

Ask HN: How does Basecamp accept CCs without billing address? - YonghoShin

Example: https://signup.37signals.com/basecamp/Premium/signup/new?source=basecamphq.com

I thought the customer ALWAYS had to give a billing address on top of their Credit Card to prevent fraud charges.

How does Basecamp charge with no address?
======
charliepark
It's not necessary. In fact, at some point I hope to write up a larger piece
on it.

The only two NECESSARY pieces of data are the CC number and the expiration
date. ZIP code drops some of the risk, and, accordingly, drops a fraction off
the percent you're charged by the processor.

On the web app we're about to launch, we only have the number and the
expiration date. I'm hoping to get my act together to do some A/B tests, but
we're going into it assuming that we'll do better with fewer fields to fill
out.

~~~
dangrossman
I could be wrong, but I don't think the expiration date is necessary either.
You have to send one to your gateway, but I don't think it's actually used for
anything. You can keep charging cards that expired and have been reissued with
the same number; I suspect if you send a valid card number with any future
expiration date, it's going to work too.

~~~
genieyclo
Yep, if I recall correctly, expiration dates are just there to get people to
get new cards for accounts because the magnetic strip on the plastic fades
after a number of years.

------
bdclimber14
It's definitely not required, but it gives you a much better case if someone
files an unauthorized chargeback. If you used AVS (Address Verification System)
or the CVV number, you can in a sense prove that the person who made the
purchase was the cardholder.

37Signals and OrangeSlyce (my company) use Braintree, which provides a VERY
innovative solution called "Transparent Redirect". It allows you to accept
credit cards directly on your site, with your domain, but the form posts
directly to Braintree, and transparently redirects back to your site so the
customer never leaves your domain. It's very cool stuff and I don't know of
any other merchants that offer this.

Most importantly, the CC data never even enters your environment.

------
dangrossman
AVS (Address Verification Service) only looks for matching street and zip in
the first place. Since you're allowed to send only a street or zip, I assume
that just verifying the zip as they're doing avoids paying a higher
transaction fee for not doing AVS at all.

Collecting a billing address or not doesn't do much to stem fraud when you're
not shipping anything physical. Unless you're going to have your customers
sign and mail/fax written authorization, you're going to have a hard time
disputing chargebacks regardless.

------
aquark
It would be interesting to see some data on fraud rates in different
industries.

It is easier to see the thief's risk/reward proposition when ordering a large
screen TV with a stolen card than when signing up for a $50/month service.
There, as soon as you are discovered, you lose access to the data that was the
whole point anyway.

------
ashitvora
They use <http://www.braintreepaymentsolutions.com/>.

Not sure how Braintree handles that thing.

------
percept
No card security code either? That's bound to nip you in the posterior at some
point (happened to me, though with tangible goods).

