Results 1 to 6 of 6
  1. #1
    Join Date
    Mar 2002
    Posts
    154

    How secure is fully automated CC processing?

    I've been looking at various automation tools and I'm wondering if full automation is a good thing or if it could leave me with hundreds of dollars of fraudulent charges. To me it seems, that somebody with a fraudulent credit card could do an incredible amount of damage with a system like phpmanager where once a CC is approved an account is automatically created. It's even worse with domain names since they are non-refundable.

    Do CC processors like 2checkout, Authorize.net take responsibility for transactions they approve which later turn out to be fraudulent or does the merchant? I'm thinking it should look something like this:

    Customer makes CC transaction -> CC processor approves -> automation script -> creates service/product

    I guess the question comes down to giving customers instant gratification vs. own security/liability.

    Do most people use full automation or somekind of semi-automation? I'm interested to know what others have done in this situation. When I look at the popularity of phpManager, I assume a significant percentage must use full automation.

    Greatful for any advice

  2. #2
    Join Date
    Jul 2001
    Location
    Boston
    Posts
    354
    I don't believe that accounts HAVE to be automatically created with phpManager. They can be put in a "Pending clients" area where you have to activate their account.

    I decided not to go with full automation. Most (of my) customers didn't have a problem waiting a few hours for me to get around to activating their account... plus it really doesn't take much time.

  3. #3
    Join Date
    Jul 2001
    Location
    Australia
    Posts
    113
    Dont revecom.com and 2checkout.com do a security check(all this stuff advertised on there site about creditcard checks or something) first befor they give you the go ahead?

  4. #4
    Join Date
    Mar 2002
    Posts
    154
    mikeknoxv :
    I don't believe that accounts HAVE to be automatically created with phpManager. They can be put in a "Pending clients" area where you have to activate their account.
    Yeah, I've heard of this but wasn't sure how clients would react. I'm less concerned with web hosting clients as I am with domain name purchases. I would think that with domain names, customers are eager to claim that domain before anyone else. Imagine somebody signing a domain with you and while that order sits in "Pending clients" it is snapped up by somebody else.


    Vinh:
    Dont revecom.com and 2checkout.com do a security check(all this stuff advertised on there site about creditcard checks or something) first befor they give you the go ahead?
    Yes, I will have to verify this with them personally. But from what I can gather, transactions can be approved and 24 hours later they can notify you that the transaction was a fraud. This is not a problem with webhosting because you can quickly cancel the account but with domain names, if a fraudulent buyer purchases a hundred domain names, I cannot undo a domain name purchase.

    I guess I will have to risk the customers domain name being bought up for the sake of my own liability/security.

  5. #5
    My suggestion is to not commit to anything like that anyway in regards to domain names. Let the client pay for the domain name, there's no reason to get involved in that aspect, and it's better to let the client fill in whatever information for contacts they want. Unless you're an openrs, you can simply assist them and even provide some gateway to a registrar of your choice to make it a little easier by how the fields are described. I think then the big concern would be people using these cards to get into your server and then who knows what. What is the nature of the way you register domains anyway?
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  6. #6
    Join Date
    Dec 2001
    Posts
    539
    The inital verification is simply that the Credit Card company approved the sale, and that the customer input enough correct information to pass the AVS & CVV2 screening.

    If the AVS was tuned to 100%, there'd be numerous complaints about cards being rejected for an address or phone number typo....or because some one puts 4 - 79 Blah Street, when their CC company recognizes it as 4-79 Blah St., or Apt 4, 79 Blah Str.

    Currently, any transaction that fails a part of the AVS, but still passes the original screen, generates a "High Risk" email. This warns the seller to take more care in servicing the order.

    We are programming a variable to be included for e-products and auto scripts, that would save sellers from supplying the downloadable product automatically, to find the transaction ended up getting kicked as fraud.

    This would come into play for hosts that automatically set up accounts from the transactions received. In the cases of a transaction that triggers the variable, the scripting on your end could hold the order for manual input.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •