by bykovich2 3257 days ago
If you run an online store that doesn't validate credit cards correctly you will become an API for fraudsters to check the validity of Visa numbers.

What is the proper way to validate credit cards?

There's no good way. You have to use heuristics. CC companies won't help you.

https://www.candyjapan.com/behind-the-scenes/how-i-got-credi...

This is pretty much why I think credit cards are unfairly one-sided, and is a big advantage to crypto-currencies like bitcoin. CC are as easy as possible for the consumer, but it's up to the business to guess if the consumer is authorized to use it, and there's no good way to be sure. Some people are going to be unfairly shafted. Oh and credit card networks can do things like shut off access to WikiLeaks if the US government asks them to. The system mostly works for most people in western countries - but it is very flawed.

MaxMind's minFraud[0] was the most popular last time I checked. You give them the credit card info, the IP of the user, their email etc[1] and $0.005 (per credit card transaction you want them to check) and they tell you the probability that it's fraud.

At my company we use Stripe as our payment processor, which has their own fraud detection called Radar. But still, a bit under .1% of our transactions are fraudulent.

Credit card fraud is honestly a great business; even if they know you're doing it, the police won't do anything, and the merchant has to cover the cost and pay $15 for the privilege of being defrauded.

[0] https://www.maxmind.com/en/minfraud-services

[1] https://minfraud.readthedocs.io/en/latest/

Sorta related, turns out there are anti-fraud services for fraudsters https://krebsonsecurity.com/2013/11/anti-fraud-service-for-f...

Isn't this the kind of service that will flag a legitimate user behind a VPN as a potential threat because his IP has been used in multiple transactions? Should a user switch off his VPN to do shopping?

If that VPN IP range is known to be used by fraudsters then yes, for good reasons. And if your VPN is affordable and "privacy oriented" there is a very good chance that a bunch of crooks are going to use it.

Professional VPNs are probably fine.

> What is the proper way to validate credit cards?

A) If you are asking that question, you really should use something like https://stripe.com/radar

But assuming you don't want to:

1) Validate against the standard checksum formulas (this catches legit typos)

1b) https://en.wikipedia.org/wiki/Luhn_algorithm

1c) Regardless of what happens next, send an order confirmation and play dead.

1d) If it fails any of the following steps, send a politely worded "issue with the order" e-mail asking them to contact you (after 24 hours). Use a reason that sounds generic rather than credit card specific.

2) Check GeoIP and compare against the expected geographic area. (This catches VPNs, etc. For instance, shipping to a US freight forwarder from a Russian IP is very likely fraud. The customer can call/e-mail you if they get caught in this.)

2b) Services like https://www.maxmind.com/en/minfraud-services qualify for this.

3) Check address locations against known US freight forwarders / PO boxes / UPS Stores / etc. Force additional customer verification, like for IP addresses.

4) To validate repeat card usage, fingerprint cards that were successfully charged and you didn't receive a chargeback after the window closes:

https://security.stackexchange.com/questions/63248/hashing-a...

You can use Stripe/Braintree tokens or your own implementation.

5) If it fails step 4:

5a) Run whatever business heuristics/signals that might be true for your customer base. Too specific to get into really.

5b) Actually charge the card and see what happens. If it's declined by the credit card company, send the generic contact e-mail.

If you have a brick and mortar business, probably nothing. If you are selling on the internet, probably put a step between you and an old school credit card processor that will do that checking for you, professionally. There's just way too much money in credit card fraud to have anything that even resembles good online protection as a small business.

Some fancy online card processors will do this for you automatically. Otherwise, there's companies that do this logic for you, and work across processors.

Ultimately, we should all get out of the business of transferring money by just entering credit card numbers, which are easy to copy. Many parts of the world are already moving to systems that require 2FA, and fraud rates drop like a rock. Good luck convincing US banks and online retailers to change everything to do this though.

Yeah, where I'm from (Belgium) 2FA is the industry standard by now, and fraud cases were reduced immensely when a previous employer of mine made the switch several years ago. But like you mentioned, this is not just up to devs in most cases...

How does 2FA work in practice for credit card payments?

Both my Danish and British accounts send an SMS for some purchases, usually only larger ones. I have to type it into a box on a form.

They used to use a password, but that risks people putting their bank password into some dodgy shopping site.

VISA's implementation: https://www.visaeurope.com/making-payments/verified-by-visa/

Bit of a late reply but almost all companies use something called a digipass: you insert your card and input a challenge code and your PIN. https://i.imgur.com/10OChcv.jpg

Write risk algorithms that return false negatives to the suspected carders in your logic, before you proxy card data to the processor. If you don't, you will soon hit the 1% chargeback threshold and your account will suffer.

To just validate the numbers themselves, you can use https://en.wikipedia.org/wiki/Luhn_algorithm

Beyond that, I'm not sure what that person is talking about.
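The Luhn checksum this comment links to, and steps 1 and 4 of the numbered procedure in the longer comment above, as a worked example added here (not code from any commenter): a mod-10 check that only catches typos, a keyed fingerprint so that cards which settled without a chargeback can be recognised on repeat orders without storing raw numbers, and a screener that sends everything else to review. The card numbers and `FINGERPRINT_KEY` are constructed for the demo; `OrderScreener` is a hypothetical name.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment pulls a per-merchant key from a secrets store.
FINGERPRINT_KEY = b"demo-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Step 1: mod-10 checksum. Catches mistyped digits, proves nothing about the card."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_fingerprint(pan: str) -> str:
    """Step 4: keyed hash of the normalised PAN. A plain SHA-256 of a 16-digit
    number is trivially enumerable offline; HMAC with a secret key is not."""
    normalized = "".join(c for c in pan if c.isdigit())
    return hmac.new(FINGERPRINT_KEY, normalized.encode(), hashlib.sha256).hexdigest()


class OrderScreener:
    """Hypothetical gate applied before an order is passed to the processor."""

    def __init__(self) -> None:
        # Fingerprints of cards that were charged and are past the chargeback window.
        self.trusted: set[str] = set()

    def record_settled(self, pan: str) -> None:
        self.trusted.add(card_fingerprint(pan))

    def screen(self, pan: str) -> str:
        if not luhn_valid(pan):
            return "reject_typo"        # step 1 failed: legitimate customer mistyped
        if card_fingerprint(pan) in self.trusted:
            return "known_good"         # step 4 passed: repeat card with clean history
        return "hold_for_review"        # step 5: business heuristics, then a real charge
```

With a tokenising processor you would fingerprint the Stripe/Braintree token instead of the PAN, as the comment notes, and never hold the raw number yourself.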

FYI that's not enough. That may act as a form validation, but does not verify that the card is active and able to be used. Anyone can run the Luhn against a card # - but thieves have known CC numbers and want to verify they can be used. As a merchant you have to be somewhat on top of your orders and cancel any "suspicious" ones to prevent chargebacks.

Well aware, thanks. I only ever stated that the Luhn algorithm would validate just the numbers.

> you will become an API for fraudsters to check the validity of Visa numbers.

Anyone accepting donations via PayPal

It's PayPal that needs to check that stuff then. And even then fraud can occur to one's service.

Except they refuse to. So you see a constant stream of $0.01 to $0.03 donations. You have to manually refund every one of them out of your own PayPal balance or you get hit with a $25 chargeback fee.