by brandonb 5061 days ago
This article has great advice. I work on fraud detection, and a lot of companies start off by building basic checks like AVS, CVV, proxies, IP-billing location mismatch, etc. What usually happens afterward is that the fraudsters get more clever. For example, we've seen sites implement SMS verification, but then the fraudsters will set up Twilio phone numbers to fool it. The sites block IPs, but then fraudsters go through an internet cafe or proxy. Sites shut down one account, and the fraudsters rent a botnet and run scripts to create a thousand more. It's a cat-and-mouse game.

Companies where payments are central (e.g., PayPal, Square) end up building some combination of machine learning, investigation tools, a dedicated operations team to review/verify suspicious transactions, and custom logic to look at all sorts of signals correlated with fraud. Often they'll have dozens or hundreds of people working on this.

For everybody else, I'd echo Eran's advice to just outsource this. There are plenty of vendors out there. Here's one list: https://www.merchantriskcouncil.org/index.cfm?pageId=702

If anybody out there is dealing with fraud or chargebacks, my company (Sift Science) provides an API to do exactly the checks Eran's article suggests and a lot more. Even if our technology doesn't apply, I'm happy to just give advice and point people in the right direction. My e-mail is brandon@siftscience.com.