Payforit Sucks – Here’ s Why

Welcome

Welcome to Payforit Sucks. This site is dedicated to highlighting the security issues with the Payforit system implemented by all of the major UK mobile networks.

What is Payforit?

Payforit is a mobile payment scheme which was originally set up by the four “big” UK mobile network operators, EE, O2, Three and Vodafone. The Mobile Virtual Networks like GiffGaff, Virgin and Tesco are not directly involved but are consulted and share in the profits.

It allows subscribers to purchase goods and services, directly from their mobile phone. Purchases made through Payforit are charged depending on whether the subscriber is on a pre-paid (or “Pay as you go”) plan, or whether they are on a pay-monthly plan.

In the case of a subscriber on a pre-paid plan, the charge will be deducted from the subscriber’s credit or airtime. If the subscriber is on a pay-monthly plan, then the charge will be added to their monthly phone bill.

How does Payforit work?

Payforit provides the facilities to bill mobile users directly through their mobile phone. There are two common methods, single-click billing and Wi-Fi billing.(1)

Single-click billing works only when the subscriber is browsing via their mobile data, and cannot work if the subscriber is using Wi-Fi. With single-click billing, all the subscriber needs to do is simply to click or tap a button, and the charge is immediately made. The phone number is automatically detected over mobile data, which is used for the billing of premium-rate services.

With Wi-Fi billing, things become more complicated. It is not currently possible to detect a subscriber’s mobile phone number through a Wi-Fi connection (unless it’s a “personal hotspot”, or mobile broadband connection, in which single-click billing applies instead), so the Payforit system will request the phone number of the subscriber. The subscriber enters their phone number, and a text is sent to that number with a confirmation code. The confirmation code needs to be entered into the Payforit system, in order to authorise the charge.

Stop Payforit helping thieves

So what’s the problem?

Briefly, when browsing or using Apps on a 4G network, this ‘service’  is capable of passing your phone number to a rogue trader and then allowing them to take money directly out of your phone account. Many consumers are unaware that this can happen and are shocked when they become the victim of one of these scams.

Payforit can be abused by scammers, especially in the single-click scenario, mentioned above. The single-click billing method requires no “real” authorization, other than clicking a link or a button in a web page, whereas the Wi-Fi billing method requires the user to receive a text message, and enter information from that message into a website.

Scammers have found various ways of getting consumers to click on these links. A popular one is to create a pop up box. When you click the X to close the box, you are deemed to have signed up to a subscription costing up to £4.50 per week.

It is also very easy to simulate a user clicking or tapping a button using Javascript. Javascript is client-side (meaning that it runs on your device) code used widely on the internet to provide interactivity with websites. Payforit  can’t tell whether a user willingly clicked or tapped a button, or whether it was done with Javascript code, without the user’s consent. In both cases it will pass the consumer’s phone number to the website and allow them to make charges against it. (2)

Some recent scams have used Apps downloaded from Google Play which contain malicious code which performs a sign up on your behalf. It is impossible to tell from the permissions requested by the App that there is a problem, as all that is required to sign you up is internet access through a mobile network. (3)

Let’s be clear about this, Payforit in itself is not a scam, but it does aid and abet scams and over recent years has been proven to be insecure.

References

  1. Full rules of the Payforit scheme
  2. Adjudication from PSA showing use of Javascript exploits
  3. Article on rogue Apps in Google Play Store

 

Recent Nuyoo Complaints

 

SB7 Threatened Legal Action

I learnt today that SB7 Mobile have reported several of my tweets to Twitter as being illegal.

Hello:

We are writing to inform you that Twitter has received official correspondence regarding your Twitter account, @Payforit_Sucks.

The correspondence claims that the following Tweets are illegal:

https://twitter.com/Payforit_Sucks/status/1001810694164099077

https://twitter.com/Payforit_Sucks/status/1001886151228182528

https://twitter.com/Payforit_Sucks/status/1001887291378368514

https://twitter.com/Payforit_Sucks/status/1004075931277889536

https://twitter.com/Payforit_Sucks/status/1007288491015901185

https://twitter.com/Payforit_Sucks/status/1008430324613877760

https://twitter.com/Payforit_Sucks/status/1009167746813382657

Twitter has not taken any action on the reported content at this time. We are only writing to inform you of content posted to your account which has been mentioned in a complaint.

We may be obligated to take action regarding the content identified in the complaint in the future. Please let us know by replying to this email as soon as possible if you decide to voluntarily remove the content identified on your account.

If you believe we have contacted you in error, please let us know by replying to this email.

This notice is not legal advice. You may wish to consult legal counsel about this matter.

For more general information on legal requests, please refer to the following Help Center article: https://t.co/lrfaq.

Sincerely,

Twitter

I have now responded to Twitter, as follows:

Hi

Thank you for informing me about this complaint. I have reviewed the tweets in question and cannot see that they break any UK or EU laws. They do serve to highlight widespread legitimate complaints about the company (SB7 Mobile) which I assume made the complaint. This company has been seeking to stifle valid and justified criticism both on Twitter and on Trustpilot. It is the nature of a platform like Twitter that such criticism will be made, and the normal response is for the company to answer the criticism, not to try to get the criticism removed by claiming it is illegal. I would be interested to know the reasons supplied by the complainant for these tweets being illegal.

I therefore do not propose to voluntarily remove these tweets, or to desist from posting further tweets of a similar nature.

However, I have no wish to cause problems for Twitter or to be in any way unreasonable. I understand that you have to protect Twitter’s interests, and if, after review, you hold these tweets to be illegal I will voluntarily remove these and a number of similar tweets which have not yet been reported.

Best regards

Paul

SB7 Limited and Trustpilot

SB7 Limited (the company behind the Nuyoo ‘Payforit’ scam) are currently trying to get negative reviews removed by Trustpilot, for breaching Truspilot’s guidelines.
To be fair to Trustpilot, some of these reviews, posted by angry consumers in the heat of the moment did use bad language and terminology which might be hard to justify legally. I can understand consumers calling SB7 mobile thieves, but it is probably better to say that they took money without consent!

One reviewer whose review is reproduced below has repeatedly amended his review, to comply with Trustpilot’s guidelines, only to have it objected to again. This is now getting ridiculous.

The post, produced below, is a potentially valuable resource for consumers, which Trustpilot are now denying access to.

Whilst the accusation that a phone number was obtained ‘illicitly’ might be regarded as a serious accusation, it is substantiated by the fact that the company paid the full amount taken plus court fees in order to avoid having to defend their position in court. I can see little else in the review that justifies its removal. I certainly don’t see any ‘offensive remarks’. I invite Trustpilot to identify what the problem is, but am beginning to wonder how much they have been paid by SB7 Mobile to silence justified criticism.

An Update I hope this post helps someone regarding SB7.
I have suffered the shock of this company debiting my account to the tune of £300. I did manage to fix it though, here’s how.
Bit of history.
I first noticed this company had been debiting my bank account in March 2018, on closer inspection of my O2 invoices it became clear that this company had been debiting my account since 2016.
I had given my wife my old iPhone 4 after an upgrade to the then newer iPhone 7 sometime around 2015-16. My wife only wanted the phone for emergencies as she is a technophobe. I purchased her a simple sim with free text small amount data etc. she was very happy with it. Being a technophobe, I always advised my wife to simply delete any messages or text she didn’t recognize for security. I never felt the need to check my account with O2 as she rarely used it to phone many friends, it was only my phone I kept an eye on online. Until by chance I viewed my account for her number in March 2018. Ouch.
On viewing invoice history, it became apparent SB7 mobile Ltd had been debiting for texts sent to her number since 2016 @£4.50 per text? Sometimes 5 texts a month. Grrr. I was very angry.
The Fix (Tip: stay calm stay civil)
I composed a letter to this company demanding a refund for the monies debited from my account. I complained that they had obtained her mobile number illicitly and underhandedly.
I advised that if I had no reply within 7 days to my complaint I would pursue a claim through county courts. I had no reply from this company to the request sent.
I made a claim to the county court regarding this matter around 16th March 2018. On the 23rd March 2018, I received via post confirmation of my claim through the post from the County court.
The same day I also received the first answer from SB7 regarding my complaint with an offer of £180 as compensation without excepting responsibility. I refused stating that I had already started a court summons and that it was my intention to pursue full settlement of my account debits plus the expense of the court £325.27.
SB7 subsequently revised their offer to compensate for the full amount £325.27 to be paid via the post office message system. I agreed to this on the proviso that I would only close my claim with the courts on receipt of cash owed.
So, I now await the post office text message from SB7 mobile Ltd for a full refund.
Advice for you if you want to recover monies owed by unscrupulous companies.
Be polite but firm, state your complaint by e-mail, request a resolution, give 7 days’ notice. If you get no answer take out a court summons, you can do this online (£25).
Do a search google (for company info Directors etc) Glean a home address for a director or Directors and include this address within your county court claim.
Hope this info helps someone, if I can do it so can you!

in an ideal world I would we would all be checking our accounts regularly.
Unfortunately, most of us live in the real world where we are just trying to earn a living and get on with our daily lives. I, for example, have a joint account with my wife? There is no way I’m going to start challenging her for any expenses she makes? Lol
This isn’t about debiting large amounts of cash from individuals although this can happen as I have proved!
This is about understanding modern lifestyle and Volume? By these companies.
How they glean our phone numbers is irrelevant, but they have them? They have probably purchased them via a data exchange. Who knows.
I am betting nobody here with a complaint will bother to peruse a claim if it is of small amount let’s say £10 or even £20? Most people will text STOP to the relevant number and that will be that. A few of us will contact the company directly to complain and may receive compensation. But not many? These companies know that.
It’s the sheer volume of customers who have had this type of attack that matters? You can prove this searching google for company information and viewing the turnover? Unbelievable!
What’s needed is proper regulation by government and accountability by this type of company.
Update 22nd June 2018
I have today received an email from customer support at Trustpilot after a complaint from SB7 mobile regarding specific wording within my post. I have edited my post to comply with Trustpilot’s terms and conditions as requested.
Thank you Trustpilot your service is excellent I can’t praise you enough.
I can also advise that SB7 Mobile (or associated companies) Paid the debt in full after my complaint. Thank You.
Update
7th July 2018
Received another email from the Trustpilot compliance team advising my post contained offensive remarks?. Begining to see a trend here where these companies take offense at our postings and complain? they then raise a compliance issue in the hope Trustpilot remove the post?

I shall try to retrieve other reviews when they are posted and will repost them on here when they are removed from Trustpilot, so that readers can decide for themselves whether the removal was justified.

If your review is one of those that has been removed, please amend and resubmit it. Don’t use bad language and avoid calling the company thieves or crooks. Just state the facts and let them speak for themselves.

Bodyin8 scam June 2018

In June 2018 there have been a large number of reports about Bodyin8.

They operate through a Level 1 provider called Tap2Bill who are responsible for the 83463 shortcode which is associated with quite a few of these scams.

At the time of writing they are not showing on the PSA Number checker. However the customer service number given in the sign up text is 03300538661. This number appears to belong to a company to which Bodyin8 have contracted out their customer service.

The company behind Bodyin8 is Well Fitness Ltd (Company number 09994445). The registered address is : Onega House, 112 Main Road, Sidcup, Kent, United Kingdom, DA14 6NE.

I am not currently aware of any email address which can be used for Bodyin8, so it may be necessary to send correspondence by post to their registered address.

Advice if you’ve been affected by the Bodyin8 scam.

Unfortunately, the way that this works is that you have to contact Bodyin8 and get them to stop the subscription. You should also ask for a full refund of any money they have taken. You are entitled, under Section 45(3) of the Consumer Rights Act 2015 to insist that this refund is made back to the account from which it was taken. Under section 45(4) of the same act, any refund needs to be made within 14 days of it being offered and accepted.

If Bodyin8 do not co-operate or do not refund in full, you can then revert to your own network, and ask them to take action under the Mobile Operators Code Of Practice for the management and operation of PFI (Payforit).  O2, EE, Three and Vodafone also have their own procedures for handling ‘Payforit’  and these are linked on this page which gives more detailed advice on how to proceed if you are refused a full refund.

Ultimately if a full refund is refused I have evidence that these companies will pay out when faced with the possibility of a claim in the small claims court.  Legal action, through the small claims court, is likely to be the fastest and most successful approach to resolving a dispute with Bodyin8. They don’t dispute that they have taken your money. Ultimately they have to prove that you knowingly consented to the payments or make a full refund.

You should also complain to the Phone-paid Services Authority  (PSA) about the unauthorised charges. The regulator will not handle individual cases, but will take action if specific companies generate a disproportionate number of complaints. PSA have informed us that they are already investigating this company.

 

Sample reports of the Bodyin8 ‘Payforit’ scam

I hate these scams – what can I do to help?

What can I do to help?

So you’ve done all you can to sort out your own case, but feel a sense of burning injustice about the ease with which scam companies can help themselves to consumers money. What else can you do?

Reviews of Companies

These companies are supposedly ‘trusted partners’ of the mobile networks. A read of their reviews on Trustpilot and on Facebook will tell you that these companies are anything other than trustworthy. Adding to these negative reviews can help reinforce this impression. No need to write an essay (unless you want to), just a one star review and a comment that says they tried to took your money without consent.

Reviews of the Regulator

If the regulator has failed to properly investigate your case,  has come to a perverse decision or has just been generally obstrutive or unhelpful, you can add to their reviews on Facebook. The regulator seems to believe it is doing a good job. It plainly isn’t.

Formal Complaints about the Regulator

The regulator enjoys a rather too cosy relationship with many of the companies it is supposed to be regulating. You can’t complain just because you don’t like the outcome of their investigation. You can complain if you don’t believe they have investigated properly, or if after their investigation they come to a conclusion which couldn’t be justified on the basis of the evidence. If they have found that ‘on the balance of probabilities’ the service provider has done nothing wrong, then they are saying ‘on the balance of probablities’ you are a liar. Make them justify this view!

Details of the complaints mechanism are here. https://psauthority.org.uk/about-us/complaints-about-us

Complain to your MP

MP’s have so far not shown much interest in this issue, but if there are sufficient complaints they may do so.

Respond to Public Consultations

The regulator regularly consults on it’s priorities and to changes to its Code of Practice. It rarely gets any responses other than those from the ‘industry’. In December 2017 PSA launched a consultation on its priorities for the next financial year and I submitted a response. I believe that it is partly as a result of this response that the are now going to review the rules for subscription services.

It is likely that these changes will go out for public consultation. It would be good for them to receive a large number of public responses demanding radical reform, including making ‘Payforit’ opt-in rather that opt-out. I’ll put an outline response on the website when the consultation is announced.

Help with this website

Running payforitsucks.co.uk is time consuming. Picking up consumer complaints on the forums of the networks and on Twitter and providing responses pointing to relevant help is time consuming, and I have to take holidays sometimes. We could always use additional content on the site. I’m happy to provide access to the site to consumers who wish to contribute their own unique perspective on ‘Payforit’. Please help build public awareness of ‘Payforit’ scams, as this is the best tool we have to get reform.

Legal Action

Tom (mailto:tom@payforitsucks.co.uk ) is keen to see legal action taken to force a judicial review of the law governing ‘Payforit’. Aspects of ‘Payforit’ are clearly dubious, but challenging the legality in court is an expensive and complex process. Decisions made in the Small Claims court do not set a legal precedent, so it is necessary to go to a higher court, where, no doubt, the other side will field a team of skillful barristers to ensure that the current gravy train continues.

Legal Action

The reason payforit scams are so prevalent at the moment is that the regulations in place are much to weak.

 

Dishonest fraudsters will always be out there, but generally people only ever commit fraud or theft if they think they can get away with it. The answer to stop pay for it scams is so simple. Make it as difficult as possible for fraud to occur but still allow merchants (Level 2 providers) who do provide a valued service to continue to grow and expand their businesses.

 

The easiest way to achieve this objective is to make the Mobile Network Operators (MNOs) responsible for any fraudulent activity on a customers account, as long as the customer has not been negligent in any way. If this was implemented, as the industry grows and develops, the MNO’s would have ultimate responsibility to adapt their required security features to protect their customers, much like every other other payment mechanism for goods or services that exists today.

 

OFCOM acknowledges on their website that Rogue software can be embedded in such a way as to circumvent anyverifiable method of consumer consent to charges. MNOs claim that with payforit they are simply providing a service, in much the same way that they provide with phone calls or a text messages. MNOs would argue that it is the responsibility of the phone user and Level 2 providers to ensure that there are agreements in place for digital content purchased on a mobile phone, and that the agreements are consensual and legitimate. On the face of it this is not an unreasonable position to hold because MNO’s should not be held responsible for the text messages, phone calls and subsequent charges that their customers incur. After all, even if a phone is stolen, until the MNOs are notified of the stolen phone the MNO’s are legitimately providing a service in good faith. why should not liable for the calls or text any thief makes?

 

There is an important difference though, call and text billing security is generally reliable, it is very rarely the MNO’s responsibility if fraudulent calls or text messages occur on a customers bill. (There have been cases where MNOs have been notified of a theft of a phone and failed to act accordingly, but generally security is very good and it is rare the MNO is at fault.) However, imagine a hypothetical scenario whereby MNO’s security measures in place were so poor that they routinely allowed fraudulent cloning of their customers SIM card details through no fault of their customers. In this hypothetical situation, it would be the inherent weakness of the MNO security systems that facilitated this hypothetical fraud. Because it would have been the MNOs weak security they would have to compensate customers costs and it would be entirely unreasonable to expect the phone user to foot the bill.

 

Going back to the issue with payforit, when rogue software can be embedded in a mobile phone utilising “clickjacking” “iframing” “sticky pop ups”  and other nasty tricks, because the MNOs do not have any security features whatsoever before offering third parties access to their customers money, they are negligent. It has become unreasonable for the the MNO’s to offer such an inherently unpredictable service without providing any protection for their customers, the reason so many have been caught with payforit scams is not down to the customers negligence, it is the MNOs themselves who have been entirely negligent by not having security requirements.

 

Given it is the weakness of the system that fraudsters are exploiting, and that phone users are generally not being negligent this puts MNOs back squarely into the frame for ultimate responsibility, and they need to be held to account. My objective is a big court case to put this argument forward that forces the greedy MNO’s to refund ALL disputed purchases made on a mobile with no security requirement to be refunded without question.

 

OFCOM have given responsibility for regulating this shady industry to the Phone Paid Services Authority (PSA.) The PSA are funded by the MNOs, and have no powers to investigate individual cases and the system keeps penalising consumers and needs to change. I am not a lawyer, but I think individuals taking their own cases to the courts are unlikely to succeed for a number of reasons. Firstly any victories at the County Courts are not binding so each case will be looked at on a case by case basis and would be difficult to orchestrate a collective strategy. Secondly in my case the Level 2 Provider who scammed me had offered a refund and effectively accepted liability.

My personal opinion is that a Judicial Review against OFCOM or the PSA is the best way to move forward. A Judicial Review on the Grounds that the PSA Code of Practice or Communications Act 2003 are unlawful, because they wrongly absolve MNO’s of their collective responsibility, and provide no stipulation that MNOs are required to be able to refund back using the same method as was used to take payment.  This is a clear breach of s.45(4) of the Consumer Rights Act 2015

This will not be easy or cheap, and will require legal advice, Court Fees etc but I welcome any suggestions on crowdfunding, or pro-bono legal advice etc that can be offered to get this Court action started.

Scammers – Nuyoo

In May 2018 there have been a large number of complaints about Nuyoo fitness. This is a service operated by a company called SB7 Mobile, which has has previously been fined for breaking the PSA Code of practice. The previous adjudication can be seen here.

UPDATE: This scam is continuing in to August 2018. Here are a few recent complaints, which could be referred to in a letter before action to show that, in all likelihood, Nuyoo is a signing up consumers without consent,

They operate through a Level 1 provider called Tap2Bill who are responsible for the 83463 shortcode which is associated with quite a few of these scams.

It also seems that a large number of affected consumers are with the Three network, so I wonder whether there may be a network specific problem here.

Please leave a review of SB7 Mobile Ltd on Trustpilot. https://uk.trustpilot.com/review/sb7mobile.com

Advice if you’ve been affected by the Nuyoo scam.

Unfortunately, the way that this works is that you have to contact SB7 and get them to stop the subscription. You should also ask for a full refund of any money they have taken. You are entitled, under Section 45(3) of the Consumer Rights Act 2015 to insist that this refund is made back to the account from which it was taken. Under section 45(4) of the same act, any refund needs to be made within 14 days of it being offered and accepted.

If SB7do not co-operate or do not refund in full, you can then revert to your own network, and ask them to take action under the Mobile Operators Code Of Practice for the management and operation of PFI (Payforit).  O2, EE, Three and Vodafone also have their own procedures for handling ‘Payforit’  and these are linked on this page which gives more detailed advice on how to proceed if you are refused a full refund.

Ultimately if a full refund is refused I have evidence that these companies will pay out when faced with the possibility of a claim in the small claims court. Ultimately they have to prove that you knowingly consented to the payments or make a full refund.

You should also complain to the Phone-paid Services Authority about the unauthorised charges. The regulator will not handle individual cases, but will take action if specific companies generate a disproportionate number of complaints. SB7 have been the subject of a number of other recent complaints.

Sample reports of the Nuyoo ‘Payforit’ scam

On GiffGaff Forum

Nuyoo spam text
by aaronmc97 in Help & Support
‎12-04-2018 00:29
Hi, I’ve been hit with a spam message, said ive apparently joined “Nuyoo.co” and received a text telling me that I’ll pay £3 a week or I can text STOP to a number, I texted STOP and it wouldn’t go…
Show results in replies (3)

oscarmr has a question about Hello I am receiving …
by oscarmr in Help & Support
‎10-04-2018 20:32
…and I don’t even understand how it came to my phone. They are charging every time they send me a message at least 3 pounds. I have cancel premium calls and I am going to try to block the number with…
Show results in replies (5)

drpetermezes has a question about I recieved scam …
by drpetermezes in Help & Support
‎02-04-2018 22:21
I recieved the following text: FreeMsg: U have joined to get fit @ http://nuyoo.co for £3.00 a week. Ur first 24 hours are free. To cancel text stop to 83463. Help? 03300535869″ Please advise

spam text

by pharmaroxxx in Help & Support
‎24-03-2018 02:27
hi, i have received a text message from an online gym company (nuyoo.com) which wants to charge me £3 a week to recieve text messages from them. it says i have already signed up but i haven’t. what…
Hide results in replies

Been charged £3 for unknown text
by missbarron90 in Help & Support
‎12-01-2018 17:48
Hello i received a text message the other day from 3009007 the text said paid for it charge and it took £3 off my credit i have no idea what this is and have blocked the number has anyone else had…
Show results in replies (1)

 

 

O2 evidence to OfCom concerning the management of Payforit in 2012

This document was presented to Ofcom in 2012 as part of a review of ‘Payforit’

The full original document containing this is here: https://www.ofcom.org.uk/__data/assets/pdf_file/0019/46513/statement.pdf

Monitoring

Monitoring is undertaken by WMC, a specialist company contracted by O2 to monitor the Payforit service. They carry out their work on a daily basis.
When a violation is identified, it is classified as a red or yellow card offence details are applied and sent to Mike Round (Head of Interactive Messaging Products) weekly.

Enforcement

On receipt of the summary from WMC, Telefonica O2 sends a yellow or red card (as appropriate) to the relevant Level 1/Level 2 provider, who is then requested to make the necessary changes, so as to be in line with Telefonica’s audit standards and the PhonepayPlus Code of Practice.
The usual Red/Yellow card standards are applied as agreed by all networks in the past (Red for more serious consumer harming behaviour; yellow for less serious violations that have to be remedied within two working days)

Resolution of customer queries and complaints

O2 Prepay or contract customer contacts the relevant care agent.
Care agent undertakes security check on Prepay confirms data for Postpay and then looks up via Your Companion (online tool) to identify the shortcode and the services using that shortcode and the Level1/Level2 contact details.
On discussion with the consumer if they wish to call the Level1/Level 2 themselves the appropriate telephone number is given as displayed on the care form so that the consumer can call direct to query the charges.
If the consumer does not wish to call separately then the care agent would complete the relevant online form on behalf of the customer which is then automatically sent to the Telefonica O2 offshore team that deals with escalations. The consumer is kept up to date via SMS messages.
If the consumer does not get any satisfaction from calling the Level1/Level2 and calls back to us to resolve the issue we would then complete the online form and the details would be sent automatically to our offshore team to deal with.
The offshore team would then contact the appropriate Level 1 provider and request the call logs to confirm what issues the consumer has raised.
The offshore team then return these findings to the relevant care agent who initially dealt with the consumer query and they then contact the consumer to confirm the findings and apply credits if appropriate.

Vodafone evidence to Ofcom on Payforit Scheme Rules 2012

Submission to OfCom on the subject of the Management and Operation of the Payforit Scheme rules.

Introduction

In July 2011 OfCom issued a “Review of Premium Rate Services- An application of the analytical framework” and the Mobile Broadband Group led by Hamish MacLeod facilitated the MCP response to the review.
Following a meeting at OfCom offices on the 2nd November 2011 it was agreed by the MCP attendees to supply OfCom with a document outlining the current management and operation of the Payforit Scheme rules particular to each MCP.
This document is submitted by Vodafone UK to OfCom and should be viewed in conjunction with submissions from the other UK MCPs in support of the principal that the UK MCPs continue to self-regulate the Trusted Mobile Payment Framework and associated Scheme Rules known as ‘Payforit’.
Vodafone Background:
It is important that key elements of the context in which Payforit sits within Vodafone UK is outlined before detailing specific initiatives relating to its management.
1. Customer Focus: Vodafone UK holds to business principles that includes a requirement for each and every employee to place Vodafone UK’s customers’ satisfaction central to each proposition delivered and in support of this and requires aggregator partners to sign contracts that look to protect Vodafone UK’s customers’ best interests in terms of clear and fair pricing and simple methods of redress should the situation arise.
2. Partner Rationalisation: To ensure Vodafone UK only works with trustworthy partners, over the last two years it has been reducing the number of aggregator partners who are allowed to directly connect to the Vodafone UK network to provide content using MPay (Payforit), SMS,MMS or Voice/video services to Vodafone UK’s end customers.
The effect of this rationalisation is that those that remain are highly professional and diligent and effectively manage the risk that some of their end customers may pose to Vodafone UK’s customers
3. Proactive Partner Management: In September 2011 Vodafone UK launched an aggregator partner program. This looks to refine this attitude still further, a number of categories were defined and these are broadly based on products that they have with Vodafone UK, the volume of business transacted and Vodafone UK’s view of the way aggregator partners do business with it.
It is fully Vodafone UK’s intention to have Aggregator Partners categorised based on performance which will act as an incentive for aggregator partners to behave in a trustworthy and customer centric way.

Management and Operation of the Payforit Scheme rules within Vodafone UK.
Payforit Scheme Rules Summary:

• The Payforit Scheme Rules are designed to protect the Consumer and ensure the Merchants and their Payment Intermediaries deliver a great user experience to ensure satisfied customers return to the service.
• The Scheme Rules exist in parallel and are distinct from the other PRS services regulated by the PhonePay Plus 12th Code of Practice (CoP).
• In fast paced environment in which the aggregators and MCPs function, Payforit has adapted and will continue to adapt at a speed unlikely to be achieved by any formal regulation.
Vodafone UK initiatives and Processes to manage Payforit internally:

1. Contracts with Accredited Payment Intermediaries (APIs/Aggregators)

Each Aggregator Partner has signed contracts that stipulate compliance with English Law, Payforit Scheme rules, Vodafone PRS CoP, Vodafone 3rd Party Content Standards and other relevant Advertising CoP and PRS CoP.

2. Vodafone UK monitoring programme

• Vodafone UK’s Fraud, Risk & Security (FRS) teams actively monitor data/voice traffic to identify fraudulent patterns of activity. Product Managers (PM) are required to escalate, block traffic and/or withhold revenues to aggregator partners when requested.
• The Red/Yellow card alerts issued by MCPs are monitored and Vodafone UK would insist that the agreed alteration is carried through for use on the Vodafone network
• Close, effective working relationships with Phonepay Plus established and maintained in other areas of PRS enforcement are considered useful for intelligence on general fraud issues in the industry
• Vodafone UK conducts independent security access audits to ensure secure protocols are used by aggregator partners to access its Age Verification (AV) systems. AV is based on a contractual undertaking between Vodafone UK and the end customer. Customer Services log complaints and approach product managers to resolve issues as required.
• Product Managers conduct audits of aggregator partners and their adherence to Payforit Scheme Rules. Each aggregator partner is subject to spot audits and requests for information to support any investigation.

3. Vodafone UK enforcement process.

• Financial claw-backs. A system of claw-backs exists whereby credits, disputed revenues and costs incurred to Vodafone UK are removed from Out Payments in line with contractual terms.
• Red & Yellow Card System. Vodafone UK has signed up to the Red and Yellow Card scheme and takes the protection of our customers seriously. If Vodafone UK has issued a Red/Yellow card then the aggregator partner is obliged to rectify as specified All Red card issued are to be complied with by the aggregator partners Vodafone UK contracts with. In summary this means; Red card, comply immediately and/or remove the service from network immediately; the yellow card stipulates fix and/or respond within two days. Failure to remedy leads to a Red card. Vodafone UK has not issued any Red and Yellow cards in the last 12 months for 2 principle reasons;
i. Issues that are common to all MCPs tend to be reported quickly via the automated system that O2 has installed.
ii. As the number of Aggregator Partners has been drastically reduced and the BDM management ensures the dialogue between Vodafone UK and its Aggregator Partners manages conflict effectively.
• Aggregator partners that materially fail to comply with their Vodafone UK contract will be terminated and as Information Providers look for the ‘one-stop shop’ loss of access to a single network ensures ever increasing management of risk by Aggregator Partners. [Note: We are unlikely to terminate for minor breaches of contract]

4. Vodafone UK customer resolution process

1. Customer contact to query an item on the bill
2. Agent records the contact and description of enquiry
3. Using their training and a support script the agent identifies the shortcode and provides the merchant’s name and contact number and advises the customer in the first instance to approach the merchant for an explanation and/or refund.
4. If the customer returns to Vodafone UK dissatisfied with the outcome then the Vodafone customer services agent will take responsibility for remedying the situation and crediting the customer directly.
5. The customer care team keep a central log of complaints and issues to help resolve customer experience. If a merchant is flagged as a recurring problem then the product manager is informed and asked to investigate the cause of the customer dissatisfaction.
6. Credit is moved to the Out Payments team who clawback the credits and costs pertaining to the customer.

When the customer does not receive satisfaction, a Case History:

This was brought forward by PP+ on 10th November 2011 to ask what had been done to support this customer)
Mrs GM, 07786 xxx xxx
PP+ quote: “Samsung Galaxy receiving charges for KKO Mobile”. “I’ve had no texts, no nothing, I’ve been charged since May. any apps I get are free, I haven’t clicked on any adverts. I only found out after I checked my banking and noticed that my bill was £70 this month.”

Vodafone UK Outcome.

The customer was directly credited £210 by Vodafone UK on the 31.10.11 when the ‘due process’ had been followed to determine the validity of the claim. The customer logs show that she signed up online for a service on 31/03/11 and has had regular charges of £18 a month £4.50×4.
This case was resolved in a single day by the Vodafone UK Customer Care team in the normal process (with no prompting from external parties) and the customer was satisfied with the prompt resolution that Vodafone UK delivered for her.
This case was not escalated to the product manager as the issue was not deemed to contain fraud and would have been included in the weekly credit report.
Conclusion:
Vodafone UK believes it has the processes in place to fully support customers and the desire to see this sector of the market grow and it believes this can be done with the current self-regulatory frame work in place

EE procedures for ‘Payforit’ complaints as given to Ofcom in 2012

Monitoring

– Any queries/ complaints that come through from front line as an escalation point are investigated on a case by case basis and can result in red/ yellow cards being issued. Any API’s found to be consistently in breach are then taken action against which can again result in red/yellow cards being issued
– In a self-regulated environment, EE are happy to put in place a third party entity to monitor API behaviour to make sure that payment flows, merchant contact details, delivery of digital goods etc are all in compliance with the scheme rules.

Enforcement Process

– If an API has been found to be in breach of the scheme rules, there is a dedicated team that works on issuing a red or yellow card depending on the severity of the breach and the potential for consumer harm. In some cases, if a yellow card is issued and the problem has not been resolved within 48 hours, then a red card may be issued.
– As PhonepayPlus is aware, information on breaches is quickly shared with the rest of the operators for information purposes only. In a similar manner, we appreciate information shared to us by other operators. All red/yellow card decisions are made purely on an individual basis only.

Customer Resolution Process

– If a customer has a query on a Payforit charge which shows on their bill or is deducted from their Pay As You Go allowance and do not have the details of the third party, they would initially turn to their MCP customer service line (by dialling 150 from their handsets) . Our customer service call centre advisers on both T-Mobile and Orange are provided with and trained on systems that can identify Payforit transactions as well as the associated API (on Orange) and API/ merchant (on T-Mobile). Central support systems are also in place within the call centres for both T-Mobile and Orange, and any information the advisor may need on the Payforit service, how it works, who to contact etc is all detailed within these support systems.
– An example Orange Payforit support system for front line customer services:
– If a customer contacts the Orange or T-Mobile customer service call centres about a transaction they didn’t make via Payforit, our frontline agent for Orange would be able to identify the API that billed for the service and would then either pass the customer to the API by providing them with the API’s phone number/ email address or they may just refund the amount if it was a small amount. On T-Mobile, the merchant can be identified using the MT service ID that appears on the customer’s bill and the customer would then be passed to the merchant by means of providing them with a phone number/ email address or a refund may be issued if it is a small amount. The MT service id range on T-Mobile for Payforit is different to that of PSMS so both types of transaction can be identified from their service ids straight away. There is also a different bill description which states “Payforit charge” for Payforit and “Premium Text” for PSMS.
– If the customer does not get any satisfaction from calling the API or merchant and calls back to Everything Everywhere to resolve the issue, Everything Everywhere would then pursue the matter to resolution directly with the API or merchant.
– T-Mobile customers can now use an online tool (https://www.t-mobile.co.uk/pricing-data/sms-code-check/result/) where they can input either a Service ID from the bill (e.g 700030099) or a shortcode to obtain details of the third party. The above URL is also printed on the back of customer bills.
– Any query that cannot be resolved by front line customer service advisors are routed through an escalation process for which we have a designated team:
Orange – Issues are escalated by frontline agents using a tool called ‘Merlin’. These are then managed by a back office team in our Plymouth call centre who contact the API and resolve the issue on the customer’s behalf. If a refund is due then the team will apply this directly to the customer’s bill for contract customers, or provide airtime credit to if PAYG. The refund will be clawed back from the API. The back office team will also include the details of the issue in a report which is sent to the Operation Team on a weekly basis so that they have visibility of the escalations which they can then monitor and review (and where necessary issue warnings and red/yellow cards).
T-Mobile – Escalations are sent to the Operations Team via a follow-up email and these are then dealt with in the same way as Orange escalations above.