It's been years since the last time working on some shopping related web applications that I forgot the main angle behind the design of those applications is to make it as easy as possible for the customers to spend their money. The idea behind online shopping business is that it's so easy that as long as we have a credit card (or credit card numbers), we can order whatever we want.
So last time I went to Groupon to purchase a voucher for gift because of the convenience. Prior completing the payment, I was surprised that everything is already filled up. What I have to do to complete the payment is basically just to click the "Submit Order" button. And there is no explanation provided that "after clicking this button, your credit card will be charged". It just happened, my card was charged.
So convenient, right? Imagine if some day Groupon's database get hacked, what will happen? If really one day all those credit cards numbers were downloaded by someone else and he's using them to shop around, I wonder if Groupon is going to stand up and take the full responsibility to handle customers' claim to VISA to fully refund all the money drained by the hacker. If not, then at this time the customers are going to experience big time inconvenience, provided that they're using a credit card. If they're using debit VISA, then I wonder if Groupon is going to refund those money, because debit card has zero fraud protection and does not provide dispute resolution options.
The fact is that this kind of thing happens, and when it does, everything is already too late. For example this is what it will look like when 6 millions of CSDN's users credentials getting hacked and shared publicly on XunLei (a torrent clone of China). This event occurred just last month, and I was one of the members of CSDN. What happened is that since then my mail account (that I used to register on the website) has been always full of spams and I have to update every account that is using the same password (because it's a common knowledge that people tend to use the same password for everything).
Going back to my story about Groupon, I was upset for a few minutes and then daydreaming big time to sue the company. Of course it's not going to happen. They are big, I am just like a fly to them, chances are so small. But I still did some researches and asked around about it.
With the references given by some of StackExchange's member, I figured out that it's indeed illegal to store customer's CVV2 number.
The merchant must have confirmed that sensitive authentication data (i.e., the full contents of magnetic stripe, CVV2 and PIN data) is not stored, as defined in the PCI DSS.
So I wrote an email to VISA's AIS team to complain about that. What they replied is that they're unable to confirm if Groupon is storing customers' sensitive credit card information. The asterisk may not represent the actual CVV2 provided that the credit card information is also masked. If I have any concern about card security, I was supposed to contact the bank who was issuing the card (I assumed that they were trying to say that I may request the bank to just deactivate the card if I was really concerned about it).
But Amazon, Apple Store and PayPal also provide the same convenience, right? What makes it different between them and Groupon is that they explicitly explained it to us when we're going to enter the number, that it will be for future purchases as well. Groupon does not do that, I might have remembered it wrong, but I'm quite sure that there wasn't any explanation when I made the first purchase a few months before that.
To support my unreliable memory, additionally here's what we can see on Groupon's FAQ page. It is so beautiful and safe!
What make it worse is that Groupon is allowing you to connect your Groupon account with your Facebook account. People will commonly be being careless about Facebook account because it's just a social media. So what usually happen is that they will check the "remember me" button to keep their browser logged in to Facebook until there's one of the day when the browser's cookies are being cleaned up. Of course this is related to personal responsibility, but what I see here is that Groupon doesn't really care about their customers' security.
Maybe I'm just making this small thing such a big deal. But as a customer I never expect and wouldn't be thankful to have this kind of convenience, especially when it's related to the safety of a debit VISA card.