Don't implement the payment processing code yourself. (And using Stripe is _still_ implementing it yourself - they supply only one part of the process.)
Writing this code will take time that you are not using to develop and market your product. (cf opportunity cost). Your code will be buggy. Your code will be weak. Your code will not support the various alternative payment options popular in, say, Holland. (Yes, this is a thing, and it is called iDEAL.) Your code will sooner or later be exposed to a campaign of fraudulent transactions.
Use FastSpring, or your alternative of choice. Yes, it costs more, if you don't put value on your weeks of time to create and support an alternative, and if are comfortable having a weak fraud detection, if any.
When your business becomes successful, when the fees to FastSpring start to dwarf the costs of implementing a payment system yourself, then - perhaps - consider re-doing it yourself.
There are indeed weaknesses in using FastSpring, which after seven years are becoming a pain for me. I'll be writing about that soon. But this is not an issue for a one-person endeavor getting started.
I'll keep trying to avoid using a creditcard as much as possible and use other payment methods when I can, both online and offline.
And yes, when implementing payments on a website, use a service that does all of the complex things for you, and never store sensitive data yourself.
- The vast majority (probably 95%+) of cards have rewards built in. Everything from miles to redeem on travel and accommodations to the most common being cash back credited against your account. These can range anywhere from 1% to 5% outside of special promotions where you typically get even more.
- They offer increased consumer protection in the form of warranties on items you buy in addition to the manufacturer's warranty.
- They offer increased consumer protection in the handling of charge backs, fraud prevention and being able to easily dispute charges (typically online).
- Of course if a card is stolen the number is invalidated and the physical card replaced - I don't know where you got the idea that this doesn't happen.
- None of this is at direct cost to the customer - assuming you pay off your statement balance prior to the due date, you are not charged interest and unless you have a card with an annual fee (most do not and if you have even decent credit it's trivial to upgrade to a card without one) all these features are free.
Then who do you think is paying for those rewards/cashbacks? Who is paying for the extra warranty? Who is paying for the costs of the chargebacks and the replacement of cards that get stolen by the millions?
The answer could be you, creditcard users who dont pay off in time, or people who use other payment methods. It certainly isn't the banks or the merchant who's paying all this.
But it does nothing for a business like Candy Japan which sells to a global audience. The advantage of credit cards is that they are one payment system that works pretty much everywhere, worldwide.
Also, you should realise that, as a customer, you typically don't have the same chargeback rights when using a banking service like iDEAL compared to what you get with a Credit card. This can be a big deal when, for example, a merchant goes bankrupt before delivering your purchase.
That's the reason they recommended to use a payment gateway that implements all those local payment solutions. For example, in Germany you loose a lot of customers if you don't offer direct debit (ELV) as many don't own a credit card (and don't want to).
> you typically don't have the same chargeback rights when using a banking service like iDEAL
This heavily depends on the service. For example, the upcoming German Paydirekt will offer better chargeback service than most German credit cards (where you typically don't enjoy the US-style "anything is reversible" type of protection).
I can't imagine wanting to give out my bank details to allow direct debit of my account to every online retailer I do business with. Weird.
US consumer protection laws treat credit and debit cards differently. They favor credit cards. The gap between the two is up to the goodwill of your bank.
I prefer to rely on law than goodwill. I have never had a problem with getting a refund on a credit card charge I claimed was fraud.
I have no idea why people choose to use a debit card over a credit card here.
One reason it's so hard to unseat credit cards in the US is because most of the advantages of the alternatives are on the sellers side. The consumer doesn't seen any benefit from switching to Apple Pay or whatever. Most merchant agreements don't even let stores charge less for using non-credit card type payments (although some stores do anyway).
As a US citizen I use my credit cards constantly. It's an instant 1% discount on everything I buy (thanks to the cash back), and its fast and easy. I pay it off every month to avoid paying interest. There's basically no downside to me.
The story would be different if retailers were allowed to directly pass on the service fees however. I would definitely think twice if every time I used it I got surcharged $0.50.
OTOH, my Chase experience was not nearly as smooth.
Don't know about iDEAL, but I think that wouldn't work.
The thing: If you don't implement all of this yourself, you don't need to worry about the details. There are services that happily do this for you.
That being said, direct payment gateways are common, but they require cooperation with banks. There's probably hundreds of them and only make sense on local market where you can have on or two implemented to satisfy 80%+ of customers (and others will just use regular card).
Cashiers in most common shops probably don't even know how to accept a payment by credit card, so the'll just refuse.
Meastro cards are usually protected by a PIN and require a POS system to be used. This was a problem for e-commerce, so the Dutch banks participated in iDEAL. It's basically a redirect from the merchants website to the bank site of the customer, where they use their own cardreader and debit card to validate the transaction before being redirected back to the site of the merchant.
I remember Maestro cards in Sweden as being for under-18's, and then when you become an adult you get a VISA/MasterCard debit card instead, but I don't know if that's true anymore.
That said, the cards themselves use exactly the same technology, look the same and debit cards are usually Maestro/Cirrus or Visa/Plus compatible so we can do debit transactions in europe.
The online version of debit however has yet to catch on.
1) CCs offer rewards (travel, cash back), usually in the range of 2% of purchases
2) CCs offer insurance and extended warranties on some purchases.
3) CCs help you build a good credit rating, which is important for someone who intends to apply for a mortgage at some point.
4) CC offer superior protection to debit cards. Yes, CC fraud may be easy, but as the card holder you will almost never be on the hook.
I've had my CC compromised, the bank detected it immediately and issued me a new one. Never was there any question who would bear the cost of the 5-figures that the fraudster spent. My brother had his debit card compromised once and the story was completely different. The bank wanted him to prove that the fraudulent transactions were not his and he had to go to great lengths to do so.
My personal preferred order of payment is:
Debit (last resort)
However, I never do cash cause I never have cash on me. It's Credit for reward and then debit.
That said, I know a lot of people who don't do the rewards maximizing. Programmer/engineer crowd tends to self-select for people who are logical and number inclined.
This has been as simple as someone using a copy of my card to buy candy and video games, something I could have done but didn't in this case.
Really impressed with the services of my banks when it's come to debit fraud.
We probably have old misbehaving banks to thank for our relatively consumer friendly credit card laws. In countries where the banks weren't quite so abusive the laws could be much weaker and give Debit cards an advantage.
That's because merchants pay 3% or more for a creditcard payment, and something like 0.8% for a local bank card payment (with the online equivalent iDeal). On top of that, there is much more risk accepting the creditcard with chargebacks, while the banks guarantee normal/iDeal payments. So most merchants here really dislike creditcard payments, it "costs them" much more.
Of course I understand that this is not a solution for accepting payments internationally. What I say is that the whole creditcard payment system, as it currently works, should be replaced by something saner, something that looks more like iDeal.
The new regulations apply from 09 December 2015:
Last year it was VATMOSS on 1 January (when lots of people are on leave and lots of purchases are made due to stores running sales, especially online).
ONS retail sales per week in the UK are £9B in December vs. £7B in April or June (last 12 months figures, http://www.ons.gov.uk/ons/rel/rsi/retail-sales/index.html).
Check this response from paypal: PayPal told us that the “European Union’s regulation of Multilateral Interchange Fees (MIF) does not apply to PayPal as we are not an inter-bank card scheme and the fees PayPal charges businesses are not interchange fees”.
As for ATMs, go find a 7/11 or a Post Office and those will work.
We do have both ideal type payments and credit card payments in Finland (I assume ideal is a direct bank payment to merchants account?)
I still personally always use credit card if possible as it gives the customer extra layer of security. For example in cases where you purchase something quite expensive let's say a holiday package if the company does not deliver the holiday, goes bankrupt etc you will get the money back with CC but NOT if you have paid directly via web bank payment form.
Same thing with online fraud, if you pay to fraudulent website it's going to be extremely hard to get your money back if you have paid it directly to scammers bank account.
I was thinking of using recurly and this has put me off somewhat.
The thing you need to remember is that you do have options. If you choose a gateway with good fraud tools, or a gateway that integrates with them, we upstream that information to you. Traditionally Recurly has left fraud up to the gateway because they are much better at dealing with it, but we are now seeing the need to offer some more professional fraud tools by default at the Recurly level.
Feel free to email me if you want to have a discussion about it: email@example.com
Why would using FastSpring be safer than using Stripe?
Fraudulent chargebacks is bad, both economical and psychological. As an online seller it is part of life, but you want to keep it to a minimum, say < 1% of all transactions. I wholeheartedly support the sentiment of the OP, do not use Stripe nor do this in-house. Instead, use a payment provider with a proven fraud protection system, such as PayPal.
For us, there's one killer technique. Detect fraud however you want to / can (this can be a mix of heuristic data from your stats, third party, or whatever you want) - but when you detect it - don't decline the user.
Send them to a fake purchase confirmation page.
Suddenly they'll be getting 100% success from your site, and they'll drop you immediately.
On the backend, put the transaction to manual approval, so if it IS a legitimate client, when they email you, you can manually approve the order.
Over the years, as others have pointed out, detection methods change, but using the above technique invalidates their reasons test with your site. (very similar to Mailinator's technique for people scraping their site.. http://mailinator.blogspot.fr/2011/05/how-to-get-gmailcom-ba... )
> Regarding his fraud issue, I found that my website was being used in the same way when I added a credit card payment form. I implemented a system that first does an "Auth". If that passes, then I pass details to MaxMind and get back a response with a "riskScore". If the score is too high, I void the auth and decline the transaction. This has saved me a lot of chargeback fees, though it's still not perfect. I prefer PayPal because a "not authorized" just reverses the transaction; there is no chargeback fee.
- Osiris (HN user)
IMO, there's more worth reading in that subthread. It's an interesting topic, at least to me. I feel sympathy for any merchant that has to go through this kind of pain.
I actually ran into an issue a little while ago in that I allowed my MaxMind account to run out of queries. Not realizing this, I saw a few days of higher than normal sales but just assumed it was a good day. When the first chargeback came through, I immediately noticed the problem, bought more credits, then began to go through each transaction one and a time and noticed a pattern in the email addresses (all two words followed by 3 numbers @hotmail.com) and individually refunded each and every one of them.
I still got chargebacks but I was able to dispute them by showing that the transaction had already been refunded.
My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.
On a side note, I found that nearly all of my fraudulent purchases came from Vietnam to the point that at one time I put in an IPTABLES rule to block the entire country.
The banks and companies like Visa/MasterCard in Turkey use something called 3D Secure , in which you are directed to your bank's 3D secure page and enter a code that is sent to you via SMS and your CVC number so they have 2-factor auth. Most of the merchants I used in Turkey supported 3D Secure but I don't know the situation with other countries.
Banks in Turkey still support the processing system that is currently used worldwide however some banks have an option where you can cancel all non-3D-Secure online transactions.
Also the chip-and-PIN standard was conceived in 1990s AFAIK so the smart-chip cards are not new at all, they are just not adopted in some countries like US.
I have to use it with most online shops here in Switzerland.
That redirect will kill conversion rates too, being redirected to a site you didn't expect claiming to be your bank but not matching its URL... of course it will freak some people out. Consider that some banks make the Verified By Visa password the customer's birthday (ie something easily researched) and you quickly realize it's a horrible system.
Our bank refunded it alright, though it took about a month, but the next week I received an SMS with a 3D Secure confirmation number for a similar payment, in HKD, with my own card (by the way, the only place we used both cards for payments was Taobao). I was able to call my bank which blocked the card and quickly issued me a new one. At least in this case it both saved us, our bank and some unknown online shop, time and money.
Also, I think the smart way to do 3D Secure is what capitainetrain.com does, they use it only for the first payment of a customer (and explain what's going to happen during the payment process) and all subsequent purchases don't go through it (since the customer has already been verified as being legitimate). It only works when you expect customers to come back regularly, though.
Using customers birthdate is indeed a very poor authentication mechanism, but even that is going to defeat the majority of fraudsters who are simply trying to bulk-authenticate a list of CC numbers. Personally, I don't give my real birthdate to any website unless they have a very good reason for knowing it.
My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.
But since the actual authentication mechanism is left up to the card issuer, there's nothing to prevent them using more advanced systems - like 2-factor authentication, hardware tokens, etc.
How can the bank know what any of the letters in your password are unless they are storing it insecurely?
It's not a good solution anyway. A phishing page could easily claim the entered password was wrong and ask for another one (starting at another offset). Most passwords are probably <= 9 characters, so you'd have the full password after 3 attempts.
Fishing attacks are difficult because the attacker would have to be able to determine which bank a card was issued by, and present the correct 3D secure interface specific to that issuer. Many issuers also add a customer-personalised image or message to the interface to further reassure customers of authenticity.
The only alternative I can think of is that they'd also create and store a hash of every possible three-letter combination based on your password which does not seem likely.
It works as follows:
- Merchant redirects me to his payment provider
- I enter my debit/credit card number into the payment provider screen
- I am redirected to my bank website, and am able to verify the URL (no iframes anymore!)
- My bank has two methods of verification: scanning a QR-code with the mobile banking app on my phone, or logging into the online banking website (with a Vasco DIGIPASS 836, which requires a debit card+pin to generate a OTP)
- I verify the amount and creditor in the mobile/online banking app, and sign the transaction with my mobile pin/digipass.
- I am redirected back to the merchant.
All in all, I think it costs me 30 seconds to complete the extra 3D-Secure steps when using my mobile banking app.
Everyone uses it now in the UK and you always get redirected to the exact same page. I expect it, it doesn't put me off buying.
So it's a bad objection to the system, because once everyone's using it, it becomes the norm. Yes, there will be a dip in conversions to begin with as consumers are scared by the new page, but it will recover. Some people's implementation sucks, but that's a different matter.
It's a complete flip of a coin whether the dodgy collection of forwards and cookies and iframes will go wrong somewhere, and such failures are always handled in the most user-hostile ways. I can completely understand why Amazon and so many other retailers just don't bother with it.
Visa's own documents now recommend only using Verified By Visa on transactions that look suspicious after running risk analysis, and cite that using it on all transactions was resulting in a 3 - 5% Abandonment rate in the UK.
"Higher conversion rates – following the implementation, abandonment dropped from over 4% to under 1%"
Given how few sites actually implement it, it becomes a pain to use if you have to dig out the password or set it up on first use.
I can never work this out; it seems that scammers from different countries (or using hacked servers / proxies?) are attracted to different sites or types of ecommerce sites.
- One of my sites has huge fraud from Ukraine and Russia
- Another from Indonesia
- Another's problem country is Pakistan
I typically use https://siftscience.com to identify fraud, plus country-level blocks where it makes sense.
Damned shame that all the legitimate users from a given country get blocked thanks to the fraudsters!
Still many orders originating from Mexico seemed like they might be genuine, as the customers had filled in the questionnaire with their favorite animes etc. valid looking answers, so I didn't want to block the entire country.
My theory is that there really was some kind of media mention there, which resulted in some real orders but also some fraudster happened to hear about the service that way as well.
it seemed possible that I had been mentioned in some local
You may be interested in the system I use with my bank in the Netherlands.
The old system worked like this: The bank gave me a device they called a "Random Reader". To make a payment, I had to insert my card into the device, enter my pin, enter a (random?) number that the payment site gave me, and enter the amount. It then gave me a number back that I had to give the website, which authenticated me.
These days I use a "Rabo Scanner", which works the same except instead of entering a code and the amount it has a camera on there that scans a kind of barcode on the screen that contains that information.
So it does use the smart-chip, and the (8-digit) pin changes every time you make a payment. You do have to take the device with you, but it isn't very big.
Since pro accounts initially cost £6 for month, it turns
out that this is low enough that it won't send red flags
to stolen cards
Edit: more importantly I never even thought Inwoukd need to implement fraud detection - is there a primer on "things you never thought of when selling on line - from VATMOSS to Vampires"?
So if you sell something small, you'll be used to validate newly bought cards before they go off and buy $1000 of something else.
So I cancelled VeriSign and the merchant account, and use paypal and Amazon Payments instead.
I did make the rounds of a few banks, all were eager to set me up with a new merchant account. All gave me blank stares when I asked if they had any means of preventing carding attacks or other frauds.
 A carding attack is when there's an attempt to buy something for $0.00, just to see if it is rejected or not. I was getting one every minute or so. I got charged for every one of those, and so soon had racked up a grand in charges.
It's not my idea of fun to try look at these transactions manually, so until I get a motivation boost to go through with the integration it'll probably be PayPal-only.
I really like https://siftscience.com.
The important thing is to not over-think things; it's rarely that case that you truly, honestly, really need real-time automated fraud detection.
Start with implementing the absolute bare minimum. You'll then receive emails from e.g. Sift when a bad user is identified, and you can manually refund the transaction, cancel the order, and block the user.
Suddenly one day, hundreds of donation attempts. Checking the failed transactions, the script was trying $1, then $2, etc up to $22 then starting over, each time with a different number. About $200 in successful donations came through before I caught it.
So I just shut it all down for now. I'm not really sure how best to fix it. The club has no money and already complain about the transaction fees they get charged per swipe (and those are all pretty standard rates in the U.S.). Being a non-profit, they expect a lot of stuff for free, and unfortunately won't consider paying for an anti-fraud service. Even PayPal takes too big a cut.
Realizing that this wasn't a helpful comment, just a "me too." It sucks. Oh well.
It's the financial equivalent of having a tumor that will kill you and refusing the surgery because the doctor says you have a chance of dying on the table.
Of course, that conversation happened way before the site was used as a credit card validator. Trying to explain to them the bad side of charge backs and why this is a big deal is an on-going challenge. The last time I discussed it with them, they kept asking me if they were going to get stuck with all the transaction fees.
And, being a developer, my first gut instinct is stepping back and saying "you're wasting money here and here and here and here, cut down these inefficiencies and it'll all balance out." However, it's not as simple as that. Everyone needs to be on board, and the people in charge of these things are already overworked and not highly paid.
A catch-22, I suppose. I try to stay out of it as best I can. I made them the site for free in exchange for our two kids to use the club's stuff for free, and with those inefficiencies I hinted at, I can't afford to get caught in being the role of business consultant too.
1: Using the site as a credit card validator. Only the real ones will get through.
2: By making donations to places with a stolen credit card little bits at a time, it establishes a wider pattern of use for that card. Fast forward a couple steps ahead, the purchases are getting a little weirder each time, and before you know it, you're at whatever level people use stolen cards to buy.
3: Tiny non-profits generally do not have a great deal of extra man-power to deal with such things, and there's a better chance that this sort of behavior goes unnoticed.
4: When people see weird charges on their card, some people are more likely to feel bad enough taking away money from a non-profit organization that they won't report the abuse, or they may not question it if the card is joint-used.
I'm sorry that I don't have sources on these, the research was from a couple of months ago. It's pretty frustrating and there seems to be little retribution for things. You have to just change your charge flow and move on. :/
Even if you don't use us, we published some articles to help merchants new to dealing with fraud:
Deep down, I would love to support TOR in principle. I know there are people living in oppressive regimes that need access to information. I want to support that side of TOR. In reality it's still the transport tunnel of choice for scammers and criminals. The costs just don't outweigh the benefits. Considering the CDNs that block TOR (Akamai, Cloudflare, Incapsula, etc), you wouldn't be the only one blocking TOR. I'd also throw in EC2, GCE, Azure, and Rackspace IP's too.
I wonder if there might be an opportunity there? Or if the solutions have to be so custom that it'd be impossible to work out.
Mastercard and Amex have equivalent services, and these are all widely implemented by websites and card issuers in Europe and other countries.
I suppose they are not so widely deployed in the USA or Japan, but at the very least, you'd protect yourself against fraud involving cards issued in countries that do use it.
A PIN can be required for "cardholder present" transactions in most of the world. Some combination of card issuer, transaction processor and merchant decide at what value transactions may proceed without a PIN — e.g. a train company's actual loss from a fraudulent ride is very small, so they might not want the delay of asking for a PIN on a ticket machine. Similarly for McDonalds. But if you're buying a TV, you will need to use a PIN.
It's almost 100% of transactions in much of Europe, over 80% in Africa and South America, lower in the old Soviet Union and Asia: https://www.emvco.com/about_emvco.aspx?id=202
Unless the customer is using contactless payment card?
Newer payment terminals can support device-based customer verification for contactless transactions, called CDCVM. The transaction limit doesn't apply if CDCVM is used. This is the mechanism used by Apple Pay, where you verify your identity using your fingerprint via Touch ID.
My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers.
That's terrifying, really. They shouldn't have any way of getting that data out of the hashed password.
But then the bad guys found it. And individual users started updating their card details dozens of times each day.
This went on for several days before I noticed it in the logs. It was easy enough to fix: users now get one update per year, unless they email me and ask what's wrong with that card update page. The bad guys moved on to greener pastures and life went back to normal.
I remember we used to deal with a lot of this at Twilio, except the carders would then also try to cash out the credit card into Twilio credit. The pattern was try to spend $10 on a card, then one minute later try to spend $1000 once the first charge went through.
But it's a lot less costly than toll fraud, which I learned the hard way working on our auth system at https://charge.co.
It's almost like they want to charge you those fees!
GoCardless (Direct Debit, EU only at the moment) is one company that doesn't charge a fee for chargebacks. They take on all the risk themselves.
Also happy to answer any questions about general mitigation techniques.
Edit: Interestingly enough, www.smyte.com is fine, but smyte.com yields the 500 error.
What's the difference between you and Sift, and what advantages do you offer over them?
>Happy to chat more about specific use cases over a medium that's better suited to it; mind shooting me an email?
Well, I could do that; I'm just not sure why you'd invite questions on a public forum and then quickly switch to email :-)
That said, I really don't know why anyone would want to try and write their own payment integration gateways nowadays. There are so many good alternatives out there. Why not use them? You should focus on what you love, not payment processing. If you're just selling simple goods, you can easily setup a store on Shopify, Weebly, WIX, etc. Let them handle the fraud stuff. Sure, you might be on the hook for a few bad charges here and there, but at least you didn't waste hours writing payment code.
So far it's worked for me.
I definitely agree no Dev should write their own gateway. There are great ones out there who are developed by people who are paid to do nothing but that.
Maybe you should set yourself up some email alerts when things seem 'off'. i.e. no referral, and the user/bot spends no time filling out the form and hitting submit. What's your glue code like?
I'm rootin' for ya. :-)
This fraud would have been easy to detect if there had been any kind of detection system in place. But I had no fraud checking, captcha or 3-D secure, as I hadn't expected there to such a "fraud wave".
Those payments didn't feel like necessarily coming from a bot, as there were time delays and for many purchases they even filled in the questionnaire. It felt more like someone had a pile of numbers they were entering manually.
My form made that easy to do, as I had tried to eliminate any field which wasn't absolutely necessary.
Definitely wouldn't discount that possibility. Unrelated to CC processing, but we used a service that gave us a device ID on signups to detect people signing up multiple times (a tipoff that fraud was likely to come).
We later found fraudsters were using Amazon's Mechanical Turk to get real people to register manually, thus getting around our device detection.
If a bunch of people had bought these packs of stolen cards, wouldn't they be spreading out over a bunch of different sites?
This is also why fraud detection is a big industry, you basically need full time staff to analyze the current types of fraudulent transactions and update your filters as fast as the criminals update their systems.
The credit card security model is broken as designed with the exception of chip and pin and chip and signature.
Uptake for 3D Secure is uneven around the globe. Some places it is mandatory and others unheard of. For example not using it will negatively impact close rates in India but using it in the U.S. will negatively impact close rates.
With 3D Secure each issuing bank was responsible for how they implemented the process and it varies widely in both ease of use and security between issuing banks. Some banks may use simple passwords that can be fished while others may use one time pins sent by SMS to your mobile.
When a merchant uses 3D Secure fraud liability shifts to the issuing bank and the merchant gets a discount on the interchange. This is also true when the bank hasn't implemented 3D Secure or has done so poorly. Because of this when 3D Secure was launched some banks put out systems that were non-functional simply to avoid the liability shift (i.e. it would prompt for a password but there was no functionality to create one). Issuing banks have gotten their act together in the last decade but it's still uneven.
Even when a merchant implement 3D Secure the merchant still needs to manage fraud levels to card association rules even though the merchant does not have liability for the fraud. This is the "we have to assume the risk but we don't have to do business with you clause." Individual issuing banks may chose to decline all of a merchants transactions if loss rates are unacceptable and the merchant may still lose their merchant account if overall loss rates are too high. However because the charge back shifts to the banks the merchant may not even know which transactions are fraudulent.
Recently rules have been changed so that banks aren't required to prompt for authentication in all cases. This is called risk-based-3D secure. So even if Candy Japan had implemented it he still may have seen the attack because the banks may not prompt for that low of an amount. He wouldn't be out the money but still may be in trouble with the association if he didn't do something to stop the attack.
When looking at automation there are two fundamental risk that any solution needs to address. The first one is class separation which in the industry is known as scoring or out-sorting. In this area machine learning algorithms are well understood and there are a few companies on the market that will rent merchants a model such as Sift Science or MaxMind.
The second one is anomaly detection and in the industry this is know as velocity control. The problem is similar to detecting a hacker once they have penetrated the network, detecting a bio-terror attack based on hospitalization data or detecting insiders who have flipped. These types of things have generated a lot of military interest and a lot of DARPA funding but little of it has made it into the commercial market due to the high rate of false positives.
Card testing is one example of a 'high velocity' attack and are usually the work of professionals. High velocity fraud has been more common with digital goods but more recently we've seen more high velocity attacks where an attacker will upload a merchants products on a site like Amazon or eBay. When the attacker gets a sales they will use stolen credit cards to get the trageted merchant to fulfill the order. Since these are professionals they generally will have tested the merchants fraud systems to understand what is considered low risk by the merchants fraud models and unless the merchant has some monitoring losses can be very high by the time the charge backs start coming in.
Currently there is no automated, fool-proof method for managing these high velocity attacks that I'm aware of. Merchants initially started putting limits around the number of times that a single card could be used and the attackers responded with SQL injection attacks to get card in mass. Merchants responded with limits on email addresses or other data points and the attackers responded by mass registering emails on free email providers and registering their own domains. Merchants responded with limits on IP addresses and used of geo-ip location services and attackers responded with open proxies and VPNs. Merchants responded with limits on orders from co-location facilities and VPN providers and attackers responded by compromising end-user machines en-masse. Merchants responded with proxy detection and device fingerprinting and attackers responded with using RDP to end-user machines to launch attacks. And it continues.
To be able to compile and sell these packs, the carders need to know which ones are valid. To do this, they will use an online store or service to place an order for the sole purpose of seeing if the charge goes through or not.
So if I did a test of showing only PayPal to half of customers and PayPal + credit cards to half, the one with CC could win just because of the fake sales.
At least then you don't get hit with chargebacks.
You can complete the transaction by sending a 'completion' request, at which point the credit is gone.
The preauth also has an expiry. If the preauth expires, the funds are released with no transaction taking place.
So when a user signs up, take a preauth. If you have any reporting on your sales, like this guy, you can check for any anomalies before fulfilling orders. Anything that looks odd, don't complete the order.
Are they too expensive per purchase?
(And typical checker traffic is more like thousands of transactions rather than tens)
It seems much much more likely that someone was just trying to card some candy.
Could you start shipping biscuits or chocolate candy again, I am a bit disappointed with the stuff you currently include in your packages :-(
1) It's a pull instead of a push. Anybody with your CC details can attempt to charge it. Bitcoin model is much more sane.
2) There's not even a "approve the charge" option.
3) The cartels controlling the credit card systems charge insane amounts of money for transactions, attempted or real.
I really want Bitcoin or some other alternative to succeed.
Transaction fees for a failed credit card payment? Its more than insane.