
Ask HN: dealing with credit card fraud while selling physical products online? - sdrinf
Dear HN,

A contract of mine is close to launch, doing e-commerce, (partially) selling physical goods. Since I will also be supporting the codebase during the first couple of months, I'm seriously investigating the possibility of fraud, and dealing with it. We're using PayPal website payments pro.

Two humble questions for a safer Internet:

-What crash-curse would you recommend in proactively going against this problem? Articles, papers, or anything, really, that is not a commercial offering would be nice.

-In the case of fraud, how long does it take for PayPal to detect, and cancel a given fund from our account? That is, after what time shall we safely assume, that the money will be actually ours? (shipping will be immediate -but this will affect inventory management)

Specifically not asking for: paypal bashing, alternative credit card processors, adding obstacle courses to our customers.

Specifically looking for: stories with data, statistical breakdown for merchandise-driven industry's general fraud rate, and articles to read :)
======
John212
I have dealt with fraud prevention for non-physical goods both with PayPal and
a merchant account. It's a small start-up, annual web orders of $1m, average
purchase price of $16.50.

We were hit pretty hard with fraud (when we first started, Aug/Sept 09) but we
now have it down around 0.5%.

I know you don't want a commercial offering but we had great success with
maxmind (<http://www.maxmind.com/app/ccfd_features>) it costs about $0.015 per
order.

Here is how we did it... We tested every order through maxmind and using the
fraud score we divided them into three groups, low, medium and high risk.

* Low risk orders were fulfilled as normal.
* Medium risk orders had to do an automated telephone verification (we used Twilio for the calls, we mapped distances from area code to billing address and rejected VoIP numbers).
* High risk orders required one of our support staff to call and confirm the order.

Recommended reading: <http://www.detectmalice.com/>

However, I don't think stolen cards will be your main issue. Unless you have
tracking numbers for all your shipped orders people are going to open claims
with PayPal. PayPal always favors the buyer and you will find people abusing the
system. Be prepared for a lot of "Not as Described" claims because the item
didn't match the user's expectations. This isn't a one-off, this happens often.

~~~
sdrinf
Maxmind's offering was already within our radar, but your datapoint pretty
much nailed that investment.

Re: "Not as Described" -Given that our shipping solution offers package
tracking with numbers, and signed-for options, AND the user will be clearly
presented with an image, and a video of the goods; AND after first abuse, I
will explain these things to paypal's customer rep, will their abuse still be
considered legit?

Also, what if the item in question is only part of a service, and neither can
work without the other? Will that change the claim-percentage at all?

~~~
John212
Re: "Not as Described" - You will still get those customers that have buyer's
remorse or just simply don't want to be charged for the item they received.
You will find the customer service reps that make the decision on these cases
spend a few minutes on each. Unless you have an awesome case the buyer will
win.

The fact that this item is part of a service should hugely reduce fraud.

In all honesty you should be fine. I would start out with some pretty solid
rules; only ship to the US, Canada & Western Europe, only ship to paypal
verified addresses and IP location should match the billing address (< 150
miles). Once you find your feet I'd start relaxing these rules and plug any
holes in the system if they appear.

If a paypal dispute arises, call the customer.
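
The screening John212 describes in his two comments above (three risk tiers by fraud score, plus the starting rules on country, verified address and IP-to-billing distance), sketched as an added example that is not part of the thread. The 0-100 score scale, the 30/70 cut-offs, the country subset and all names are assumptions; only the 150-mile limit comes from the comment.

```python
import math
from dataclasses import dataclass

ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE", "FR", "NL"}  # assumed subset of the regions named
MAX_IP_BILLING_MILES = 150  # the "< 150 miles" rule from the comment
MEDIUM_SCORE, HIGH_SCORE = 30.0, 70.0  # assumed cut-offs on an assumed 0-100 vendor score

@dataclass
class Order:
    risk_score: float        # fraud score from the scoring service (assumed 0-100)
    ship_country: str        # ISO 3166-1 alpha-2 code of the shipping address
    address_verified: bool   # processor reports the shipping address as verified
    ip_latlon: tuple         # (lat, lon) geolocated from the buyer's IP
    billing_latlon: tuple    # (lat, lon) geocoded from the billing address

def miles_between(a, b):  # great-circle (haversine) distance in miles
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def screen(order):
    """Return (action, reasons): hard rules first, then the three score tiers."""
    reasons = []
    if order.ship_country not in ALLOWED_COUNTRIES:
        reasons.append("ship country not on allowlist")
    if not order.address_verified:
        reasons.append("shipping address not verified")
    dist = miles_between(order.ip_latlon, order.billing_latlon)
    if dist >= MAX_IP_BILLING_MILES:
        reasons.append(f"IP is {dist:.0f} mi from billing address")
    if reasons:
        return "do_not_ship", reasons
    if order.risk_score >= HIGH_SCORE:
        return "manual_call", ["high fraud score"]       # staff phones the customer
    if order.risk_score >= MEDIUM_SCORE:
        return "phone_verify", ["medium fraud score"]    # automated phone check
    return "fulfil", []

# Constructed sample orders; coordinates are New York, Philadelphia, Los Angeles.
NYC, PHL, LAX = (40.7128, -74.0060), (39.9526, -75.1652), (34.0522, -118.2437)
SAMPLES = {
    "local_low": Order(5, "US", True, PHL, NYC),
    "local_medium": Order(45, "US", True, PHL, NYC),
    "local_high": Order(85, "US", True, PHL, NYC),
    "far_ip": Order(5, "US", True, LAX, NYC),
}
if __name__ == "__main__":
    print({name: screen(o)[0] for name, o in SAMPLES.items()})
```

Logging the reasons alongside each decision makes it possible to see which rule is turning away good customers before relaxing it.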

------
jacquesm
If you're selling physical goods make sure that the intended recipient and the
shipping information they give you are one and the same entity.

This makes it harder to ship presents and stuff like that but when shipping
goods the majority of the fraud is done by redirecting the goods to a 'drop'
and then making off with the loot.

Make sure you use a delivery method that asks for a signature of the
recipient, make 100% sure that they will honor your request to ID the
recipient and to make sure that the names match.

Don't leave more balance in your paypal account than you need.

You can't really say how long it will take paypal to detect fraud, that's more
up to you than up to them, if there is no fraud to detect you'll be fine, if
people start using stolen paypal accounts and/or cards to order your stuff the
ban hammer would come down without any warning whatsoever.

There is no hard knowledge out there what it takes for paypal to block your
account but typical merchant account checks include < 1% of total charges,
anything over that and you're suspect / liable to be axed.

I hope that helps.

Oh, and it's 'courses', not 'curses' (that goes for 'crash curse' too ;))

~~~
sdrinf
We're planning to use the shipping address returned from Paypal as-is (and not
querying from our side), mostly for stripping the funnel to its bare minimum
-is that kosher?

Definitely signed-for. Other than Nigeria (which I'm quite keen on
blacklisting, as a whole), any particular countries which we should be careful
about?

~~~
jacquesm
> We're planning to use the shipping address returned from Paypal as-is (and
> not querying from our side), mostly for stripping the funnel to its bare
> minimum -is that kosher?

Yes, it's kosher, but there are a number of checks you can't do like that
(such as doing geo verification of the IP, email verification).

Those go a long way in screening out fraudulent charges.

Presumably paypal has already done a bunch of that, but if the shipping
address paypal gives you does not match the geolocation of the IP and
residential information of the account holder (not always the same as the
shipping address!) within reason that would be a great reason _not_ to ship.

> any particular countries which we should be careful about?

Yes, but that's going to make me a lot of enemies here ;)

Until you have the fraud angle worked out and have ways to monitor and predict
risky transactions I would stick to the US initially, then roll out in Europe,
one country at a time, after that Japan, and I'd leave it like that for a long
time to come.

This is not because I do not like people from other countries (rather the
opposite), but because combating fraud is a percentage game and _one_
fraudulent transaction can eat up the profits of 10 or more good ones if
you're into physical goods (depending on your margin of course), as well as
cause you to be banned, which is a risk not worth taking.

------
kingofspain
Already some good advice here, so I'll just add a couple we used to use at a
place I worked at that sold physical goods (of the kind that prove
surprisingly popular to fraudsters).

- I don't think Paypal offers address verification other than under
'verified' accounts but it might be worth asking depending on which service
you are using.

- We used to flag deliveries to "Suite XXX", "Apartment XXa" etc for further
investigation as in the UK these types of address are usually no more than PO
box services. Find out what kind of address the common mailbox services offer
and if it's fairly uncommon, do something similar.

- Sounds a bit obvious, but large initial orders can also be a red flag. A
first time visitor ordering £1100 worth of stuff is going to warrant more
attention than a long-time customer.

- Wherever possible try to identify frauds yourselves. Payment providers
will just transfer the cost to you and law enforcement, in my experience,
couldn't care less (we were actually told they have an unofficial policy of
non-investigation for < £10,000). Basically, as I'm sure you understand, if
you get burned - you've lost it for good.

------
ashleyreddy
Step 1: assess the level of fraud for the given type of product you're selling. I
ran an ecommerce site that sold over 100 million dollars worth of product in
its lifetime and had only 1 case of credit card fraud. If you still think it's
a problem check out Verified by Visa. I know you're using Paypal but you might
get some pointers there.

