by noduerme 1635 days ago
Not to get into the weeds here, but were you actually funneling credit cards through your site to a card gateway like Verisign, as opposed to just hosting a Stripe form or something? I used to write shopping carts. To me it smells like disaster these days if any card transaction is hosted onsite in any way whatsoever.
1 comments

We used Stripe. The problem was that our product was initially pre-pay, but we changed it to post-pay at some point. However, that's a different Stripe API (SetupIntents), and so you basically don't see the risk score until invoice charge time (instead of at card entry time). Thus people can use a lot of CPU before you notice that the card is stolen. (Stripe's risk stuff is great. I love how it shows how many other Stripe properties the card or user has been declined on. I wish things like Auth0 gave you this kind of data.)

Honestly the stolen credit cards were interesting, but overall not that big of a deal. We had free trials which were equally effective for crypto mining. Post-pay is always a drag. Lots of people sign up with cards that have a spending limit well below what we claim the price is going to be. Other people issue chargebacks months later with excuses like "oh, I forgot I was using that" or "I didn't feel like I got the value for what you charged".

All in all it's an amusing business.