I have a website that processes a fairly small number of monthly credit card transactions, 1-4 per day. However, it didn't take long for the website to be used as a place for requests, mostly from Vietnam, to check the validity of CC numbers. It cost me a lot of money in chargeback fees.
I ended up implementing a system using Braintree to do
1) Request an AUTHORIZATION for the amount
2) If the AUTHORIZATION fails, return the error (sounds like I need to change this part, but how to do it without hurting legitimate users?)
3) Send information, including IP and email address, to minFraud
4) If the minFraud riskScore is >= 20, request a VOID on the authorization request
4b) If the riskScore is low, submit a REQUEST SETTLEMENT on the AUTHORIZATION
This has worked extremely well, but a few still slip through the minFraud check.
Even though Braintree offers its own fraud checking, I still feel more comfortable with minFraud. I really wish that processors like Braintree would put more effort into fraud detection.
I NEVER have this issue with PayPal transactions. Even if it's fraud, they just reverse the transaction and there's no chargeback fee.
I am a native-born American citizen living in Russia.
The amount of grief that your solution causes me is significant. I'm a legitimate customer who does nothing fraudulent. However, whole swaths of the internet treat me as if I have leprosy just because my IP address is in Russia.
I don't know how to say this without coming off harsh, so I'll say it and ask you to use the principle of charity when reading it.
If the Russian state refuses to stamp out crime that is causing negative externalities, then people should rightly stop dealing with people inside Russia as a logical response.
Part of the role of a government apparatus is to enforce social norms. Culture plays a similar role. They aren't the same thing, but they do have similar attributes.
Please note that I am not criticizing any governments or culture; I merely wonder why we're OK with nationalism like this, but not racism.
> I merely wonder why we're OK with nationalism like this, but not racism.
I'm not appealing to nationalism? "Russia" could be a stand-in for any controlled territory.
For example many businesses that trade online in the US attempt to exclude people from the Eastern District of Texas in their terms and conditions. Why? Because the courts there are very friendly to plaintiffs in patent cases and they'd prefer not to get sued in that jurisdiction.
That district is causing a negative externality to people outside of it, so they refuse to do business with it.
Freight forwarders are how most of us outside of the US get stuff from companies that only ship to the US - There must be a market for such services that ship to Russia too.
As a seller, it is not your responsibility to compensate for the fraud issues impacting your customer's ability to participate in the marketplace without it being worth it.
I don't know exactly what causes Russia to be a fraud hot spot but Australia not to be, but the issue can only really be resolved inside Russia.
Because it's trivial for Vietnamese carders to pretend to be from any country they need to be if you're checking? They don't even need to actually get your delivery to win, they're just tasting for validity.
We ran a fairly prominent online store for two years, and had huge amounts of fraud from the countries you mention.
We essentially stamped it out overnight by giving false positives. If we detected an order as fraudulent (and you can do it in a number of ways, that you seem to be doing) - we'd show a 'Successful Order' page and send them a success email.
The guys that were pre-testing cards had bad data, and the guys trying to fraud would have to wait .. weeks to find out nothing came in the mail, and then try again, unsure what got them caught in the first place.
Personally, I'd avoid trying to interact with their card. Authing / voiding is going to cost you money, and if it slips through, you'll get a chargeback.
We only ever had one 'false positive' (or false-negative..?) - the guy emailed us inquiring about his order, we took some extra steps to check his card, and the problem was solved.
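The two orderings discussed in this thread, side by side, as an added example that is not part of any post: `auth_first` follows the authorize, score, void-or-settle steps from the first post, and `score_first` follows the reply above, where a flagged order gets the success page and the card is never touched. `FakeProcessor` and `constructed_score` are hypothetical stand-ins (not the Braintree or minFraud APIs), the outcome strings are assumptions, and only the threshold of 20 comes from the thread.

```python
from dataclasses import dataclass, field

RISK_THRESHOLD = 20  # from the first post: void when riskScore >= 20


@dataclass
class FakeProcessor:
    """Constructed stand-in for a card processor; not the Braintree SDK."""
    valid_cards: set
    calls: list = field(default_factory=list)  # every billable card interaction

    def authorize(self, card, amount):
        self.calls.append(("authorize", card))
        return card in self.valid_cards

    def void(self, card):
        self.calls.append(("void", card))

    def settle(self, card):
        self.calls.append(("settle", card))


def constructed_score(order):
    """Hypothetical scorer standing in for a minFraud riskScore lookup."""
    return 85 if order["email"].endswith("@throwaway.example") else 3


def auth_first(order, processor, score):
    """First post's flow: authorize, then score, then void or settle."""
    if not processor.authorize(order["card"], order["amount"]):
        return "declined"       # step 2: the error tells a tester the card is dead
    if score(order) >= RISK_THRESHOLD:
        processor.void(order["card"])
        return "voided"
    processor.settle(order["card"])
    return "settled"


def score_first(order, processor, score):
    """Reply's flow: a flagged order never reaches the card."""
    if score(order) >= RISK_THRESHOLD:
        return "decoy_success"  # show the normal success page, charge nothing
    if not processor.authorize(order["card"], order["amount"]):
        return "declined"       # low-risk customers still see real errors
    processor.settle(order["card"])
    return "settled"
```

With `score_first`, a flagged order produces the same outcome whether the card is live or dead, while a low-risk customer who mistypes a card number still gets the real decline.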