[adunar]

We've been using Stripe to accept payments at http://telerivet.com for about 9 months now, and generally we have been very happy with their service.

One thing Stripe doesn't really mention up front is that it's actually your responsibility to make sure that your customers aren't using stolen credit cards. (I assume this is the same for other payment processors, not just Stripe.)

We received a few payments that seemed suspicious (probably stolen credit cards), which resulted in a couple of chargebacks ($15 fee each) that showed up 3 months later. Since refunding suspicious payments to avoid chargebacks still incurs Stripe's transaction fees, we ended up developing our own heuristics to require manual approval of suspicious payments before sending them to Stripe.

[saurik]

> (I assume this is the same for other payment processors, not just Stripe.)

AFAIK, this is correct for other systems that allow you to accept a credit card number directly; however, this is not true of all "payment processors": things other than credit cards often have more security that becomes the responsibility of the bank or customer; third-party payment networks also often take this on as "their problem" (as a specific example, Amazon Payments eats chargeback fines under the belief that they are handling fraud issues; PayPal, however, does not, although they do seem to be quite good at the fraud protection angle, so it matters less).

[jaddison]

Not to pry, but would you consider sharing the heuristics, even if at a general level, perhaps via a blog post? I think that many hacker peers would love to know what works for your team.

[adunar]

Here are some of the things Telerivet looks at to detect suspicious payments:

- Credit cards that fail the address, zip, or CVC check. Stripe tells you whether these checks fail, but will still process the payment anyway.

- Unusually large payments. For some reason we often see suspicious credit card payments of exactly $100. Maybe they're just testing if a stolen credit card works?

- Payments for very new customers, or for customers that aren't actively using our service yet. Our service has a free plan for testing, so most real customers don't pay immediately.

- Same credit card used on multiple accounts. We store Stripe's card fingerprint for each account so we can easily search our database for duplicates.

- Multiple payments in a short amount of time.

When someone tries to submit a payment, we create a "customer" record on Stripe and test their credit card first without charging it. If the customer looks suspicious, our servers send us an email and save a record for the pending charge in our database. Then we can investigate further and either process the charge on Stripe or delete it. If the customer is legitimate after all, we'll mark their account as trusted so any future payments will be processed automatically.

[Lukeas14]

What is your process for investigating further to prove the card is not stolen?

[adunar]

We can't really prove that the card isn't stolen. One of the frustrating things about the card-processing system is that there's no way for merchants to actually initiate a fraud check (where the bank calls the cardholder to verify a purchase), or even any way to warn the cardholder that their card may be stolen.

Our manual review process usually consists of looking at:

- When the customer first registers, we ask them an open-ended question, "How do you plan on using Telerivet?". Did they provide an answer that would indicate that they are a legitimate customer?

- Does the customer's verified email address look suspicious (e.g. a disposable email account, or something that seems randomly generated)? Actually now we automatically block accounts from known disposable email providers from registering for Telerivet in the first place, but that's a whole different story.

- Does the customer's name look suspicious (e.g. random letters/numbers)?

- Does the customer's use of our service so far look suspicious?

Potentially we may also follow up with the customer over email. People who seem suspicious typically don't respond.