories that Quicken uses to describe companies that show up on my credit card charges. Why don’t they contact the companies they list and ask what their products are? Is that just too simple?
I’ve had the same experience, occasionally with Amazon. Once I made the mistake of attempting to update my email address right before I placed an order for a laptop. This act seemed to trigger their fraud alert system, and I’ve had trouble buying electronics using Amazon ever since. At other times, I’ve had charges refused when I was at a store or restaurant. In all of these, my credit union said that there was no charge for them to refuse, although on at least one occasion they were able to dig into the matter further and find the refused charge. (I’m sorry that I don’t remember any details, the most recent occasion was a few years back.)
It depends on the bank and the department.
I used to work credit card disputes for a large global bank (not Citi, but similar in size and scope). In disputes, we were given extensive training, to better help customers identify transactions (a huge number of supposed “fraudulent” charges reported by customers are actually cases where they just don’t recognize or remember the charge or the merchant for a variety of reasons). That training, btw, included MCCs, which when assigned automatically are determined by an inscrutable method that nobody understands.
The fraud department, otoh, seemed to be trained and staffed by drunken pelicans. We in Disputes hated having to send cases to Fraud because half the time they would come back to us for no valid reason. I had cases where we pulled the signature slip, the customer said flat-out, “That’s not my signature” (which automatically and immediately makes it a fraud case), and Fraud sent it back to disputes because “customer has purchased from similar merchants in the past”. (Not even same merchant, but other merchants with the same MCC.)
Generally speaking, if you want someone to actually try to figure out what happened and resolve your issue, your best bet is to talk to someone in Disputes rather than in Fraud. It’s not a sure thing—there are a lot of lazy reps in Disputes too—but dispute specialists are more likely to have been hired and trained to be problem solvers rather than automatons.
These insights are the best thing I’ve read all day.
And now I can’t get the image of drunken pelicans out of my head.
Don’t use Stripe, (yet) but found this link about MCC on the the Stripe support page. Would this have been helpful to find out what your MCC code was and to possibly change it manually?
Yeah, that was what Matt from Stripe pointed me to for the list. There are some remarkably specific ones there, like Detective Agencies and Wig & Toupee Stores. Others are wildly general.
That’s a very interesting article. One thing stood out to me:
If “Computer Software Stores” is the default they use when they can’t figure it out on their own, then it would be reasonable to assume that some banks will consider that MCC to be untrustworthy.
I wonder if the fact that TidBITS had that code for six months in 2018 might be significant.
Could be, though it would seem odd if Citibank would itself track the MCC changes over time. I can see why Stripe would do that, since we have an account with them, but I would think that Citi would be more likely to just handle transactions as they come in without trying to infer anything about particular merchants over time. But that’s speculation far beyond what I actually know about payment processing.
Several years back I had an encounter like that with Bank of America’s fraud department. I had been charged a few dollars by a parking lot in Atlanta, where I had not been in more than a decade, and it looked to me like someone had cloned my credit card and was testing if it was valid. The guy I spoke to said it was a “card present” transaction so it had to be valid, and got rather obnoxious when I told him I had not been in Atlanta. More like a pelican with a really bad hangover than a drunken pelican. I finally got that straightened out later, and have never had such a problem since then, but it’s the type of idiocy that customers remember a long time.
My wife works as the office manager for a synagogue. They had been using Wells Fargo for years. One day, she gets a message from Wells Fargo claiming they believe their business is fraudulent, and they would close down their checking account in a month. No explanation why. No appeal. I think they had been using Wells Fargo for about two decades ever since it bought the bank they were originally using.
They did open another account, and they were able to access all the money in their account, but the pain of switching your main checking account was still there. What’s even more interesting is that they had no trouble opening a new account. Banks have a special form they fill out to let other banks know of troublesome employees and customers. Usually, if a bank suspects you’re involved in fraud and closes your bank account down, you shouldn’t have an easy time finding another bank to use.
This apparently has been an issue for many customers. Wells Fargo telling long time customers that they detected fraud, and are shutting down the account.
It’s not a problem only in the US. A few years ago a colleague of mine had her account suddenly closed by HSBC, where she’d banked for 20 years, seemingly because she practises under her maiden name but uses her married name for everything else. She was furious, as well as greatly inconvenienced.
For April Fools this year I proposed TidCOIN, which would have been a TidBITS-backed cryptocurrency. Glad we didn’t run with that!
See, now, that’s incompetence in my view. The industry-standard definition of “credit/debit card fraud” is “unauthorized use”. If someone steals your card and uses it, that’s fraud. If your teenager “borrows” your card without your permission, that’s technically fraud (though few parents will actually have it prosecuted, it still would be handled by Fraud rather than Disputes if the cardholder wants the charges removed). “Card present” does not preclude fraudulent use.
Never mind that fact that if it’s not a secure transaction (such as chip-and-pin or NFC), “card present” is meaningless, because the banking system sees no functional difference between a magnetic swipe and hand-keying a card number. A swipe is just feeding a string of characters into the system. You can manually key the card info and still mark the transaction as “card present”.
“Card present” used to mean that a signature or PIN was requested, but once card issuers started allowing transactions without signatures, that could no longer be considered a given. Unless the transaction was cryptographically secured, the “card present” flag is unreliable and should not be used by the financial institution as evidence for or against fraudulent use.
Well there’s your problem. Wells Fargo is, IMO, a criminal syndicate pretending to be a bank. So nothing anyone complains about them surprises me anymore.
Cleaning up my Quicken accounts, I discovered that the MCC for paying for Turbotax which showed up on a credit card is “Taxes”, which Quicken lists in the same grouping as state and local taxes. It’s easy to see how someone relying on Quicken to feed information into TurboTax could find TurboTax trying to deduct this as a tax payment of some kind. It should be listed as something like Tax Services.