
Problem

I tried to buy a few things from a particular industry, and the sellers are independently all asking for a copy of my driver's license to verify that it matches the details on the card because someone is telling them they need to do that. No secure portal, just some vague promises that it's for "verification", and they want me to send it via email. They say I am tripping their fraud protection software, or that their insurance company needs it, and that all the details need to match the ID. I am unfamiliar with this, and I have not had to do it in other transactions.

Rambling backstory

I've recently tried to place some pseudo-anonymous orders on the internet. I've done it before, and things went well. Use a VPN, use a prepaid gift card, make up a fake name, but use my real address. They made money, and I got stuff. Wins all around! Shipped directly to my door because it wasn't illegal or even shady. I live in a free state in the USA, and I'm currently trying to buy some legal parts for some legal things that I own. I stress the legal aspect because this is important, but leave the details out so people don't get sucked into a rabbit hole.

I prefer to keep things as anonymous as possible for a few reasons.

  1. Protect my identity.
  2. Limit exposure for the next data breach (you can't share what you don't know).
  3. Don't want to be in a database, tracked, profiled, etc.

I was able to get some details about what flagged their system, including a specific company (SignifyD) in the mix, and I'm quite surprised at why they balk (It wasn't the gift card). Given the political attention given to this industry, and that Mastercard, Paypal, and Stripe have decided to jump on the moral bandwagon, I think the industry is being forced to comply with onerous rules that only provide security theater, for sociopolitical reasons, not technical reasons.

Details that seem to trip "the system"

  • IP address used to place the order is a known VPN endpoint
  • Distance between VPN endpoint and ship-to location is very large
  • SignifyD does not recognize the email address across their network/database of email addresses

Questions

From what I can tell online, neither a MasterCard nor a Visa merchant should be able to decline a transaction because someone refused to give them ID. The articles I found were old, but the VISA cardholder agreement still says that. However, it also says in a face-to-face transaction. I'm not that familiar with their rules though.

  1. Can merchants require a copy of a photo ID?
  2. What regulations and protections are in place so the consumer doesn't get their details leaked/hacked when nontechnical people are getting a copy of confidential docs?
  3. Can an online merchant decline to process an order if you refuse to send your ID in plaintext to them, so that they can in turn send the details to a (usually unnamed) 3rd party for air quote "verification"?

Similarities / Not-duplicates

This question is very similar, but different enough that I feel it warrants a different question. Especially given that FROE (OP) seemed to be using their government name and details, whereas I am purposefully trying to obfuscate mine.

This question raises some of the privacy concerns to submitting your ID online, so I won't touch on them here.

Surprisingly, I didn't find many people complaining about this, but I did find this one:

https://forums.macrumors.com/threads/lacie-online-purchase-requires-photo-id.1646763/

schroeder
user196351
  • The legality aspect of this question is unanswerable unless you provide what jurisdiction you're in. – Lie Ryan Jan 09 '19 at 23:05
  • @LieRyan, legality may be determined by jurisdiction the OP is in, jurisdiction the business in question is in, the exact nature of what is being purchased, or any combination of the above three. – YLearn Jan 09 '19 at 23:14
  • Like I said, the USA, in one of the many states where these sorts of things are not regulated. Sellers are also in the USA, though I'm not sure where HQ for each of them is specifically. – user196351 Jan 09 '19 at 23:19
  • Two more upvotes and I can give out upvotes to the two answers below, which clearly warrant them. – user196351 Jan 10 '19 at 00:50
  • They basically want to cover their asses by getting your identity. Using a third party provider for sales ass-covering services makes this common practice, especially in a country with a high degree of hostility or where suing someone for financial gain is the norm. – John Keates Jan 10 '19 at 02:24
  • It's pretty reasonable to not do business with someone using a fake name and cash-equivalent payment method regardless of fraud specifically related to credit cards. There would be hard conversations if the merchandise were used illegally and there were documentation that they ignored a fraud warning... They also don't know they're not protecting you from an adversary who knows you're on vacation and is using your address to drop ship. – Affe Jan 10 '19 at 19:43

3 Answers


I'll start with the TL;DR version of the answers to your explicit questions, and then give some breakdown beyond that.

  1. A merchant may set any requirement they wish upon a transaction (as long as it doesn't violate some other law). They can ask for gov't issued photo ID, they can ask specifically for a RealID or Passport, they can even ask for a blood sample (gross, but allowable). Of course, you can also set a requirement for working with a merchant (just say no and go elsewhere), so their demands should have some balance to them.
  2. Now, here is the trick. Even if the credit card company isn't requiring it, the data they are asking for is Personally Identifiable Information (PII) and will be handled by a merchant that is doing credit card transactions. The credit card industry requires that all this information be protected as part of PCI/DSS (Payment Card Industry Data Security Standards) even if it wasn't collected for card processing. So once they have your license (PII) they have to protect it the same way they do credit card numbers and billing address.
  3. See #1 -- a merchant can set any requirements they wish upon a transaction.

You can stop here and be ok, but I like more detail in my answers. So, now, for the more interesting tidbits.

First, on the security side. As someone who has worked quite a bit with online card acceptance I'll have to ask you to take my word for it: the detection system "trip points" you describe are all very valid and things I'd use in my own acceptance criteria. Knowing that a purchase is coming from a known VPN (anonymizer) endpoint is a big red flag; sure it could be someone just wanting privacy, but it could also be a hacker using the data they just stole from that next data breach. Followed up with the IP of the endpoint is physically distant from the shipping address (another common fraud indicator) and it looks just the same as someone stealing credit cards and drop-shipping goods to a pickup point. It isn't, it's just you; but the pattern the automated detection system sees doesn't know the difference, or you -- hence point 3. Having your email in their system means they've verified you before, they know that this is how you shop, and they are willing to accept that fact. You didn't fail because you weren't a known account, it was just that they couldn't give you the "yeah, I already know this guy" exception.

Now, on to the questions on the purchase itself. A transaction of purchase is a negotiated deal between two parties, the seller (merchant/store/whatever) and the buyer (you). To complete a transaction either you both have to agree to each other's terms, or one (or both) of you will need to modify expectations/terms to make the overall deal an agreeable one. As I mentioned above, a merchant may require a copy of my passport before they sell me something. That's fine. But I still have the option of saying "nope, I'll go over to Brownell's and just pay the extra $80 to not have to show that." Either of you can negotiate the terms of the deal, it is only a purchase when both sides agree and fulfill those terms.

Again, terms within the bounds of the law. Neither party may make any agreement term that directly contradicts the established edict of law: for example the merchant cannot make terms that discriminate based upon protected status (ie: the deal is no good if you are of a specific ethnicity

But this is a continuation for the merchant, they could literally be stuck in the middle. To examine that let's play a bit of make believe.

So, let's imagine that your local mom & pop toy store (Johnny Doe's) has been running in the same place for a few generations. They've got near-zero overhead, the building and land are paid for & they buy their stock up front; which in turn means that I can go shopping for something from my favorite Austrian or Belgian toy makers for about 18% less than I can get it anywhere else. I like shopping at JD's, it saves me a lot of money. And, about 12 years back they started taking "plastic" for payments, which means I don't have to go to the bank before buying one of the bigger toys...

Now, a couple of months ago JD's credit card processor (not Visa or MasterCard, not even the Merchant Bank that JD's uses, but the middle-man that handles the electronic connections of the credit/debit card scanner) decided that they didn't much like the kind of toys that JD's sold. The processor upped their fees for verifying card transactions from 2% to 6% to try and "discourage" the use of their service at JD's. Because of their contract, they can't dump JD's as a client, but they can change rates and requirements at will (and JD's signed up for that when they agreed to the contract). To keep their margins the same, JD's adjusted the price of the toys by adding a fee "for the convenience of using card payments" (or, to stay within the terms of the agreements with Visa/Master/etc, they actually upped all their prices and give discounts for cash customers). That's fine, in fact I'd expect it and I happily paid the higher rate because JD's whole shop was still cheaper than anyone else. The card processing company modified the terms of the agreement with JD, who in turn modified the terms they put onto any sale (everyone raised their prices).

But this can very easily continue. The card processor can now say "because we deem this class of product to possess a health and safety concern, we require that all transactions have additional supporting documentation to help verify that at-risk groups are not making the purchases" (aka: we need a photo ID for proof of age -- or address). This is the same thing that most stores do with superglue and spray paint, "oh, you want to buy this, first let me see your ID to prove you're old enough to be responsible with it." As a society we've grown accustomed to that and accept it; but you could just as easily tell the WalMart cashier "you know what I don't have it on me, just keep it and I'll go over to Ace where they make silly requirements." That is, you can decline the terms and not make the purchase.

In the case of JD's toy store, they were stuck in the middle. The card processor required something of them, and JD's didn't have enough leverage to negotiate a better deal (they're a small mom & pop, they have good volume for what they do, but not enough to change the mind of a company that keeps McDonald's and Target sized clients). So when I try to negotiate a better deal JD's is stuck, they can either eat the expense (and watch profitability disappear, the most likely desire of the card processor) or they can pivot the deal (we can't lower the price, but we can give you a discount for cash). In the end, old man JD himself still makes sure to keep a couple of boxes of consumables for my favorite Belgian toy on the shelf and I visit his shop regularly...

Ruscal
  • Why does the VPN endpoint matter so much? That's a trivial thing to change. It seems these markers are more to train better hackers than prevent fraud. Am I missing something? – user196351 Jan 10 '19 at 01:26
  • Do you leave your toy cabinet unlocked because experienced thieves come prepared to break locks? What would the anti fraud service say to their clients and shareholders if they lost a pile of money to a fraud that would have been detected by the anti fraud equivalent of a $5 masterlock? – Affe Jan 10 '19 at 02:31
  • As Affe points out, these are in place to cover all bases. My kitchen has never caught fire; not as a kid, not while off to college, not while living on my own since. But I still keep an up-to-date fire extinguisher in the cupboard. A very good hacker may only be slowed by this, but little Jimmy taking photos of customer cards from the Mexican restaurant he works at after classes are out, it'll stop him cold. – Ruscal Jan 10 '19 at 03:18

Can merchants require a copy of a photo ID?

Depends on the credit card and the nature/location of the transaction. Merchant agreements for Visa and Mastercard indicate they cannot require ID (for properly signed credit cards). "Store policy" may not necessarily adhere to the letter of the merchant agreements, but you will likely have to complain to Visa/MC as your typical employee isn't going to risk getting disciplined/terminated on your behalf.

The big thing to keep in mind though is that most credit cards aren't considered valid without a signature that is present and clear (for comparison purposes, not legibility). No signature or it is worn off? Then the merchant may be required by their agreement to make you sign the card and provide ID (possibly more than one - Discover for one requires two). From my experience, most of the time they will just check the ID and not require the card holder to sign the card.

Of course, applicable local, state or federal laws will supersede any sort of cardholder/merchant agreement. So in at least Texas, merchants can decline a transaction if you fail to produce ID when requested for any purchase. Additionally, the type of good you are purchasing often determines if you need to produce ID. Common examples would be alcohol, tobacco products, firearms or accessories, or any number of other controlled substances.

When it comes to online purchases, this muddies things even more as merchants may be required to adhere to laws in the location of their business and/or the location to which they are shipping the product. Often this means that online purchases often default to the policy that is safest for the business.

What regulations and protections are in place so the consumer doesn't get their details leaked/hacked when nontechnical people are getting a copy of confidential docs?

Again, depends... what credit card, where is the merchant, where is the customer and what is being purchased. A couple of examples:

  • PCI DSS compliance may be required as part of the merchant agreement.
  • HIPAA compliance is likely required for any health care purchases in the US (i.e. drugs, medical supplies, etc).

European privacy regulation/laws are almost always more strict than those found in the US.

Can an online merchant decline to process an order if you refuse to send your ID

Certainly. If the merchant is based in Texas, or depending on the credit card in use or the item being purchased.

send your ID in plaintext to them, so that they can in turn send the details to a (usually unnamed) 3rd party for air quote "verification"?

This is certainly where things get more suspect. I doubt there is any situation where they can require you to send it in "plaintext" without creating some sort of compliance or regulation violation.

However, any of a number of secure means exist for providing and passing along this information. You may be able to request one, but then in the situation you describe your ID wouldn't match the false name you provided.

YLearn
  • I'm not sure how buying alcohol or tobacco works online, but they are both highly regulated items. Firearms are also highly regulated, and the background check is performed at the destination, not over the internet. Firearm parts or accessories are not regulated in any capacity. Healthcare purchases would either be by prescription, which contains no PII or can be faxed over, or completely unregulated. The problem arises in that almost all people don't know anything about encryption except what CNN has told them, and can only work a computer enough to use a webservice. – user196351 Jan 10 '19 at 00:11
  • Small mom and pop shops that hire companies like SignifyD are interested in business, not techy stuff like secure file transfer. I found the same articles you did about Texas' new law, but no mention of other states. – user196351 Jan 10 '19 at 00:11
  • @user196351, "Firearm parts or accessories are not regulated in any capacity." You are incorrect as there are a number of firearm parts or accessories that are regulated depending on jurisdiction. Some restrictions by regulation I am aware of in certain locales include various types of ammunition (for example, teflon coated or other armor piercing rounds, tracer/incendiary ammunition, etc), silencers/mufflers, high capacity clips/magazines, devices/parts to enable fully automatic fire, bump stocks, ...must I go on? – YLearn Jan 10 '19 at 01:38
  • ya, as someone in CA who owns firearms, I can 100% guarantee you that there are a TON of regulation of firearms components: lower receivers being the big one that trips people up oftentimes. A lot of online retailers of parts will absolutely err on the side of caution, because unlike shipping to an FFL, if they ship to you and they weren't supposed to, their hide (and FFL) is on the line. – Angelo Schilling Jan 10 '19 at 01:43
  • I see your point. However, some of those things are illegal, some are regulated, and some are neither. NFA items like silencers and machine gun parts are highly regulated and are not classified as parts or accessories, but as firearms (in addition to their other regulations). I didn't consider a minimum age as a regulation, but technically that is. I'm not familiar with tracers having any specific regulations, but most ranges won't let you shoot them. Before they were illegally banned, bump stocks were just a piece of plastic and didn't even have a minimum age requirement. – user196351 Jan 10 '19 at 01:46
  • @user196351, regulation in general terms is provided by laws, statutes, codes, ordinances, orders, and regulations, among other things. Minimum age *is a regulation*, there is no "technical" about it whether it is a law, statute, etc. It is regulated, period. Tracers are illegal to own and/or shoot without law enforcement "permission" in at least several states I am aware of and bump stocks have been illegal in CA since the 90's. I am specifically not addressing the "illegally banned" comment as it isn't productive to this format nor germane to the question asked. – YLearn Jan 10 '19 at 02:38

Unsure in the US, but in France, when a client contests an online payment, the bank has to prove that the order of payment was validated by the client. A signed document is of course a proof, an order validated by the secret key of a credit card is accepted as a proof, even if disputed if the bank can know the secret. But knowledge of anything that is printed on the card is not.

So online payments are nothing more than a gentlemen's agreement between the merchant, the client and the bank. If all are honest, everything is fine: the client receives their goods and the merchant their money (and the bank is paid for the transaction). But if the client can contest, the bank has to give him his money back, and tries to get it back from the merchant. If he has blindly accepted a valid card with no effort to identify the real person that used it, he has committed an inexcusable fault and will lose his money.

Nothing except a handwritten signature or a smartcard certificate signature is a direct proof. But a bundle of consistent hints that Mr John Doe asked for the transaction can be. That is the reason why merchant sites do their best to identify their customers. And they think that if the IP is not hidden and located near the delivery address, if the name in the address, the credit card and the email are consistent, and if all that information is already in their database because you have already had a transaction, they are safe. But if all the information is inconsistent, they are not. You can disagree with those rules, and just abort the transaction. But as they take the risk, they just want to limit it.

Alternatively you could suggest that they only send the goods about 1 or 2 months after receiving the payment. As fraudulent payments are generally detected in less than one month, they could trust that everything is fine. But in that case, you take the risk that a fraudulent organization just takes the money and disappears...

Serge Ballesta
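The signals named in the question and in the first and third answers (known VPN endpoint, distance between the IP's location and the ship-to address, unrecognised email, consistency of names) can be combined into a review decision as sketched below. This is an added example, not code from the thread and not Signifyd's or any merchant's actual logic; the thresholds, VPN range, coordinates and sample orders are constructed assumptions.

```python
import ipaddress
import math
from dataclasses import dataclass

# Constructed sample data: a documentation-range network stands in for a VPN exit list.
KNOWN_VPN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SEEN_EMAILS = {"returning.buyer@example.com"}  # emails with prior good orders

@dataclass
class Order:
    ip: str
    ip_geo: tuple      # (lat, lon) from an IP geolocation lookup
    ship_geo: tuple    # (lat, lon) of the ship-to address
    email: str
    card_name: str
    ship_name: str

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def fraud_signals(order, max_km=500.0):
    """Return the signals an order trips; each one is a hint, not proof."""
    signals = []
    addr = ipaddress.ip_address(order.ip)
    if any(addr in net for net in KNOWN_VPN_NETS):
        signals.append("vpn_endpoint")
    if haversine_km(order.ip_geo, order.ship_geo) > max_km:  # assumed threshold
        signals.append("ip_far_from_ship_to")
    if order.email.lower() not in SEEN_EMAILS:
        signals.append("email_unknown")
    if order.card_name.strip().lower() != order.ship_name.strip().lower():
        signals.append("name_mismatch")
    return signals

def decide(order, review_at=2):
    """Approve, or hold for manual review once enough hints stack up."""
    signals = fraud_signals(order)
    # Assumption: a recognised email acts as the "already know this buyer" exception.
    if "email_unknown" not in signals:
        return "approve", signals
    return ("manual_review" if len(signals) >= review_at else "approve"), signals

# Constructed orders: same VPN exit and ship-to, differing only in email history.
PRIVACY_BUYER = Order("203.0.113.7", (52.37, 4.90), (39.74, -104.99),
                      "new.buyer@example.com", "Alex Example", "Alex Example")
RETURNING_BUYER = Order("203.0.113.7", (52.37, 4.90), (39.74, -104.99),
                        "returning.buyer@example.com", "Alex Example", "Alex Example")
LOCAL_NEW_BUYER = Order("192.0.2.10", (39.76, -105.02), (39.74, -104.99),
                        "first.order@example.com", "Sam Sample", "Sam Sample")

if __name__ == "__main__":
    for o in (PRIVACY_BUYER, RETURNING_BUYER, LOCAL_NEW_BUYER):
        print(o.email, decide(o))
```

The first two orders differ only in whether the email has history, which is the difference between a hold and an approval under these assumed rules.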