My company uses Google Workspace for email, and we are happy to pay them for their services. A while back, our old payment card expired and they emailed us saying we have to add a new one. So I logged in and tried adding a new card (a VISA card that works everywhere else, even in other parts of Google), but it repeatedly failed with the error code OR-CCSEH-26 and the message “Your card’s issuer declined this request. Contact your bank or use a different payment method.” So I contacted my bank (the largest bank in Norway) and they said everything is fine and they have heard reports that Google sometimes rejects transactions for no good reason, but there’s nothing they can do about it - I have to resolve it with Google.<p>I contact Google Workspace support and after the usual introductory pleasantries they seem to understand that I have a legitimate issue that their specialist team needs to look more closely at. However, even though this appears to be strictly a backend issue (after all, they have contacted the card’s issuer), their procedures will not allow their agents to escalate this without receiving a HAR file from me by email, containing complete details about all requests pertaining to my attempt to update the payment card.<p>Importantly, such a HAR file would contain every single payload and header sent from my browser to Google’s servers, including my authentication token and full credit card details. I balk at this and explain that I am very reluctant to send such a sensitive file to anybody, using any transport, but particularly to some shared email address at Google. Oh, that’s not a problem, the agent says (but only after I resist sending them the raw HAR file), I can just use the HAR analyser in the Google Admin Toolbox to remove any sensitive information. However, it is unclear if this tool requires me to upload the file to Google first, or if it is strictly a client-side tool (on closer inspection, it looks like it may be local, which is good). 
It is also unclear if it completely removes stuff like credit card details, or just auth headers.<p>Regardless, there are several things that IMHO are wrong with this:<p><pre><code> - Why is it impossible to escalate a payment issue without a HAR file?
- Why do customers need to upload a HAR file to debug what is in all likelihood a backend issue?
- Why is Google, a champion of online security (unironically), asking customers to send files containing their login credentials and full credit card details, by email?
- I am a developer and could probably figure out how to clean a HAR file manually (even though it is 7MB of JSON), but do they really expect regular users to be able to do this?
</code></pre>
My issue has been ongoing for several weeks, with no solution in sight, and when asked point blank, their agent confirmed that there is nothing they can do without a HAR file. The last agent I spoke to even put me on hold while she double-checked with her supervisor that this was the case.<p>This is a bit of a rant, I know, but I also felt that the big-picture aspects of this might be worth discussing on HN. Is it really Google’s policy that they will not help a customer trying their best to give them their money, without said customer sending them a highly technical file containing extremely sensitive information? And if so, what does that say about their internal security culture?
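<p>One way to clean a HAR file locally before it leaves the machine, as an added example that is not part of the original post and is unrelated to Google's HAR analyser. It uses the HAR 1.2 field names; the header list, the `[REDACTED]` marker and the sample capture are assumptions made for this example.

```python
import copy
import re

# Headers whose values are credentials; extend with site-specific names.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):  # card checksum, so timestamps and order ids are left alone
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pans(text):
    return PAN_RE.sub(lambda m: REDACTED if luhn_ok(re.sub(r"\D", "", m.group()))
                      else m.group(), text)

def sanitize_har(har):
    out = copy.deepcopy(har)  # leave the caller's capture untouched
    for entry in out["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        for msg in (req, resp):
            for h in msg.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in msg.get("cookies", []):
                c["value"] = REDACTED
        req["url"] = mask_pans(req["url"])
        for q in req.get("queryString", []):
            q["value"] = mask_pans(q["value"])
        post = req.get("postData")
        if post:  # payment form bodies hold number, expiry and CVC: drop values
            post["text"] = REDACTED
            for p in post.get("params", []):
                p["value"] = REDACTED
        content = resp.get("content", {})
        if "text" in content:  # base64 bodies cannot be scanned, so drop them
            content["text"] = (REDACTED if content.get("encoding") == "base64"
                               else mask_pans(content["text"]))
    return out

# Constructed sample; 4111111111111111 is a common test number, not a real card.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://pay.example/add?card=4111111111111111",
                "headers": [{"name": "Cookie", "value": "SID=s3cr3t"}],
                "postData": {"text": '{"cvc":"123"}'}},
    "response": {"content": {"text": "card 4111 1111 1111 1111 declined"}}}]}}
```

The card-number pattern does not catch expiry dates, CVCs or tokens echoed in response bodies, so the output still needs a manual review before it is sent anywhere.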