by joshmn 4111 days ago
Even lower-level, anything consumable by, well, anyone, quickly transforms from add-to-cart, checkout, and ship (whether digitally or physically), to add-to-cart, checkout, make sure they're actually the cardholder and legitimately authorizing the purchase, ship.

I have seen far too many places -- whether they're side projects, SMBs, or even enterprises -- completely miss the antifraud step. There are companies like MaxMind who help identify and somewhat prevent this, but for someone who is of above-average intelligence and an apt "carder", it's so trivial to get around.

When I'm tasked by x company -- a bank, company, security team, or someone with a side project -- to run through their site and try to get an order shipped using false credentials, I can't even speak to how easy it is for me to do so with trivial effort. And it's not all fun to see.

There is a company who does gift cards, and they'd ship them out instantly. Once redeemed by the other merchant, bam, they're SOL.

Don't be this company. Don't be this entrepreneur. Don't be this hacker. Reach out to someone who knows what they're doing. If your business relies on conducting transactions, I don't care if it's flowers or dog leashes, or some shit that's going to end up on Shark Tank, you need to have anti-fraud in place.
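The "make sure they're actually the cardholder" step above, as an added example (not the commenter's code): a fulfilment gate that sits between authorised checkout and shipping, and that holds instant-delivery goods such as e-gift cards for review on any open signal instead of shipping them straight away. The signals, thresholds and field names are illustrative assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    SHIP = "ship"
    REVIEW = "hold_for_manual_review"
    DECLINE = "decline"

@dataclass
class Order:
    order_id: str
    card_token: str        # processor token, never the raw card number
    billing_country: str
    shipping_country: str
    ip_country: str        # from a geo-IP lookup (values constructed in the test)
    avs_match: bool        # address verification result returned by the processor
    instant_delivery: bool  # e-gift cards etc.: unrecoverable once redeemed

# Constructed threshold; a real shop tunes it against its own chargeback data.
VELOCITY_LIMIT = 3  # orders already seen for this card token in the look-back window

def assess(order, orders_by_card):
    """Return (Decision, signals) for one order; orders_by_card maps token -> count."""
    signals = []
    if not order.avs_match:
        signals.append("avs_mismatch")
    if order.billing_country != order.shipping_country:
        signals.append("billing_shipping_country_mismatch")
    if order.ip_country != order.billing_country:
        signals.append("ip_country_mismatch")
    if orders_by_card.get(order.card_token, 0) >= VELOCITY_LIMIT:
        signals.append("card_velocity")
    if len(signals) >= 3:
        return Decision.DECLINE, signals
    if signals and order.instant_delivery:  # irreversible goods never ship on an open signal
        return Decision.REVIEW, signals
    if len(signals) >= 2:
        return Decision.REVIEW, signals
    return Decision.SHIP, signals

def checkout_and_fulfil(order, orders_by_card):
    """Payment is already authorised; the order ships only on a SHIP decision."""
    decision, signals = assess(order, orders_by_card)
    orders_by_card[order.card_token] = orders_by_card.get(order.card_token, 0) + 1
    if decision is not Decision.SHIP:
        print(f"{order.order_id}: {decision.value} ({', '.join(signals)})")
    return decision
```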


Sorry for my ignorance but what are possible anti-fraud rules for, say, a flower merchant?
Depending on how often the merchant is bitten by fraud, they can require an ID card to be shown for certain types of transaction (such as cash or check), or raise prices to cover the fraud costs.

Generally, they try to ensure that the liability shift is on the bank's side, by using an EMV capable system for most payments. Of course, that usually requires them to have a specific contract; banks, on their side, perform a risk assessment to ensure that they won't be covering too much fraud.

It's difficult but it comes down to loss-prevention.

I could set up a site with a front-facing flower shop, accept orders, take in the people's $$ legitimately, and then transact and fulfill their orders (via fraud) on 1800flowers.com, for example.

I realize that anyone could do this for anything, but the weaker your weak points are, the easier it is to capitalize on them.