> Regarding his fraud issue, I found that my website was being used in the same way when I added a credit card payment form. I implemented a system that first does an "Auth". If that passes, then I pass details to MaxMind and get back a response with a "riskScore". If the score is too high, I void the auth and decline the transaction. This has saved me a lot of chargeback fees, though it's still not perfect. I prefer PayPal because a "not authorized" just reverses the transaction; there is no chargeback fee.
- Osiris (HN user)
IMO, there's more worth reading in that subthread. It's an interesting topic, at least to me. I feel sympathy for any merchant that has to go through this kind of pain.
This issue is so costly and prevalent that I feel its a huge disservice for companies that offer credit card services to merchants to not either 1) mention this issue and recommend a fraud check service, or 2) include fraud protection in their service.
I actually ran into an issue a little while ago in that I allowed my MaxMind account to run out of queries. Not realizing this, I saw a few days of higher than normal sales but just assumed it was a good day. When the first chargeback came through, I immediately noticed the problem, bought more credits, then began to go through each transaction one and a time and noticed a pattern in the email addresses (all two words followed by 3 numbers @hotmail.com) and individually refunded each and every one of them.
I still got chargebacks but I was able to dispute them by showing that the transaction had already been refunded.
My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.
On a side note, I found that nearly all of my fraudulent purchases came from Vietnam to the point that at one time I put in an IPTABLES rule to block the entire country.
All of mine seemed to come from Mexico. Either IP being in Mexico or the shipping address being there.
Still many orders originating from Mexico seemed like they might be genuine, as the customers had filled in the questionnaire with their favorite animes etc. valid looking answers, so I didn't want to block the entire country.
My theory is that there really was some kind of media mention there, which resulted in some real orders but also some fraudster happened to hear about the service that way as well.
it seemed possible that I had been mentioned in some local
Since pro accounts initially cost £6 for month, it turns
out that this is low enough that it won't send red flags
to stolen cards
That's interesting (scary). What is the minimum transaction that Visa actually gives a monkeys about? And why, if a card is stolen, does not any activity flag up?
Edit: more importantly I never even thought Inwoukd need to implement fraud detection - is there a primer on "things you never thought of when selling on line - from VATMOSS to Vampires"?
It's not normally a single transaction that triggers the fraud detection, but a small initial transaction (say <$20) then one that's much larger - the first transaction validates the card works, the second one is the money grab.
So if you sell something small, you'll be used to validate newly bought cards before they go off and buy $1000 of something else.
>all of my fraudulent purchases came from Vietnam to the point that at one time I put in an IPTABLES rule to block the entire country.
I can never work this out; it seems that scammers from different countries (or using hacked servers / proxies?) are attracted to different sites or types of ecommerce sites.
For example:
- One of my sites has huge fraud from Ukraine and Russia
- Another from Indonesia
- Another's problem country is Pakistan
I typically use https://siftscience.com to identify fraud, plus country-level blocks where it makes sense.
Damned shame that all the legitimate users from a given country get blocked thanks to the fraudsters!
3D Secure was mentioned in the other thread. Folks recommended avoiding 3D Secure / Verified By Visa because so many banks implement it insecurely, and the redirect model is easy for phishing scams to imitate:
That redirect will kill conversion rates too, being redirected to a site you didn't expect claiming to be your bank but not matching its URL... of course it will freak some people out. Consider that some banks make the Verified By Visa password the customer's birthday (ie something easily researched) and you quickly realize it's a horrible system.
Here in Belgium 3D-Secure is also commonplace, and the experience provided by my bank has significantly improved throughout the years. I also don't think it hurts the conversion of webshops around here because everybody is used to performing these extra steps.
It works as follows:
- Merchant redirects me to his payment provider
- I enter my debit/credit card number into the payment provider screen
- I am redirected to my bank website, and am able to verify the URL (no iframes anymore!)
- My bank has two methods of verification: scanning a QR-code with the mobile banking app on my phone, or logging into the online banking website (with a Vasco DIGIPASS 836, which requires a debit card+pin to generate a OTP)
- I verify the amount and creditor in the mobile/online banking app, and sign the transaction with my mobile pin/digipass.
- I am redirected back to the merchant.
All in all, I think it costs me 30 seconds to complete the extra 3D-Secure steps when using my mobile banking app.
Sure, banks can do it really horribly (most of them), but some use it to force proper 2FA. For example, Nordea asks you to open their phone app and confirm the purchase (with a message that includes the total price) on there.
These verification mechanisms don't freak people out once people are used to them. Pretty much anyone who uses credit cards to buy anything online in Europe will have encountered this system before and will be more suspicious if they don't see it!
Using customers birthdate is indeed a very poor authentication mechanism, but even that is going to defeat the majority of fraudsters who are simply trying to bulk-authenticate a list of CC numbers. Personally, I don't give my real birthdate to any website unless they have a very good reason for knowing it.
My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.
But since the actual authentication mechanism is left up to the card issuer, there's nothing to prevent them using more advanced systems - like 2-factor authentication, hardware tokens, etc.
Nobody collects the birthdate. It would be validated by the card issuer against their account records. The merchant doesn't see anything that happens during the 3D-secure part of the transaction.
> My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.
How can the bank know what any of the letters in your password are unless they are storing it insecurely?
They could be storing a hash for each trigram in the password (assuming he meant three consecutive characters starting from a random offset). Although it might still leak information that could improve a brute force, I suppose.
It's not a good solution anyway. A phishing page could easily claim the entered password was wrong and ask for another one (starting at another offset). Most passwords are probably <= 9 characters, so you'd have the full password after 3 attempts.
It's not consecutive characters, it's a random set of three. One time it might ask me for the 1st, 6th, and 8th characters. The next time for the 6th, 7th, and 9th. Passwords are required to be at least 8 characters and contain a mix of letters and numbers.
Fishing attacks are difficult because the attacker would have to be able to determine which bank a card was issued by, and present the correct 3D secure interface specific to that issuer. Many issuers also add a customer-personalised image or message to the interface to further reassure customers of authenticity.
This further suggests to me your bank is storing your password in plaintext or reversibly encrypted, which is not secure at all.
The only alternative I can think of is that they'd also create and store a hash of every possible three-letter combination based on your password which does not seem likely.
Well, I used to be rather critical of 3D Secure until a few months ago. My wife's card (on our shared account) got compromised and a 300 euros or so payment was made with it. No 3D Secure enabled for her because she had not given her cell phone number to the bank.
Our bank refunded it alright, though it took about a month, but the next week I received an SMS with a 3D Secure confirmation number for a similar payment, in HKD, with my own card (by the way, the only place we used both cards for payments was Taobao). I was able to call my bank which blocked the card and quickly issued me a new one. At least in this case it both saved us, our bank and some unknown online shop, time and money.
Also, I think the smart way to do 3D Secure is what capitainetrain.com does, they use it only for the first payment of a customer (and explain what's going to happen during the payment process) and all subsequent purchases don't go through it (since the customer has already been verified as being legitimate). It only works when you expect customers to come back regularly, though.
Re: Conversion rates, as a consumer I have got used to it and it does not affect conversion for me at all.
Everyone uses it now in the UK and you always get redirected to the exact same page. I expect it, it doesn't put me off buying.
So it's a bad objection to the system, because once everyone's using it, it becomes the norm. Yes, there will be a dip in conversions to begin with as consumers are scared by the new page, but it will recover. Some people's implementation sucks, but that's a different matter.
I loathe verified by visa. I'll still buy from that site, but only in unusual circumstances. Verified by visa means I'd rather buy from somewhere else.
I'm in the UK and I'm used to it - used to it being a crock of shit.
It's a complete flip of a coin whether the dodgy collection of forwards and cookies and iframes will go wrong somewhere, and such failures are always handled in the most user-hostile ways. I can completely understand why Amazon and so many other retailers just don't bother with it.
Unfortunately the link I'm sharing here is outdated, but Verified By Visa is absolutely a conversion hit, even in the UK. The conversion rate hit was anywhere from 6% to 60% initially.
Visa's own documents now recommend only using Verified By Visa on transactions that look suspicious after running risk analysis, and cite that using it on all transactions was resulting in a 3 - 5% Abandonment rate in the UK.
"Higher conversion rates – following the implementation, abandonment dropped from over 4% to under 1%"
Let me say I vastly appreciate the honesty in your blog series having caught up just now. It's good to hear others have these worries and can learn - if painfully !
> My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.
The banks and companies like Visa/MasterCard in Turkey use something called 3D Secure [1], in which you are directed to your bank's 3D secure page and enter a code that is sent to you via SMS and your CVC number so they have 2-factor auth. Most of the merchants I used in Turkey supported 3D Secure but I don't know the situation with other countries.
Banks in Turkey still support the processing system that is currently used worldwide however some banks have an option where you can cancel all non-3D-Secure online transactions.
Also the chip-and-PIN standard was conceived in 1990s AFAIK so the smart-chip cards are not new at all, they are just not adopted in some countries like US.
> My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.
You may be interested in the system I use with my bank in the Netherlands.
The old system worked like this: The bank gave me a device they called a "Random Reader". To make a payment, I had to insert my card into the device, enter my pin, enter a (random?) number that the payment site gave me, and enter the amount. It then gave me a number back that I had to give the website, which authenticated me.
These days I use a "Rabo Scanner", which works the same except instead of entering a code and the amount it has a camera on there that scans a kind of barcode on the screen that contains that information.
So it does use the smart-chip, and the (8-digit) pin changes every time you make a payment. You do have to take the device with you, but it isn't very big.
Osiris' info was useful. I really also need to put in some fraud detection like that. But there are so many companies providing that service, I'm not sure which one to go with. How involved is it to integrate these?
It's not my idea of fun to try look at these transactions manually, so until I get a motivation boost to go through with the integration it'll probably be PayPal-only.
The important thing is to not over-think things; it's rarely that case that you truly, honestly, really need real-time automated fraud detection.
Start with implementing the absolute bare minimum. You'll then receive emails from e.g. Sift when a bad user is identified, and you can manually refund the transaction, cancel the order, and block the user.
I'm thinking about integrating with siftscience. How trustworthy are they? It looks like you need to send them information about your users and give them script access on your page in order to help identify fraudulent transactions. (which is completely reasonable but still requires a lot of trust on our part)
Something like a simple proxy / VPN IP detection should be used because I assume most of the "carders" don't use their home IPs. There are decent free solutions online like W I T C H and GetIPIntel.
I was using VeriSign for years. Then my site got hit with a "carding" [1] attack. VeriSign was simply not interested in helping with it, the merchant bank I had coupled it with was not interested either.
So I cancelled VeriSign and the merchant account, and use paypal and Amazon Payments instead.
I did make the rounds of a few banks, all were eager to set me up with a new merchant account. All gave me blank stares when I asked if they had any means of preventing carding attacks or other frauds.
[1] A carding attack is when there's an attempt to buy something for $0.00, just to see if it is rejected or not. I was getting one every minute or so. I got charged for every one of those, and so soon had racked up a grand in charges.
From the article, it sounds like they are working in using an existing fraud detection service, would be interesting to see what goes into that sort of service.
Presumably, it would at least involve implementing "Verified by Visa", which protects online transactions by requiring a password or PIN.
Mastercard and Amex have equivalent services, and these are all widely implemented by websites and card issuers in Europe and other countries.
I suppose they are not so widely deployed in the USA or Japan, but at the very least, you'd protect yourself against fraud involving cards issued in countries that do use it.
I'm obviously not an expert, but is there a way to require someone to enter the pin that they use when they buy something in person? (I also found the following FAQ from the link you gave amusing "Why do we need Verified by Visa? Hasn’t Visa been taking my security seriously before?")
The actual authentication mechanism is left up to the card issuer. But using the card's PIN would be considered insecure due to the risk of malware/key-loggers intercepting it.
My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers.
Which may mean that either the bank is storing your password as plaintext (or is hashing every three character combination possible, which would also help a hacker figure out the plaintext).
Well, it's a bank. If a hacker can penetrate to the point that they can read passwords directly out of the bank's account database, then you have far greater things to worry about than just a compromised password.
Unhashed passwords means a SQL injection hole goes from "I can read some interesting transaction histories and balances" to "I can log in and make bank transfers in everyone's account". There's a reason bcrypt one-way hashing is the recommended standard for any web app.
3D Secure can use 2 factor authentication, using a dongle supplied by your bank. Unfortunately there are so many other problems with 3D Secure that I wouldn't trust it except on high profile websites or for very technically competent users who are able to check the originating site and certificate of the iFrame used (ie. very few people indeed).
> is there a way to require someone to enter the pin that they use when they buy something in person
A PIN can be required for "cardholder present" transactions in most of the world. Some combination of card issuer, transaction processor and merchant decide at what value transactions may proceed without a PIN — e.g. a train company's actual loss from a fraudulent ride is very small, so they might not want the delay of asking for a PIN on a ticket machine. Similarly for McDonalds. But if you're buying a TV, you will need to use a PIN.
There's a (relatively low) transaction limit for contactless payments without additional verification. So, to buy a TV, you still need to enter a PIN.
Newer payment terminals can support device-based customer verification for contactless transactions, called CDCVM. The transaction limit doesn't apply if CDCVM is used. This is the mechanism used by Apple Pay, where you verify your identity using your fingerprint via Touch ID.
That's very interesting, thank you. I've always wondered what the process is for deciding whether to ask for a pin. It's strange to me because I think of someone being there with the card as being more secure than accepting a payment online?
There is a huge opportunity there for companies like Stripe to buy eg MaxMind and integrate a quality risk scoring system directly into their payment solution. It's an obvious product expansion for someone like Stripe. Kind of hard to believe they haven't already gone after this.
PayPal does to some extent. And then people complain about how expensive PayPal is. In a commodity, race to the bottom world of cc processing I am not sure it would be a good business practise to bundle fraud prevention and processing. Let people be bitten and then willing to pay to avoid it is probably a better practise than charging for it up front. But they do buy them. ACI bought ReD last year for instance http://www.aciworldwide.com/news-and-events/press-releases/a...
You would wish so:). But no. Merchants are on the hook for all costs, including penalties for incoveniencing the cc companies (either a set fee per fraudulent transaction, or high fees if exceeding thresholds of fraud if you are a larger guy).
Clearly, card companies are going to have to adjust their policies for failed transactions. It's not like it costs real money to decline a fraud attempt; stop punishing merchants.
Alternatively, small companies started by developers should stop thinking they can implement the payment and order handling code themselves, and learn that instead they should use a service that does this for them.
Yeah, I agree. I guess their argument is that it's difficult to catch every single fraud attempt, and in this case the behaviour was just not picked up by the processor's inbuilt fraud detection systems. Still, it should be the processor's responsibility.
GoCardless (Direct Debit, EU only at the moment) is one company that doesn't charge a fee for chargebacks. They take on all the risk themselves.
My experience with card company fraud detection systems is that they were bafflingly useless. Maybe they've gotten better recently. But even Stripe seems to let through things that are obvious fraud, stuff that wouldn't pass a basic spam filter.
It's almost like they want to charge you those fees!
Currently we're integrating Sift Science to avoid this otherwise serious and annoying issue. I think it happens to everyone who's directly accepting credit cards online. Does anyone have experience with Sift Science or similar services? (I know MaxMind has one but that, to me, seems inferior to SS's.)
Hi Mark, CEO of Sift Science here. Thanks for giving us a shot. Please don't hesitate to ping me if you need any help or we're not delivering to your expectations. jason at siftscience dot com
We have postcodes now! Or well, eircodes. Which are totally not postcodes, but rather unique house identifiers that happen to look as postcodes. And that noone will use.
While many places have postcodes, most don't have postcode validation for credit card transactions. And it wouldn't really help to combat fraud anyway.
Sometimes they do also have address information, sometimes they don't. As with everything, it will reduce the amount a fraud a bit but not eliminate it.
I wonder would that still be the case if Candy Japan was using something like Stripe or Balanced, what happens in that situation? Would you be still responsible for 15 EUR chargeback fee? What did Recurly do in this case?
With Stripe you are still responsible for the chargeback fee, but they do not charge you for transactions that don't go through. They also have some fraud protection, but it did pass some obvious fraud in our case.
Damn shame to hear about this Bemmu -- would've felt like a massive punch to your guts!
Maybe you should set yourself up some email alerts when things seem 'off'. i.e. no referral, and the user/bot spends no time filling out the form and hitting submit. What's your glue code like?
This fraud would have been easy to detect if there had been any kind of detection system in place. But I had no fraud checking, captcha or 3-D secure, as I hadn't expected there to such a "fraud wave".
Those payments didn't feel like necessarily coming from a bot, as there were time delays and for many purchases they even filled in the questionnaire. It felt more like someone had a pile of numbers they were entering manually.
My form made that easy to do, as I had tried to eliminate any field which wasn't absolutely necessary.
Definitely wouldn't discount that possibility. Unrelated to CC processing, but we used a service that gave us a device ID on signups to detect people signing up multiple times (a tipoff that fraud was likely to come).
We later found fraudsters were using Amazon's Mechanical Turk to get real people to register manually, thus getting around our device detection.
All the docs refer to the legal entity, not the brand, which may be causing some confusion. Happy to chat more about specific use cases over a medium that's better suited to it; mind shooting me an email? pete at smyte dot com
Thanks for the clarifications regarding documents. To be precise, my confusion was due to not finding the Smyte brand mentioned anywhere in there, although I did admittedly only skim-read them.
>Happy to chat more about specific use cases over a medium that's better suited to it; mind shooting me an email?
Well, I could do that; I'm just not sure why you'd invite questions on a public forum and then quickly switch to email :-)
We at Ravelin (https://www.ravelin.com) are building solutions to stop this. Still surprises me how many people think banks/schemes are responsible for CC fraud, when it's actually the merchant that gets punished. And yeah, fraudsters operate like locusts.
But why? Ordering periodic shipments of candy from Japan? Most credit card fraud involves something that can be resold. This service gets you a small envelope of candy. It's not like getting cases of Pocky.
" The stolen cards originate from credit card security breaches, resulting in a big list of card numbers. These are later sold online in packs filtered to working card numbers only, which can be purchased for about $10 per valid card.
To be able to compile and sell these packs, the carders need to know which ones are valid. To do this, they will use an online store or service to place an order for the sole purpose of seeing if the charge goes through or not.
This sucks and can often be a crippling blow for a small business if it's not caught early.
I remember we used to deal with a lot of this at Twilio, except the carders would then also try to cash out the credit card into Twilio credit. The pattern was try to spend $10 on a card, then one minute later try to spend $1000 once the first charge went through.
But it's a lot less costly than toll fraud, which I learned the hard way working on our auth system at https://charge.co.
Bitcoin is not the best thing for recurring payment. But it would be great to pay a year in advance with Bitcoin - and yes that solves chargebacks or fraud issues.
I don't understand the search conversion statistic. If a guy is testing a bunch of cards, wouldn't he just find your site once and try them all sequentially?
If a bunch of people had bought these packs of stolen cards, wouldn't they be spreading out over a bunch of different sites?
The automated scripts that the criminals use will try to simulate a real customer signup and transaction, otherwise it's too trivial to filter them out.
This is also why fraud detection is a big industry, you basically need full time staff to analyze the current types of fraudulent transactions and update your filters as fast as the criminals update their systems.
i simple solution to cut down on this is never allow more than 2 or 3 failed card attempt from a single ip address. You have to link it by ip because they will just make a new account if you do it by account. Carder will move on to another site if running cards is not simple and fast
I commented this on yesterday's jsbin article, and I'll write it again.
Don't implement the payment processing code yourself. (And using Stripe is _still_ implementing it yourself - they supply only one part of the process.)
Writing this code will take time that you are not using to develop and market your product. (cf opportunity cost). Your code will be buggy. Your code will be weak. Your code will not support the various alternative payment options popular in, say, Holland. (Yes, this is a thing, and it is called iDEAL.) Your code will sooner or later be exposed to a campaign of fraudulent transactions.
Use FastSpring, or your alternative of choice. Yes, it costs more, if you don't put value on your weeks of time to create and support an alternative, and if are comfortable having a weak fraud detection, if any.
When your business becomes successful, when the fees to FastSpring start to dwarf the costs of implementing a payment system yourself, then - perhaps - consider re-doing it yourself.
There are indeed weaknesses in using FastSpring, which after seven years are becoming a pain for me. I'll be writing about that soon. But this is not an issue for a one-person endeavor getting started.
I'm an engineer so I can't really give you an ETA in public. You could certainly talk to one of our sales or product people about it.
The thing you need to remember is that you do have options. If you choose a gateway with good fraud tools, or a gateway that integrates with them, we upstream that information to you. Traditionally Recurly has left fraud up to the gateway because they are much better at dealing with it, but we are now seeing the need to offer some more professional fraud tools by default at the Recurly level.
Feel free to email me if you want to have a discussion about it: ben@recurly.com
FYI take a look at SiftScience and ThreatMetrix products. They wont process your transaction, but at least one of them offers a zero chargeback guaruntee, at $0.03 per transaction I believe.
Living in Holland, where everyone does online transactions with iDeal, I find it hard to understand why the rest of the world is using credit card payments at all, for anything. It is massively insecure, it's expensive for the merchant, and theft is ignored (when millions of stored creditcard records are stolen, those cards are not invalidated and replaced?). This is all at the cost of customers and other merchants.
I'll keep trying to avoid using a creditcard as much as possible and use other payment methods when I can, both online and offline.
And yes, when implementing payments on a website, use a service that does all of the complex things for you, and never store sensitive data yourself.
iDEAL is fine for transactions between a Dutch client and a Dutch merchant. Other countries also have similar, local payment solutions which bypass credit card processors (e.g. POLi in Australia and New Zealand)
But it does nothing for a business like Candy Japan which sells to a global audience. The advantage of credit cards is that they are one payment system that works pretty much everywhere, worldwide.
Also, you should realise that, as a customer, you typically don't have the same chargeback rights when using a banking service like iDEAL compared to what you get with a Credit card. This can be a big deal when, for example, a merchant goes bankrupt before delivering your purchase.
That's the reason they recommended to use a payment gateway that implements all those local payment solutions. For example, in Germany you loose a lot of customers if you don't offer direct debit (ELV) as many don't own a credit card (and don't want to).
> you typically don't have the same chargeback rights when using a banking service like iDEAL
This heavily depends on the service. For example, the upcoming German Paydirekt will offer better chargeback service than most German credit cards (where you typically don't enjoy the US-style "anything is reversible" type of protection).
For ELV sure. That's the German implementation of SEPA direct debit (which should work almost everywhere in Europe). You can even charge different amount each time, provided you inform the customer before you attempt to charge. For example, I pay my electricity and phone bills by this system, just like my purchases on Amazon and almost everything else that is provided by German companies (just like most people).
Don't know about iDEAL, but I think that wouldn't work.
The thing: If you don't implement all of this yourself, you don't need to worry about the details. There are services that happily do this for you.
I have a SaaS app that has only US customers at the moment but I would love to be able to offer this type of support and begin acquiring European customers. Do you have any recommendations of services that handle this ELV/SEPA/iDEAL type of integration?
> That's the reason they recommended to use a payment gateway that implements all those local payment solutions. For example, in Germany you loose a lot of customers if you don't offer direct debit (ELV) as many don't own a credit card (and don't want to).
I can't imagine wanting to give out my bank details to allow direct debit of my account to every online retailer I do business with. Weird.
Not too different from giving out your credit card number. I can reverse any direct debit online with two clicks and a second-factor authentication. Disputing a credit card transaction here on the other hand requires filling out a form, signing it on paper, sending it via post, and waiting for the response.
After I make my two clicks for which you have several months time (only needed to do that once) the actual transaction is reversed immediatly. That means even if I notice it three weeks later, the bank pretends the direct debit never happened and is not included in any interest calculation etc.
Well, that was my experience with American Express. I noticed a fraudulent charge, called them up and was done 5 minutes later. Everything was refunded immediately after I hung up. That was the end of it.
OTOH, my Chase experience was not nearly as smooth.
That's the whole point of the thread: If you cater to a global audience you can't assume that what works for you will work for someone on the other side of the planet. Different markets tend to favor different solutions in customer adoption, law, and regulation.
US consumer protection laws treat credit and debit cards differently. They favor credit cards. The gap between the two is up to the goodwill of your bank.
I prefer to rely on law than goodwill. I have never had a problem with getting a refund on a credit card charge I claimed was fraud.
I have no idea why people choose to use a debit card over a credit card here.
The thread might be titled "People tend to use the safest (to them) form of payment available". If your credit card laws protect the consumer a lot (like in the US) then you use credit cards. If you have some in-country debit system with better protection you use that instead.
One reason it's so hard to unseat credit cards in the US is because most of the advantages of the alternatives are on the sellers side. The consumer doesn't seen any benefit from switching to Apple Pay or whatever. Most merchant agreements don't even let stores charge less for using non-credit card type payments (although some stores do anyway).
As a US citizen I use my credit cards constantly. It's an instant 1% discount on everything I buy (thanks to the cash back), and its fast and easy. I pay it off every month to avoid paying interest. There's basically no downside to me.
The story would be different if retailers were allowed to directly pass on the service fees however. I would definitely think twice if every time I used it I got surcharged $0.50.
Others have pointed out the consumer protection on the German system is pretty good. The distinction here is that, in the US context at least, it's somebody else's money that is temporarily inaccessible -- you can still withdraw your cash while a credit dispute is taking place.
Having visited NL, my card was practically useless. Any other country no problem, but Netherlands? So I don't understand you really.
That being said, direct payment gateways are common, but they require cooperation with banks. There's probably hundreds of them and only make sense on local market where you can have on or two implemented to satisfy 80%+ of customers (and others will just use regular card).
That's the whole point, in the Netherlands we use debit cards (known as 'PIN cards' to the locals) instead of credit cards. Usually these are Maestro cards. I don't know the exact number, but as a Dutch resident I guess that >99% of all POS transactions are done using such card, not a credit card.
Cashiers in most common shops probably don't even know how to accept a payment by credit card, so the'll just refuse.
Meastro cards are usually protected by a PIN and require a POS system to be used. This was a problem for e-commerce, so the Dutch banks participated in iDEAL. It's basically a redirect from the merchants website to the bank site of the customer, where they use their own cardreader and debit card to validate the transaction before being redirected back to the site of the merchant.
In many countries (such as where I'm from, Sweden, or where I live now, Japan), debit cards and credit cards are interchangeable, and you can't even tell by looking at the card if it's debit or credit. They're both VISA or MasterCard branded, and what's backing it is only the business of the cardholder, not the merchant.
I remember Maestro cards in Sweden as being for under-18's, and then when you become an adult you get a VISA/MasterCard debit card instead, but I don't know if that's true anymore.
In Canada, a distinction is made because the fees on debit are much lower (comparable to cash handling costs) and the banks have put tremendous marketing efforts in pushing for debit cards and branding them "Interac."
That said, the cards themselves use exactly the same technology, look the same and debit cards are usually Maestro/Cirrus or Visa/Plus compatible so we can do debit transactions in europe.
The online version of debit however has yet to catch on.
Canadian here, and I find that most of my peers (30s) use their credit cards for almost everything and their debit cards collect dust. The reasons are several:
1) CCs offer rewards (travel, cash back), usually in the range of 2% of purchases
2) CCs offer insurance and extended warranties on some purchases.
3) CCs help you build a good credit rating, which is important for someone who intends to apply for a mortgage at some point.
4) CC offer superior protection to debit cards. Yes, CC fraud may be easy, but as the card holder you will almost never be on the hook.
I've had my CC compromised, the bank detected it immediately and issued me a new one. Never was there any question who would bear the cost of the 5-figures that the fraudster spent. My brother had his debit card compromised once and the story was completely different. The bank wanted him to prove that the fraudulent transactions were not his and he had to go to great lengths to do so.
I do to for similar reasons. But I will use debit if the merchant extends me a discount, one of the gas station here for example gives me 2 cents off per liter which works out as more than the rewards.
However, I never do cash cause I never have cash on me. It's Credit for reward and then debit.
That said, I know a lot of people who don't do the rewards maximizing. Programmer/engineer crowd tends to self-select for people who are logical and number inclined.
On the other side of the fence, also Canadian, my debit card has been compromised many times. Bank always shuts it down immediately and lets me know, then returns the money. I have never been asked to prove anything. Usually they ask me to double check and see if any other charges than the ones they caught were fraudulent.
This has been as simple as someone using a copy of my card to buy candy and video games, something I could have done but didn't in this case.
Really impressed with the services of my banks when it's come to debit fraud.
Yeah, I have a debit card that works as a Visa card if you choose to use it that way. I never use it though because if someone steals the number it is way harder to deal with fraud on a Debit card than on a Credit card. The consumer protection laws on Debit cards are much weaker than the ones for Credit cards.
We probably have old misbehaving banks to thank for our relatively consumer friendly credit card laws. In countries where the banks weren't quite so abusive the laws could be much weaker and give Debit cards an advantage.
Same is true for Belgium, though the Belgian infrastructure is a little more up to date (most terminals can accept credit cards, if the shop has payed for the quite expensive creditcard processing service with the company issuing the terminals): debit cards are the norm, credit cards are much less common.
iDEAL covers nearly all the dutch banks (10 of them) so no 'per bank' payment systems. Creditcards are not accepted by brick and mortar stores except for some very tourist heavy areas, most people do not have a creditcard here.
That's because merchants pay 3% or more for a creditcard payment, and something like 0.8% for a local bank card payment (with the online equivalent iDeal). On top of that, there is much more risk accepting the creditcard with chargebacks, while the banks guarantee normal/iDeal payments. So most merchants here really dislike creditcard payments, it "costs them" much more.
Of course I understand that this is not a solution for accepting payments internationally. What I say is that the whole creditcard payment system, as it currently works, should be replaced by something saner, something that looks more like iDeal.
The EU is introducing a cap on credit card interchange fees of 0.3%, and 0.2% for debit cards. This is expected to lead to much lower fees for merchants that accept credit cards (and ultimately, consumers).
What's with the EU and bringing in new financial regulations for Merchants around Christmas time??
Last year it was VATMOSS on 1 January (when lots of people are on leave and lots of purchases are made due to stores running sales, especially online).
You can ask your payment processor and they will say their prices will stay the same.
Check this response from paypal: PayPal told us that the “European Union’s regulation of Multilateral Interchange Fees (MIF) does not apply to PayPal as we are not an inter-bank card scheme and the fees PayPal charges businesses are not interchange fees”.
http://tamebay.com/2015/03/new-eu-caps-on-credit-and-debit-c...
Given that a huge number of transactions will be near 1-2 euros, the average cost in terms of percent could really be 0.8%. Not that I've seen the numbers mind you.
Netherlands was also one of the few countries in the world that didn't take union pay (China's atm network), so my debit card was useless. If I didn't have my credit card I would have been totally screwed.
Try Japan. Credit cards won't be accepted half the places you go and only a small percentage of ATMs will allow you to withdraw money from a foreign account at all.
Credit should be accepted in stores where you're expected to spend over 10,000JPY/$100, but anywhere small is cash-only. In Tokyo you might be able to NFC pay from your transit card balance, and the taxis take cards.
As for ATMs, go find a 7/11 or a Post Office and those will work.
> Living in Holland, where everyone does online transactions with iDeal, I find it hard to understand why the rest of the world is using credit card payments at all, for anything.
We do have both ideal type payments and credit card payments in Finland (I assume ideal is a direct bank payment to merchants account?)
I still personally always use credit card if possible as it gives the customer extra layer of security. For example in cases where you purchase something quite expensive let's say a holiday package if the company does not deliver the holiday, goes bankrupt etc you will get the money back with CC but NOT if you have paid directly via web bank payment form.
Same thing with online fraud, if you pay to fraudulent website it's going to be extremely hard to get your money back if you have paid it directly to scammers bank account.
There are many reasons to use credit cards, and some of what you said is just not accurate:
- The vast majority (probably 95%+) of cards have rewards built in. Everything from miles to redeem on travel and accommodations to the most common being cash back credited against your account. These can range anywhere from 1% to 5% outside of special promotions where you typically get even more.
- They offer increased consumer protection in the form of warranties on items you buy in addition to the manufacturer's warranty.
- They offer increased consumer protection in the handling of charge backs, fraud prevention and being able to easily dispute charges (typically online).
- Of course if a card is stolen the number is invalidated and the physical card replaced - I don't know where you got the idea that this doesn't happen.
- None of this is at direct cost to the customer - assuming you pay off your statement balance prior to the due date, you are not charged interest and unless you have a card with an annual fee (most do not and if you have even decent credit it's trivial to upgrade to a card without one) all these features are free.
Those benefits don't come without a cost though, and not just from cardholders who do carry a balance and pay interest. The merchant fees, chargebacks and other costs get tacked on to their COG.
Then who do you think is paying for those rewards/cashbacks? Who is paying for the extra warranty? Who is paying for the costs of the chargebacks and the replacement of cards that get stolen by the millions?
The answer could be you, creditcard users who dont pay off in time, or people who use other payment methods. It certainly isn't the banks or the merchant who's paying all this.
Just for the record, as a Dutch person, Holland refers to the two provinces North and South Holland and there is more to the country than just that. The Netherlands would be more accurate.
Don't feel too bad. My sister's husband is Dutch and even he refers to The Netherlands as Holland now and then (as does his family and other Dutch people I have seen). It's not the end of the world.
Fraudulent chargebacks is bad, both economical and psychological. As an online seller it is part of life, but you want to keep it to a minimum, say < 1% of all transactions. I wholeheartedly support the sentiment of the OP, do not use Stripe nor do this in-house. Instead, use a payment provider with a proven fraud protection system, such as PayPal.
I had something similar happen with one of my services. I have an "Update your Payment Details" page for paid subscribers that lets them enter new card details when their old card expires or they just want to switch the card they're using with us. It normally gets used a few times a month, and anywhere from zero to one time over the lifetime of a customer.
But then the bad guys found it. And individual users started updating their card details dozens of times each day.
This went on for several days before I noticed it in the logs. It was easy enough to fix: users now get one update per year, unless they email me and ask what's wrong with that card update page. The bad guys moved on to greener pastures and life went back to normal.
Last time I talked with a credit card company, they wouldn't even let me file a chargeback until 30 days after the transaction. How would this stop chargebacks?
A preauth on a card reserves the credit without actually completing the transaction. The credit is still there but not available for use.
You can complete the transaction by sending a 'completion' request, at which point the credit is gone.
The preauth also has an expiry. If the preauth expires, the funds are released with no transaction taking place.
So when a user signs up, take a preauth. If you have any reporting on your sales, like this guy, you can check for any anomalies before fulfilling orders. Anything that looks odd, don't complete the order.
Braintree offers "advanced fraud protection" if you pass device information along with the transaction request [1]. Has anyone tried using this, and if so, is it effective at stopping this problem?
207 comments
[ 3.4 ms ] story [ 244 ms ] thread> Regarding his fraud issue, I found that my website was being used in the same way when I added a credit card payment form. I implemented a system that first does an "Auth". If that passes, then I pass details to MaxMind and get back a response with a "riskScore". If the score is too high, I void the auth and decline the transaction. This has saved me a lot of chargeback fees, though it's still not perfect. I prefer PayPal because a "not authorized" just reverses the transaction; there is no chargeback fee.
- Osiris (HN user)
IMO, there's more worth reading in that subthread. It's an interesting topic, at least to me. I feel sympathy for any merchant that has to go through this kind of pain.
I actually ran into an issue a little while ago in that I allowed my MaxMind account to run out of queries. Not realizing this, I saw a few days of higher than normal sales but just assumed it was a good day. When the first chargeback came through, I immediately noticed the problem, bought more credits, then began to go through each transaction one and a time and noticed a pattern in the email addresses (all two words followed by 3 numbers @hotmail.com) and individually refunded each and every one of them.
I still got chargebacks but I was able to dispute them by showing that the transaction had already been refunded.
My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.
On a side note, I found that nearly all of my fraudulent purchases came from Vietnam to the point that at one time I put in an IPTABLES rule to block the entire country.
Still many orders originating from Mexico seemed like they might be genuine, as the customers had filled in the questionnaire with their favorite animes etc. valid looking answers, so I didn't want to block the entire country.
My theory is that there really was some kind of media mention there, which resulted in some real orders but also some fraudster happened to hear about the service that way as well. it seemed possible that I had been mentioned in some local
Edit: more importantly I never even thought Inwoukd need to implement fraud detection - is there a primer on "things you never thought of when selling on line - from VATMOSS to Vampires"?
So if you sell something small, you'll be used to validate newly bought cards before they go off and buy $1000 of something else.
I can never work this out; it seems that scammers from different countries (or using hacked servers / proxies?) are attracted to different sites or types of ecommerce sites.
For example:
- One of my sites has huge fraud from Ukraine and Russia
- Another from Indonesia
- Another's problem country is Pakistan
I typically use https://siftscience.com to identify fraud, plus country-level blocks where it makes sense.
Damned shame that all the legitimate users from a given country get blocked thanks to the fraudsters!
I have to use it with most online shops here in Switzerland.
https://news.ycombinator.com/item?id=10235328
That redirect will kill conversion rates too, being redirected to a site you didn't expect claiming to be your bank but not matching its URL... of course it will freak some people out. Consider that some banks make the Verified By Visa password the customer's birthday (ie something easily researched) and you quickly realize it's a horrible system.
It works as follows:
- Merchant redirects me to his payment provider
- I enter my debit/credit card number into the payment provider screen
- I am redirected to my bank website, and am able to verify the URL (no iframes anymore!)
- My bank has two methods of verification: scanning a QR-code with the mobile banking app on my phone, or logging into the online banking website (with a Vasco DIGIPASS 836, which requires a debit card+pin to generate a OTP)
- I verify the amount and creditor in the mobile/online banking app, and sign the transaction with my mobile pin/digipass.
- I am redirected back to the merchant.
All in all, I think it costs me 30 seconds to complete the extra 3D-Secure steps when using my mobile banking app.
Using customers birthdate is indeed a very poor authentication mechanism, but even that is going to defeat the majority of fraudsters who are simply trying to bulk-authenticate a list of CC numbers. Personally, I don't give my real birthdate to any website unless they have a very good reason for knowing it.
My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.
But since the actual authentication mechanism is left up to the card issuer, there's nothing to prevent them using more advanced systems - like 2-factor authentication, hardware tokens, etc.
How can the bank know what any of the letters in your password are unless they are storing it insecurely?
It's not a good solution anyway. A phishing page could easily claim the entered password was wrong and ask for another one (starting at another offset). Most passwords are probably <= 9 characters, so you'd have the full password after 3 attempts.
Fishing attacks are difficult because the attacker would have to be able to determine which bank a card was issued by, and present the correct 3D secure interface specific to that issuer. Many issuers also add a customer-personalised image or message to the interface to further reassure customers of authenticity.
The only alternative I can think of is that they'd also create and store a hash of every possible three-letter combination based on your password which does not seem likely.
Our bank refunded it alright, though it took about a month, but the next week I received an SMS with a 3D Secure confirmation number for a similar payment, in HKD, with my own card (by the way, the only place we used both cards for payments was Taobao). I was able to call my bank which blocked the card and quickly issued me a new one. At least in this case it both saved us, our bank and some unknown online shop, time and money.
Also, I think the smart way to do 3D Secure is what capitainetrain.com does, they use it only for the first payment of a customer (and explain what's going to happen during the payment process) and all subsequent purchases don't go through it (since the customer has already been verified as being legitimate). It only works when you expect customers to come back regularly, though.
Everyone uses it now in the UK and you always get redirected to the exact same page. I expect it, it doesn't put me off buying.
So it's a bad objection to the system, because once everyone's using it, it becomes the norm. Yes, there will be a dip in conversions to begin with as consumers are scared by the new page, but it will recover. Some people's implementation sucks, but that's a different matter.
It's a complete flip of a coin whether the dodgy collection of forwards and cookies and iframes will go wrong somewhere, and such failures are always handled in the most user-hostile ways. I can completely understand why Amazon and so many other retailers just don't bother with it.
https://econsultancy.com/blog/3887-verified-by-visa-a-conver...
Visa's own documents now recommend only using Verified By Visa on transactions that look suspicious after running risk analysis, and cite that using it on all transactions was resulting in a 3 - 5% Abandonment rate in the UK.
"Higher conversion rates – following the implementation, abandonment dropped from over 4% to under 1%"
http://www.visaeurope.com/media/images/44933_visa_vbv_case_s...
Given how few sites actually implement it, it becomes a pain to use if you have to dig out the password or set it up on first use.
Good luck
The banks and companies like Visa/MasterCard in Turkey use something called 3D Secure [1], in which you are directed to your bank's 3D secure page and enter a code that is sent to you via SMS and your CVC number so they have 2-factor auth. Most of the merchants I used in Turkey supported 3D Secure but I don't know the situation with other countries.
Banks in Turkey still support the processing system that is currently used worldwide however some banks have an option where you can cancel all non-3D-Secure online transactions.
Also the chip-and-PIN standard was conceived in 1990s AFAIK so the smart-chip cards are not new at all, they are just not adopted in some countries like US.
[1]: https://en.wikipedia.org/wiki/3-D_Secure
You may be interested in the system I use with my bank in the Netherlands.
The old system worked like this: The bank gave me a device they called a "Random Reader". To make a payment, I had to insert my card into the device, enter my pin, enter a (random?) number that the payment site gave me, and enter the amount. It then gave me a number back that I had to give the website, which authenticated me.
These days I use a "Rabo Scanner", which works the same except instead of entering a code and the amount it has a camera on there that scans a kind of barcode on the screen that contains that information.
So it does use the smart-chip, and the (8-digit) pin changes every time you make a payment. You do have to take the device with you, but it isn't very big.
It's not my idea of fun to try look at these transactions manually, so until I get a motivation boost to go through with the integration it'll probably be PayPal-only.
I really like https://siftscience.com.
The important thing is to not over-think things; it's rarely that case that you truly, honestly, really need real-time automated fraud detection.
Start with implementing the absolute bare minimum. You'll then receive emails from e.g. Sift when a bad user is identified, and you can manually refund the transaction, cancel the order, and block the user.
So I cancelled VeriSign and the merchant account, and use paypal and Amazon Payments instead.
I did make the rounds of a few banks, all were eager to set me up with a new merchant account. All gave me blank stares when I asked if they had any means of preventing carding attacks or other frauds.
[1] A carding attack is when there's an attempt to buy something for $0.00, just to see if it is rejected or not. I was getting one every minute or so. I got charged for every one of those, and so soon had racked up a grand in charges.
I wonder if there might be an opportunity there? Or if the solutions have to be so custom that it'd be impossible to work out.
Mastercard and Amex have equivalent services, and these are all widely implemented by websites and card issuers in Europe and other countries.
I suppose they are not so widely deployed in the USA or Japan, but at the very least, you'd protect yourself against fraud involving cards issued in countries that do use it.
http://www.visaeurope.com/making-payments/verified-by-visa/
My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers.
That's terrifying, really. They shouldn't have any way of getting that data out of the hashed password.
A PIN can be required for "cardholder present" transactions in most of the world. Some combination of card issuer, transaction processor and merchant decide at what value transactions may proceed without a PIN — e.g. a train company's actual loss from a fraudulent ride is very small, so they might not want the delay of asking for a PIN on a ticket machine. Similarly for McDonalds. But if you're buying a TV, you will need to use a PIN.
It's almost 100% of transactions in much of Europe, over 80% in Africa and South America, lower in the old Soviet Union and Asia: https://www.emvco.com/about_emvco.aspx?id=202
Unless the customer is using contactless payment card?
Newer payment terminals can support device-based customer verification for contactless transactions, called CDCVM. The transaction limit doesn't apply if CDCVM is used. This is the mechanism used by Apple Pay, where you verify your identity using your fingerprint via Touch ID.
Could you start shipping biscuits or chocolate candy again, I am a bit disappointed with the stuff you currently include in your packages :-(
GoCardless (Direct Debit, EU only at the moment) is one company that doesn't charge a fee for chargebacks. They take on all the risk themselves.
It's almost like they want to charge you those fees!
http://www.eircode.ie/
Maybe you should set yourself up some email alerts when things seem 'off'. i.e. no referral, and the user/bot spends no time filling out the form and hitting submit. What's your glue code like?
I'm rootin' for ya. :-)
This fraud would have been easy to detect if there had been any kind of detection system in place. But I had no fraud checking, captcha or 3-D secure, as I hadn't expected there to such a "fraud wave".
Those payments didn't feel like necessarily coming from a bot, as there were time delays and for many purchases they even filled in the questionnaire. It felt more like someone had a pile of numbers they were entering manually.
My form made that easy to do, as I had tried to eliminate any field which wasn't absolutely necessary.
Definitely wouldn't discount that possibility. Unrelated to CC processing, but we used a service that gave us a device ID on signups to detect people signing up multiple times (a tipoff that fraud was likely to come).
We later found fraudsters were using Amazon's Mechanical Turk to get real people to register manually, thus getting around our device detection.
Also happy to answer any questions about general mitigation techniques.
Edit: Interestingly enough, www.smyte.com is fine, but smyte.com yields the 500 error.
What's the difference between you and Sift, and what advantages do you offer over them?
Edit: your T&Cs and privacy policy pages referring to a different site entirely don't exactly fill me with confidence :-/
>Happy to chat more about specific use cases over a medium that's better suited to it; mind shooting me an email?
Well, I could do that; I'm just not sure why you'd invite questions on a public forum and then quickly switch to email :-)
To be able to compile and sell these packs, the carders need to know which ones are valid. To do this, they will use an online store or service to place an order for the sole purpose of seeing if the charge goes through or not.
I remember we used to deal with a lot of this at Twilio, except the carders would then also try to cash out the credit card into Twilio credit. The pattern was try to spend $10 on a card, then one minute later try to spend $1000 once the first charge went through.
But it's a lot less costly than toll fraud, which I learned the hard way working on our auth system at https://charge.co.
If a bunch of people had bought these packs of stolen cards, wouldn't they be spreading out over a bunch of different sites?
This is also why fraud detection is a big industry, you basically need full time staff to analyze the current types of fraudulent transactions and update your filters as fast as the criminals update their systems.
Don't implement the payment processing code yourself. (And using Stripe is _still_ implementing it yourself - they supply only one part of the process.)
Writing this code will take time that you are not using to develop and market your product. (cf opportunity cost). Your code will be buggy. Your code will be weak. Your code will not support the various alternative payment options popular in, say, Holland. (Yes, this is a thing, and it is called iDEAL.) Your code will sooner or later be exposed to a campaign of fraudulent transactions.
Use FastSpring, or your alternative of choice. Yes, it costs more, if you don't put value on your weeks of time to create and support an alternative, and if are comfortable having a weak fraud detection, if any.
When your business becomes successful, when the fees to FastSpring start to dwarf the costs of implementing a payment system yourself, then - perhaps - consider re-doing it yourself.
There are indeed weaknesses in using FastSpring, which after seven years are becoming a pain for me. I'll be writing about that soon. But this is not an issue for a one-person endeavor getting started.
I was thinking of using recurly and this has put me off somewhat.
The thing you need to remember is that you do have options. If you choose a gateway with good fraud tools, or a gateway that integrates with them, we upstream that information to you. Traditionally Recurly has left fraud up to the gateway because they are much better at dealing with it, but we are now seeing the need to offer some more professional fraud tools by default at the Recurly level.
Feel free to email me if you want to have a discussion about it: ben@recurly.com
I'll keep trying to avoid using a creditcard as much as possible and use other payment methods when I can, both online and offline.
And yes, when implementing payments on a website, use a service that does all of the complex things for you, and never store sensitive data yourself.
But it does nothing for a business like Candy Japan which sells to a global audience. The advantage of credit cards is that they are one payment system that works pretty much everywhere, worldwide.
Also, you should realise that, as a customer, you typically don't have the same chargeback rights when using a banking service like iDEAL compared to what you get with a Credit card. This can be a big deal when, for example, a merchant goes bankrupt before delivering your purchase.
That's the reason they recommended to use a payment gateway that implements all those local payment solutions. For example, in Germany you loose a lot of customers if you don't offer direct debit (ELV) as many don't own a credit card (and don't want to).
> you typically don't have the same chargeback rights when using a banking service like iDEAL
This heavily depends on the service. For example, the upcoming German Paydirekt will offer better chargeback service than most German credit cards (where you typically don't enjoy the US-style "anything is reversible" type of protection).
Don't know about iDEAL, but I think that wouldn't work.
The thing: If you don't implement all of this yourself, you don't need to worry about the details. There are services that happily do this for you.
I can't imagine wanting to give out my bank details to allow direct debit of my account to every online retailer I do business with. Weird.
OTOH, my Chase experience was not nearly as smooth.
US consumer protection laws treat credit and debit cards differently. They favor credit cards. The gap between the two is up to the goodwill of your bank.
I prefer to rely on law than goodwill. I have never had a problem with getting a refund on a credit card charge I claimed was fraud.
I have no idea why people choose to use a debit card over a credit card here.
One reason it's so hard to unseat credit cards in the US is because most of the advantages of the alternatives are on the sellers side. The consumer doesn't seen any benefit from switching to Apple Pay or whatever. Most merchant agreements don't even let stores charge less for using non-credit card type payments (although some stores do anyway).
As a US citizen I use my credit cards constantly. It's an instant 1% discount on everything I buy (thanks to the cash back), and its fast and easy. I pay it off every month to avoid paying interest. There's basically no downside to me.
The story would be different if retailers were allowed to directly pass on the service fees however. I would definitely think twice if every time I used it I got surcharged $0.50.
That being said, direct payment gateways are common, but they require cooperation with banks. There's probably hundreds of them and only make sense on local market where you can have on or two implemented to satisfy 80%+ of customers (and others will just use regular card).
Cashiers in most common shops probably don't even know how to accept a payment by credit card, so the'll just refuse.
Meastro cards are usually protected by a PIN and require a POS system to be used. This was a problem for e-commerce, so the Dutch banks participated in iDEAL. It's basically a redirect from the merchants website to the bank site of the customer, where they use their own cardreader and debit card to validate the transaction before being redirected back to the site of the merchant.
I remember Maestro cards in Sweden as being for under-18's, and then when you become an adult you get a VISA/MasterCard debit card instead, but I don't know if that's true anymore.
That said, the cards themselves use exactly the same technology, look the same and debit cards are usually Maestro/Cirrus or Visa/Plus compatible so we can do debit transactions in europe.
The online version of debit however has yet to catch on.
1) CCs offer rewards (travel, cash back), usually in the range of 2% of purchases
2) CCs offer insurance and extended warranties on some purchases.
3) CCs help you build a good credit rating, which is important for someone who intends to apply for a mortgage at some point.
4) CC offer superior protection to debit cards. Yes, CC fraud may be easy, but as the card holder you will almost never be on the hook.
I've had my CC compromised, the bank detected it immediately and issued me a new one. Never was there any question who would bear the cost of the 5-figures that the fraudster spent. My brother had his debit card compromised once and the story was completely different. The bank wanted him to prove that the fraudulent transactions were not his and he had to go to great lengths to do so.
My personal preferred order of payment is:
CC
Cash
Debit (last resort)
However, I never do cash cause I never have cash on me. It's Credit for reward and then debit.
That said, I know a lot of people who don't do the rewards maximizing. Programmer/engineer crowd tends to self-select for people who are logical and number inclined.
This has been as simple as someone using a copy of my card to buy candy and video games, something I could have done but didn't in this case.
Really impressed with the services of my banks when it's come to debit fraud.
We probably have old misbehaving banks to thank for our relatively consumer friendly credit card laws. In countries where the banks weren't quite so abusive the laws could be much weaker and give Debit cards an advantage.
That's because merchants pay 3% or more for a creditcard payment, and something like 0.8% for a local bank card payment (with the online equivalent iDeal). On top of that, there is much more risk accepting the creditcard with chargebacks, while the banks guarantee normal/iDeal payments. So most merchants here really dislike creditcard payments, it "costs them" much more.
Of course I understand that this is not a solution for accepting payments internationally. What I say is that the whole creditcard payment system, as it currently works, should be replaced by something saner, something that looks more like iDeal.
The new regulations apply from 09 December 2015:
https://www.gov.uk/government/news/credit-and-debit-card-fee...
Last year it was VATMOSS on 1 January (when lots of people are on leave and lots of purchases are made due to stores running sales, especially online).
ONS retail sales per week in the UK are £9B in December vs. £7B in April or June (last 12 months figures, http://www.ons.gov.uk/ons/rel/rsi/retail-sales/index.html).
Check this response from paypal: PayPal told us that the “European Union’s regulation of Multilateral Interchange Fees (MIF) does not apply to PayPal as we are not an inter-bank card scheme and the fees PayPal charges businesses are not interchange fees”. http://tamebay.com/2015/03/new-eu-caps-on-credit-and-debit-c...
[1] https://www.abnamro.nl/nl/zakelijk/betalen/tarieven/sepa-bet...
As for ATMs, go find a 7/11 or a Post Office and those will work.
We do have both ideal type payments and credit card payments in Finland (I assume ideal is a direct bank payment to merchants account?)
I still personally always use credit card if possible as it gives the customer extra layer of security. For example in cases where you purchase something quite expensive let's say a holiday package if the company does not deliver the holiday, goes bankrupt etc you will get the money back with CC but NOT if you have paid directly via web bank payment form.
Same thing with online fraud, if you pay to fraudulent website it's going to be extremely hard to get your money back if you have paid it directly to scammers bank account.
- The vast majority (probably 95%+) of cards have rewards built in. Everything from miles to redeem on travel and accommodations to the most common being cash back credited against your account. These can range anywhere from 1% to 5% outside of special promotions where you typically get even more.
- They offer increased consumer protection in the form of warranties on items you buy in addition to the manufacturer's warranty.
- They offer increased consumer protection in the handling of charge backs, fraud prevention and being able to easily dispute charges (typically online).
- Of course if a card is stolen the number is invalidated and the physical card replaced - I don't know where you got the idea that this doesn't happen.
- None of this is at direct cost to the customer - assuming you pay off your statement balance prior to the due date, you are not charged interest and unless you have a card with an annual fee (most do not and if you have even decent credit it's trivial to upgrade to a card without one) all these features are free.
Then who do you think is paying for those rewards/cashbacks? Who is paying for the extra warranty? Who is paying for the costs of the chargebacks and the replacement of cards that get stolen by the millions?
The answer could be you, creditcard users who dont pay off in time, or people who use other payment methods. It certainly isn't the banks or the merchant who's paying all this.
Why would using FastSpring be safer than using Stripe?
Fraudulent chargebacks is bad, both economical and psychological. As an online seller it is part of life, but you want to keep it to a minimum, say < 1% of all transactions. I wholeheartedly support the sentiment of the OP, do not use Stripe nor do this in-house. Instead, use a payment provider with a proven fraud protection system, such as PayPal.
Even if you don't use us, we published some articles to help merchants new to dealing with fraud: * https://siftscience.com/sift-edu/fraud-basics * https://siftscience.com/sift-edu/prevent-fraud
But then the bad guys found it. And individual users started updating their card details dozens of times each day.
This went on for several days before I noticed it in the logs. It was easy enough to fix: users now get one update per year, unless they email me and ask what's wrong with that card update page. The bad guys moved on to greener pastures and life went back to normal.
At least then you don't get hit with chargebacks.
You can complete the transaction by sending a 'completion' request, at which point the credit is gone.
The preauth also has an expiry. If the preauth expires, the funds are released with no transaction taking place.
So when a user signs up, take a preauth. If you have any reporting on your sales, like this guy, you can check for any anomalies before fulfilling orders. Anything that looks odd, don't complete the order.
[1] https://articles.braintreepayments.com/guides/fraud-tools/ov...
Are they too expensive per purchase?
1) It's a pull instead of a push. Anybody with your CC details can attempt to charge it. Bitcoin model is much more sane.
2) There's not even a "approve the charge" option.
3) The cartels controlling the credit card systems charge insane amounts of money for transactions, attempted or real.
I really want Bitcoin or some other alternative to succeed.
Transaction fees for a failed credit card payment? Its more than insane.