I have been reading the post in here about credit card fraud and different billing software with automation and still have a few questions on how the system flows.

1. Doesn’t a merchant account like Authorize.net protect against credit card fraud? They say they have the most advanced system in the world that protects against fraud. I understand that it's not 100% but are there better merchants that have a better verification systems than others?

2. How do you know when you have a fraudulent account, instant, days, weeks, months? How long does it take to know?

3. If you are using an automated sing up like PHPManager doesn't that (or can) have pending account creation before based on acceptance or rejected customers based on their credit card information before their account it set up? But I guess is would also be based off of how quick credit card fraud was detected.

4. I don't really understand why someone would want to use a stolen credit card to setup a hosting account…because they will eventually get caught and their account will be closed within a month or so… I don't see how they could even benefit from it… I must not be seeing the whole picture on this.

5. How do most companies handle this?

Thanks for in advance for any input.

-Darren

Hi Darren,

Good questions. Obviously, the one thing you must remember is that many of the fraudulent attempts and successes come from people who make a living out of frauding others.

I've never been a customer of Authorize, but i've heard that they usually do a pretty good job at checking on the credit cards.
The thing you must remember though, is that sometimes, the cards will not be reported stolen yet - because they were taken from an online database, and the owner doesn't know that his information was actually stolen. (cause hey.. the card is still in his wallet!)

As far as knowing when you have a fraudulent account, my company goes about it a different way when a customer orders from us -

*First, we have them fill out a service request form - this tells us exactly what the customer wants to purchase. It also allows us to receive their basic information (name, email, phone, etc..)
*Next, one of our Customer Agents will contact the customer via whatever means the customer asked to be contacted by (We prefer to give the customer a call).
*After making contact with the customer, we send them the contract, aup, tos..etc.. , and we either have them fax it back to us, or digitally sign it.
*Immediately after receiving the contracts, we send the customer a link to a payment form, where they enter their credit card information, and POOF! They are a paying customer.

Now, it's a little easier for my company to do this, because we only sell made to order dedicated servers and colocation services. We don't have anything that is "instant setup". However, because we make an attempt to talk with our customers via phone, or at least have them need to send us something, it really cuts down on the amount of fraudulent buyers who think it is worth the effort.

To answer your 4th question.. I think that most of the time, when you hear about a company's database being hacked.. there is probably one company's database that you don't hear about, that got hacked. Unfortunately, the stolen credit card information makes its way from criminal to criminal on the internet, and i'm betting that most of the orders that hosting companies receive come from the "newbie" hackers shall we say - most likely kids who have gotten them from someone else and obviously aren't smart enough to figure out the fact that their account will be closed soon.

It's sad, it costs people billions of dollars per year, but that's the way it is.

Final point,
Know your customers. Call them up (if it's okay with them), and ask them how their services are.. it's better to catch someone committing fraud by putting a little effort into it, than to let them steal your services for a few months, and be out that revenue.

Hope this has helped some,

Best Regards,

Nick Leavens

Nick thanks for the information... and yes it was helpful

-Darren ;)

Most fraud orders are quite obvious to detect. They don't input a real address, the telephone number is fake, the zip code dosen't exist etc. 90% of fraud you can pick up this way if you manaully approve new accounts. You can also do matches on telephone numbers and zip codes at the right place, do searches in google on the email used to see if anyone has posted the email anywhere etc. The other 10% are a bit harder when someone looks up in the telephone book a real addess and uses that. I called one person whose number was listed after they ordered my software and they said they had had about 10 calls in the last two weeks, someone was just using their address all the time with lots of different fake credit cards! There is really not much you can do about this and it is probably part of the losses you are going to have to accept (at least with webhosting you are not shipping a tangable product that you have to directly pay for).

revecom.com has a good system for detecting and stopping fraud. I have had about 25% fraud rate so far from hosting customer requests, and they didn't let anyone slip through. Most times I get the same person requesting a fraudulent account- revecom stops them- then they try to signup with another card / another name / another address and they again stop them. I am happy with revecom.com in this respect and it has saved a lot of trouble.

JDT

One thing about fraudulent sign-ups isn't so they can get webhosting....it's to see if a card is valid. They don't care if they get shut down within a month, and chances are they won't do anything with the site you set up for them (unless its spam, etc). For those folks that do any affiliate marketing, like with Commission Junction, this is a major cause for reversals. People using stolen cards will often times purchase something small to see if the card is valid....and no red flags go up.....I believe it is the same situation with webhosting. What they do after checking its validity is beyond me though...