Posted 5 years 3 months 3 weeks ago.

Yatra comes up with really nice deals specific to some credit cards. For example, right now they have a YATRA10 coupon that gives ~4k off on any hotel booking. Some hotels in Chennai, especially, get around 60% off with this coupon currently. I don't know about the rest of the cities. This coupon code is supposed to work with just State Bank of India cards.


Try making any booking with a coupon code that you would like to use, even if you don't have the card the coupon is meant to work with (like SBI in the above case). The system doesn't validate the card until just before you are redirected to the payment gateway for the final OTP of the payment.


So make the booking, and you get a message that your transaction failed just before the redirection to the bank payment gateway happens.


So far so good. You tried paying with a card that should not be used with the coupon code you used, so the system kicked you out, marking the transaction as failed.


Here comes the actual part. There is something nasty with Yatra. They have a team of customer care executives dedicated to calling up customers who go till the last step of the booking and whose payment fails. If you are logged in, or had given your phone number in an earlier step of the booking, you get a call from their customer service in 2 mins of the failed transaction. If you have any query or trouble with your reservation post purchase, you will have to go through a long IVRS selection followed by 15 mins waiting on hold to speak to a human.


This is where it gets funny. Now this customer service team, which is dedicated to “push-for-payment”, kicks in. They call you proactively and enquire about the failed payment. They ask if you would like to attempt the payment again without having to fill in all the travel / hotel details all over again. If you choose to proceed, they will email you a direct link to payment, which has no validations in place, where you can just pay the amount that was shown to you earlier to complete the transaction.


The email looks like this:


When the link is opened, you will be asked for the email address and Reference number which you have received in your email from Yatra.

Give the details, and complete the transaction and boom! You now have the booking that Yatra promises to honour, at a heavily discounted price, at the cost of the advertiser, which is SBI in this case.


This is a glaring example of how disconnected teams without the know-how of how other teams/departments function could tear down a company, giving away discounts and offers. Imagine what would happen when SBI discovers that thousands of Yatra customers have been given large discounts, most of which came out of SBI’s pockets with literally no benefit to SBI.


Why do things like this happen?

  1. Disconnected teams : The customer service team dedicated to pushing the customer for payments has no idea of how the card-specific discount coupons work.

  2. Poor Technical Skills : Whoever got the idea that this validation for card should happen just before the redirection to payment gateway, and to log this order as a failed one just like any other transaction which failed due to incorrect card details or timeout or similar reason - is definitely a genius.
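One way to close both gaps, written as an added example and not Yatra's code: the card-to-coupon check lives in a single pricing function that the checkout and the retry-payment link both call, and a coupon mismatch is logged under its own failure reason so it never enters the call-back queue. The BIN prefixes, failure-reason names, and function names here are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed sample data: coupon -> card BIN prefixes of the sponsoring bank.
# The BIN values are placeholders, not real issuer ranges.
COUPON_BINS = {"YATRA10": {"000001", "000002"}}

@dataclass
class Order:
    ref: str
    list_price: Decimal
    discount: Decimal
    coupon: Optional[str] = None
    failure_reason: Optional[str] = None

def coupon_allowed(coupon, card_number):
    """True when no coupon is set or the card's BIN belongs to the coupon's sponsor."""
    if coupon is None:
        return True
    return card_number[:6] in COUPON_BINS.get(coupon, set())

def amount_due(order, card_number):
    """Single pricing function used by BOTH checkout and the retry-payment link."""
    if coupon_allowed(order.coupon, card_number):
        return order.list_price - order.discount
    return order.list_price  # ineligible card: coupon dropped, full price

def checkout(order, card_number):
    """First attempt: reject an ineligible card and record a distinct reason."""
    if not coupon_allowed(order.coupon, card_number):
        order.failure_reason = "COUPON_CARD_MISMATCH"
        return None
    return amount_due(order, card_number)

def retry_link_amount(order, card_number):
    """Retry link re-prices from the card presented, not the amount quoted earlier."""
    return amount_due(order, card_number)

def should_callback(order):
    """Outbound 'complete your payment' calls only for genuine payment failures."""
    return order.failure_reason in {"GATEWAY_TIMEOUT", "CARD_DECLINED"}
```
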


I don’t think this is a security issue that is worthy of being disclosed responsibly in private. No one’s data is being compromised. The primary problem here is that this Customer Service team which calls customers for payments in less than a minute’s time should have never existed in the first place when Yatra is not able to provide service to customers who have already paid, without having to make them wait for a long time.



Submitted by tanay on Fri, 08/05/2016 - 07:51