Cedar Point Charged My PayPal For Purchase I Didn't Make

Nancilee's avatar

WaterDummy said:

Yeah, very concerning that (real) payment information would be used in a test environment; let alone for that test to go to the production side. I am apprehensive to continue to use PayPal through them, but at the same time I don't see how it would be any different if I switched it over to another card when they're using actual accounts to "test."

My son is a coder and IT person, and told me this is not unusual for companies to use actual accounts as test subjects, but that they are supposed to anonymize the user data before doing it.

Perhaps it was someone new? Or maybe someone with lots of experience who got lax in their procedures? We will never know for sure.


Nancilee Jones

Regardless, they shouldn't be using straight account information without changing anything up. Using generic account numbers or values would have prevented this mess.


-Miker-

CoasterGuy15's avatar

I can tell a couple of people on this thread are most likely the same people that would probably argue and blame a cashier at a retail store for something being out of stock, something not ringing up as the right price, or their credit/debit card not going through (these are all not the cashier's fault!!). I experience this too much on a daily basis and it hurts to see the same principle on display in an online thread. #RetailStruggles

On a different note, I'm glad this seems to have been resolved.

Jeff's avatar

Nancilee said:
My son is a coder and IT person, and told me this is not unusual for companies to use actual accounts as test subjects, but that they are supposed to anonymize the user data before doing it.

Yeah, but that's not using actual accounts. And it's not just that... typically a production payment system uses tokenized account numbers, meaning the number that's stored "next to" your account data (name and such) is not an actual account number. Instead, it's a token that points to a completely different system, typically not reachable directly from the Internet, that says, "Give me the token, and I'll charge the account against the actual number." If you're using test data, none of the tokens should coincide with production accounts. Ever.

To me that says one of two things. This separation isn't a part of their architecture (doubtful, because it's PCI DSS basics for a company that fundamentally sells things), or they have connection configuration information in their build system, used mistakenly in the test environment. If that's the case, that's still bad news, because you should always isolate your test environment from production. For a public-facing system, they shouldn't even be on the same network. You also shouldn't have connection configuration information in your build system.


Jeff - Advocate of Great Great Tunnels™ - Co-Publisher - PointBuzz - CoasterBuzz - Blog - Music
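An added example, not part of the post above and not code from any system named in this thread: a toy token vault in which every token is bound to the environment that minted it, so a production token presented to the test vault (or a test token presented to production) is refused before any account is touched. `TokenVault`, `demo`, the HMAC tag format and the card numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy card vault: callers hold only tokens; the PAN never leaves the vault."""

    def __init__(self, environment: str):
        self.environment = environment
        self._key = secrets.token_bytes(32)  # per-environment key, never shared
        self._pans = {}                      # token -> PAN, held only inside the vault
        self.charges = []                    # (last4, cents) this vault processed

    def _tag(self, token_id: str) -> str:
        # Tag ties the token id to this environment and this vault's key.
        msg = f"{self.environment}:{token_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def tokenize(self, pan: str) -> str:
        token_id = secrets.token_hex(8)
        token = f"{self.environment}.{token_id}.{self._tag(token_id)}"
        self._pans[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        """Charge only if the token was minted by this environment's vault."""
        parts = token.split(".")
        if len(parts) != 3 or parts[0] != self.environment:
            return False                     # wrong environment prefix
        if not hmac.compare_digest(parts[2], self._tag(parts[1])):
            return False                     # tag not made with this vault's key
        pan = self._pans.get(token)
        if pan is None:
            return False
        self.charges.append((pan[-4:], cents))
        return True


def demo():
    prod, test = TokenVault("prod"), TokenVault("test")
    customer = prod.tokenize("4111111111111111")  # constructed sample PAN
    fixture = test.tokenize("4000000000000002")   # constructed sample PAN
    return {
        "test_vault_rejects_prod_token": not test.charge(customer, 100),
        "prod_vault_rejects_test_token": not prod.charge(fixture, 100),
        "test_vault_accepts_own_token": test.charge(fixture, 100),
        "prod_charges": len(prod.charges),
    }
```

Token scoping like this does not replace keeping production connection settings out of the test environment: a test job pointed at the production vault with production tokens would still pass these checks.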

Jason Hammond's avatar

Jeff said:

And did I mention that if you use a credit card, these kinds of things get sorted out with no inconvenience or issues to you?

Every time I've ever had an issue with PayPal, they always rectified the situation for me. Additionally, I always switch my payment method to Credit Card. Aside from the additional security, I get miles. :-)


884 Coasters, 35 States, 7 Countries
http://www.rollercoasterfreak.com My YouTube
