
Is this not fraudulent?

62 replies

slippysept · 08/06/2022 21:08

Went out for a meal last week. Split the bill with a friend. Her credit card transaction got declined although we had left the restaurant in a hurry to catch our train so didn't know until I noticed they had charged me twice on my card to make up for hers being declined.

I had used contactless to pay for my share of the bill but most certainly had not agreed for it to be used for her share.

There's no issue with me getting the money from her but can restaurants actually do this (their defence was that the table bill needed paying no matter what).

LadyLolaRuben · 09/06/2022 06:50

They've taken an unauthorised payment from your card. You're best ringing your bank to inform them

12Thorns · 09/06/2022 06:53

Criminal

123ZYX · 09/06/2022 06:58

Lulubo1 · 09/06/2022 06:48

Sadly I don't think this is a GDPR breach. From my training about 3 years ago, companies can keep your data if it's for "legitimate interest" and payments fall under that. If it relates to debt collection, they can keep your data. It's the most flexible of the GDPR rules and most businesses will use that as an excuse to keep your data. I may be wrong, but that's roughly what I remember from my training. I hate to be a Debbie downer.
I think it's really dodgy that companies can do that and get away with it.

While the retaining is permitted, the data can only be used for the reason agreed - in this case as a record of the payment made. If they want to use it for another purpose (taking another payment) they need permission from the person who the data belongs to.

In the case of taking payment for a damaged hotel room or to pay a room service bill, the card details would have been taken for that purpose. On check in, the customer would be told the reason the details are being held.

Foolsrule · 09/06/2022 07:08

Of course it’s fraud. I would raise with your bank asap.

LIZS · 09/06/2022 07:17

Assume you have confirmed with your friend that their payment did not go through?

Polpette · 09/06/2022 07:27

Of course the restaurant are able to do this. It's not fraud and it's not criminal. The only criminal activity is leaving without paying your bill. I know in this instance it was an accident but why should the restaurant be out of pocket?

AmaryIlis · 09/06/2022 07:27

SwedishEdith · 08/06/2022 21:56

Agree it feels iffy but what do they do about customers leaving after only paying 50% of the bill?

Make sure they check whether the payment has gone through before the customer leaves. They don't steal it from another customer.

IstayedForTheFeminism · 09/06/2022 07:29

Why did they let you leave before knowing the payment went through? Have you checked with your friend that their payment was declined?

AmaryIlis · 09/06/2022 07:29

Lulubo1 · 09/06/2022 06:31

I used to work at a hotel. We regularly put through payments without the cardholder being there. (I'm going back around 13yrs ago). When you tap your card, two receipts are produced. One for the restaurant and one for you. The cardholder receipt has some of the card numbers blocked out, that's the one you take. If you drop it, no one can get your details. But the receipt for the hotel/restaurant shows your full card number with expiry date. My assumption (and please bear in mind, this is only my assumption) is that when your friend's card was declined, they manually punched in the card numbers from your receipt into the card machine and processed the payment that way. When I worked at the hotel, we would do this if guests left without paying or damaged a room without paying. They would give us their card details at check-in, so we had them stored. Trust me when I say, companies absolutely store your card details, even if they say they don't.

But that is authorised when you give them the card details at the beginning of your stay. That doesn't apply when someone makes a one-off payment.

HuntingoftheSnark · 09/06/2022 08:29

I used to be financial controller of a hotel chain about 10 years ago. We could retain cardholders' details except for the three digit CVV number, which PCI DSS compliance specifically says you can't keep. Or it did then, anyway.

Devotedcatslave · 09/06/2022 08:36

It is not fraud as there is no dishonesty. They have just taken what was owed to them. I am sure they have breached some rule or other about processing the transaction without your authority though. Ultimately, if you can get the money back from your friend, and they have been paid the correct amount I don't see why this is an issue in this case?

Lizziekisss · 09/06/2022 08:50

@Lulubo1 that is no longer the case, and hasn't been for years. We use a card machine in our business and our merchant copy slips now only hold a truncated version of the long card number, so it would be impossible to re-input those details to take a second payment. It all sounds very odd, you know instantly if a card is declined so I struggle to see how OP's friend could have tapped her card and then left without awaiting the result, it takes seconds. Must have been one hell of a getaway.

MeanderingGently · 09/06/2022 09:08

As other pp have said, it isn't fraud as they have only taken payment for money which was owing them.

I work in hospitality and we always take payments after guests have left the hotel....if they have smoked in a room (it isn't allowed and is clearly stated on booking that there is a charge if they do) or if they have walked off with all the toiletries, gowns (and in one case, even the iron!) We report it to reception who then take another payment using the card details which are on the previous receipt.

In your case, you obviously both didn't realise that your friend's card had been declined and neither did they at the time, but they would have afterwards, so they took the owing money from the card details which worked. There is no problem with that; it would have only been a problem if they'd taken extra money which wasn't due to them or the cards debited for wrong amounts or whatever.

slippysept · 09/06/2022 09:08

'I struggle to see how OP's friend could have tapped her card and then left without awaiting the result, it takes seconds. Must have been one hell of a getaway'.
We were in a rush, assumed that it had gone through as there was nothing from the staff member to suggest it hadn't so we subsequently rushed off for our train.

There is no problem getting the money back from my friend so it's not like I'm out of pocket.

Neither would either of us dream of not paying for what we had eaten.

What I was concerned about was the ability of restaurants to do this.

To the PP who asked what the receipts they've sent me say. It's this:

Receipt 1:

'Merchant Copy'
Receipt number (same as Receipt 2)
Visa Debit no (same as Receipt 2)
'Keyed'
'Please debit my account'
My Half of amount owed
Time - 18:44
Authorisation Code (different from Receipt 2)

Receipt 2:

'Merchant Copy'
Receipt number (same as Receipt 1)
Visa Debit no (same as Receipt 1)
Contactless
No CVM used
Time: 18:40
Other half of amount owed
Authorisation Code (different from Receipt 1)

SolasAnla · 09/06/2022 10:51

Lulubo1 · 09/06/2022 06:48

Sadly I don't think this is a GDPR breach. From my training about 3 years ago, companies can keep your data if it's for "legitimate interest" and payments fall under that. If it relates to debt collection, they can keep your data. It's the most flexible of the GDPR rules and most businesses will use that as an excuse to keep your data. I may be wrong, but that's roughly what I remember from my training. I hate to be a Debbie downer.
I think it's really dodgy that companies can do that and get away with it.

Specific purpose for data collection.

Storing and repurposing data are 2 different things. They can store the credit card data for a number of reasons eg as a financial record for annual accounts or in case of a tax audit. But it's not a legitimate interest to use it for something which was not disclosed prior to the data being collected and for which the data subject's permission is required.

When you worked for the hotel, part of the terms and conditions of the contract specified that the hotel would use the credit card to make good any damages caused by the occupier or their guests and to cover any items charged to the room within the duration of the booking. If a guest stayed twice and used card A the first time and card B the second time the hotel do not have the right to charge card A for the second stay because one of the terms of the contract includes a specific method of payment.

The OP had a contract once the meal was ordered, a debt after the meal was served, however the staff created a variation of contract by splitting the bill or creating 2 debtor accounts.

If the OP had left a cheque could the business cross out the value and double it? Photocopy the cheque to create a second cheque and demand payment from her bank? If they were still seated would the staff have taken cash out of her bag without asking?
Yes?
No?

Unfortunately for the business (without a precondition*) once the OP paid 50% of the cost she cleared 100% of her liability, her debtor account was at zero and her friend's remained at the unpaid amount. So any claim of using her data to pay a debt fails.

  • the business can display a sign to warn credit card holders that any card presented can be to
SolasAnla · 09/06/2022 11:14

How odd.. uploading post deleted my pre-post edits..

Edit1
But it's not a legitimate interest to use it for something which was not disclosed prior to the data being collected and for which the data subject's permission is required,
and/or where the data subject would not have shared their data if they had known at the time what the data would subsequently be used for.

Edit2
the business can display a sign to warn credit card holders that any card presented to pay for a group meal can be to settle the full bill.

@Lizziekisss the companies normally asked that the merchant copy not show the details as dishonest staff were a risk and careless disposals of the slips have resulted in GDPR fines when the slips were found dumped by the general public.
Professional nosiness post the introduction of pin numbers, is the process now that individual transactions log with the credit card company or is the system running a periodic batch report?

SolasAnla · 09/06/2022 11:25

Op Is the timing about right, that you left at 18:40 ?

From what I understand receipt 2 should not be listing CVM if a pin was used. If you have the original receipt issued to you can you check if the authorisation code matched receipt 2 as the authorisation should be unique to a single transaction.

Is it possible that the terminal was not used correctly and both transactions were re-input?

3luckystars · 09/06/2022 11:28

This is interesting. I stupidly thought that when you tap that your details are not stored once the receipt prints. But they must be.

I would not be one bit happy about them double charging me without my consent.

SolasAnla · 09/06/2022 11:56

3luckystars · 09/06/2022 11:28

This is interesting. I stupidly thought that when you tap that your details are not stored once the receipt prints. But they must be.

I would not be one bit happy about them double charging me without my consent.

The retailer has to store them somewhere as they need to have a detailed list of how much their credit card company will pay them.
In my time (it may have changed) the retailer receives a similar statement to what the individual receives except that it is money due to them plus a list of any fees or deductions which they owe the credit card company. The credit card company may also hold back a % to cover chargebacks or disputes which only come to light after the business's internal dispute resolution fails to satisfy the customer.
They would usually have a list of disputed transactions where you as a customer go direct to the credit card company.
In a lot of cases the business not the credit card company usually end up carrying the loss when transactions are disputed. In this case if the OP is not fair she can succeed in having the 2nd charge cancelled.

Plus if you, as a customer, dispute a charge the retailer has to have some way of producing evidence of what the charge was for; so they have to be able to find an individual transaction from months prior.

In cash driven industries HMRC could also request that the business produce till receipts as they like to check the original source data as it is normally harder to fake successfully.

slippysept · 09/06/2022 13:23

'Op Is the timing about right, that you left at 18:40 ?

From what I understand receipt 2 should not be listing CVM if a pin was used. If you have the original receipt issued to you can you check if the authorisation code matched receipt 2 as the authorisation should be unique to a single transaction.

Is it possible that the terminal was not used correctly and both transactions were re-input?'

Yes, the timing's about right. My customer receipt matches the one which says 'No CWM Used/contactless' and is timed at 18:40. I didn't use a pin but rather the contactless facility. The Authorisation code is the same. However, I've noticed that on my receipt it says 'Re-Print. Merchant Copy'. I hadn't even noticed that before. Perhaps this is what all customer receipts say ...?

Youcansaythatagainandagain · 09/06/2022 13:37

It is not fraud as there is no dishonesty. They have just taken what was owed to them

They took it from another customer - someone who had already paid.

The restaurant is at fault.
Fair enough you are happy to pay as it was a genuine mistake. I would report them under GDPR.

Lizziekisss · 09/06/2022 13:40

@SolasAnla My understanding is that PCI prohibits the storage of the PAN (long card number) after authorization of a transaction, anywhere, either with the merchant or merchant services provider. I am just a merchant not a card provider expert though.

JesusMaryAndJosephAndTheWeeDon · 09/06/2022 14:14

Did you pay a deposit or give card details to open a tab or secure your booking? That would enable them to debit your card for the unpaid portion of the bill legitimately.

Yodaisawally · 09/06/2022 15:08

I've been to my local Tesco express before, tapped and walked out. When I went in next time they told me it hadn't gone through. It's not necessarily declined as in no money but they sometimes want extra verification. If you're in a rush it isn't always obvious.

They shouldn't have charged you twice though op.

SolasAnla · 09/06/2022 15:20

@Lizziekisss thanks a lot has changed since my days some of the places still had the old imprint dockets for when the leci failed 😀. I presume that the transaction ID or the authorisation code is used to track queries? But there must be some way to store a card number as it links the transaction to the transaction.🤷🏼‍♀️