by jasonlotito 5062 days ago
It's a good article. I'd like to add two other things you should consider when handling credit cards.

The first is 3DSecure (or VbV). They are the most secure ways to accept credit cards, though they aren't as easy for users to use. However, they do go a long way to protecting the merchant. If you're handling B2B transactions that are high risk, you might consider enforcing this. Again, it's not a solution to wield lightly, but it is a solution.

Also, you can require out-of-band authentication. Generally, this takes the form of making a telephone call and requiring the user to input a 4-digit PIN. This, combined with everything else, will help hinder potential fraud. More importantly, it helps to protect against friendly fraud.

Of the two, telephone authentication is easiest to implement, but do not discount 3DS for higher priced purchases.


Counterpoint: the only businesses that force VbV etc. I will deal with are airlines (because they all do), which meant the last time I flew transatlantic I took 800 euro out of my bank account and _walked_ to Air France's bank rather than use it. In _any_ other industry? They've just given my business to a competitor.

It is not in my interest to use a service _designed_ to lessen my protection from fraud.

(see http://www.lightbluetouchpaper.org/2010/01/26/how-online-car...)

I know it's been a few days, but, just wanted to add that this is a good point, and a part of what I meant with not using VbV lightly. There are valid reasons to use it, but frankly, it should be close to the last thing you implement.

The only times I've used it were when offering a B2B product/service where fraud was a real fraud.

The Minfraud service I mention in the article has an automatic phone verification system. You can use it when the risk score crosses a certain threshold