I tweeted about a password being sent in clear text by Adyen (a payment service provider). They called me up and told me I could not be a customer since I had tarnished their reputation.
I have been looking for a good payment service provider for a while now. My startup MakePlans has many small customers, so a pay-as-you-go pricing model was a requirement in addition to good APIs. Basically I want to use Stripe, but they are not yet available in Norway.
So I stumbled upon a provider called Adyen. Their API documentation is in a PDF, parts of which you have to ask for via email. They mainly use SOAP but also have a REST API. There are no libraries, few code examples, and their GitHub account has very little activity. I should have seen the warning signs there. The typical non-developer way of handling what is in practice an IT-based implementation. The very reason why I have been waiting for Stripe and looking at Braintree (unfortunately they introduced a €100/month requirement).
I talked to a contact person at Adyen who was very nice and was willing to decrease their usual requirement of 1000 transactions per month to 100 for our clients, who are small hairdressing salons and doctor offices (so new to e-commerce and doing small volumes). Their pricing was also very good (much cheaper than Stripe). So I decided to implement a simple prototype. The signup process for a test account is not a form on their website as you would expect; instead you have to give details via email. OK, so I did. Then I received an automated email with the username and password for the account in clear text. Now if this was a dating site I would be disappointed with such a practice. But for a payment provider who is supposed to secure online payments and store credit card details, sending credentials via email is a big warning sign about how they have secured their application. So what did I do? Well, I tweeted about it of course.
Testing Adyen as a payment gateway and they send me password via email and cc to my contact person there. Great start!
— Espen Antonsen (@Espen_Antonsen) November 13, 2013
Then I received an email from my contact who wanted to have a chat about the Twitter conversation (I also was in contact with their support on Twitter and I assumed he was referring to that). During the call I was told that the management was not happy with my tweet and did not want customers to express their opinions on Twitter but instead contact them directly. My tweet was damaging to their reputation and they did not want me as a customer.
I assume there are old men from the finance industry involved in this decision, but I also assumed even they were aware of the norm and power of social media these days. If customers, or a potential customer in this case, are unhappy they will tell people on Twitter or Facebook. And to deny a customer for expressing an opinion on Twitter? Perhaps these guys should move to North Korea and continue their business there? To top it off, in this case it was not some shit-throwing rambling but rather pointing out a practice that is considered insecure by anyone who has knowledge about building secure web applications (btw we just implemented two-factor authentication in MakePlans, perhaps that is something you should spend your time on instead of discussing ‘negative’ tweets, Adyen). The email was also cc’ed to my contact person at Adyen, who should not see my password. Nobody should.
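For contrast with the practice described above, here is what a signup flow can send instead of a password: a single-use, time-limited activation link, with only a hash of the token kept server-side so neither a leaked mailbox nor a cc'd copy hands out a reusable credential. This is an added example written for this post, not Adyen's or MakePlans' code; the 30-minute lifetime, the placeholder `example.invalid` domain, and the in-memory store standing in for a database are all assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Assumed policy: an activation link is only good for 30 minutes.
TOKEN_TTL_SECONDS = 30 * 60

# In-memory stand-in for a database table: sha256(token) -> record.
# The clear token is never stored; it exists only in the emailed link.
_pending_activations: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_activation_token(account: str, now: Optional[float] = None) -> str:
    """Create a single-use activation token for `account` and return it.

    Only the SHA-256 digest is persisted, so a database dump does not
    reveal anything that could be typed into the activation form.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_activations[_digest(token)] = {
        "account": account,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_activation_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account for a valid, unexpired, unused token, else None.

    The record is marked used on first redemption, so a copy that leaked
    through an inbox cannot be replayed once the real user has activated.
    """
    now = time.time() if now is None else now
    record = _pending_activations.get(_digest(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True
    return record["account"]


def build_activation_email(account_email: str, token: str) -> str:
    """Compose the mail body: a link carrying the token, never a password.

    The recipient chooses their own password on the activation page, so
    nobody else (support staff or a cc'd contact) ever sees it.
    """
    link = f"https://example.invalid/activate?token={token}"  # placeholder domain
    return (
        f"To: {account_email}\n"
        "Subject: Activate your test account\n\n"
        "Open this link within 30 minutes to set your own password:\n"
        f"{link}\n"
    )


if __name__ == "__main__":
    # Constructed walk-through: issue, mail, redeem once, then fail on replay.
    t = issue_activation_token("salon@example.invalid")
    print(build_activation_email("salon@example.invalid", t))
    print("first redeem:", redeem_activation_token(t))
    print("replay:", redeem_activation_token(t))
```

The two properties that matter here are that the mail carries something the user can only spend once, and that the server holds nothing that can be turned back into a working credential; the password itself is chosen by the user over TLS on the activation page and never travels by email.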
As an added bonus here is a screenshot of their back-end administration. Hello 1999.