

Ask HN: Dealing with fraud and liability? - polvi

Hello! We're a YC group (in the latest batch) building a tool that has potential for abuse. For example, a spammer might find our stuff helpful for running a mail server.

Anyway, is there anything we can do to protect ourselves from people signing up with fraudulent credit cards, racking up a bunch of hosting fees, and having the financial liability fall back on us? AWS must have this problem all the time, any idea how someone like them deals with it?
======
Tangurena
You've got 2 major risks here.

Your question indicates you're concerned about someone using a bogus card,
using your site, and then you're out the money/fees (this is indistinguishable
from a chargeback due to an unhappy customer). As far as I can tell, this is a
"cost of doing business" and other than some common sense rules (don't accept
business from Nigerians, East Europeans, or whoever is the "land of hackers"
this week - check the address and IP addresses - log everything), I don't
think anyone will be able to assist you (including law enforcement, who has a
hard time getting involved for less than 6-digits of losses). One of the
applications I'm responsible for accepts/processes credit cards, and we have 0
chargebacks, but that's mainly because this application is an add-on for a
desktop application that costs several hundred dollars.

The other one you didn't seem to address is PCI-DSS compliance. If you store
the credit card number in any place (including log files), you (and your
customers) could be in for a world of hurt if you're hacked (like TJ Maxx
did). <https://www.pcisecuritystandards.org/index.shtml> (see chart on page 4
of the spec, and the checklists at the end may be helpful as well).
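On the point about card numbers ending up in log files, here is an added example (my code, not Tangurena's): a scrubber that masks any Luhn-valid card number in a log line before it is written, leaving timestamps, order ids and other digit runs alone. The log lines are constructed sample input.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Mask every Luhn-valid card number in a log line, keeping the last four.

    Digit runs that fail the checksum (order ids, timestamps, ...) are left
    untouched, which keeps the log useful for the fraud analysis discussed
    above without retaining a full PAN anywhere.
    """
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]

    return _CANDIDATE.sub(_mask, line)


def scrub_log(lines: list[str]) -> list[str]:
    """Apply redact_pans to each line; call this before lines hit disk."""
    return [redact_pans(l) for l in lines]


# Constructed sample lines; 4111 1111 1111 1111 is a well-known Luhn-valid
# test number, 1234567890123456 is a 16-digit id that fails the checksum.
SAMPLE_LOG = [
    "2009-03-01 12:00:01 signup user=42 card=4111 1111 1111 1111 ip=198.51.100.7",
    "2009-03-01 12:00:02 order id=1234567890123456 ok",
]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```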

