Ask HN: dealing with credit card fraud while selling physical products online?

16 points by sdrinf ↗ HN
Dear HN,

A contract of mine is close to launch, doing e-commerce, (partially) selling physical goods. Since I will also be supporting the codebase during the first couple of months, I'm seriously investigating the possibility of fraud, and dealing with it. We're using PayPal website payments pro.

Two humble questions for a safer Internet:

-What crash-curse would you recommend in proactively going against this problem? Articles, papers, or anything, really, that is not a commercial offering would be nice.

-In the case of fraud, how long does it take for PayPal to detect, and cancel a given fund from our account? That is, after what time shall we safely assume, that the money will be actually ours? (shipping will be immediate -but this will affect inventory management)

Specifically not asking for: paypal bashing, alternative credit card processors, adding obstacle courses to our customers.

Specifically looking for: stories with data, statistical breakdown for merchandise-driven industry's general fraud rate, and articles to read :)

10 comments

[ 0.61 ms ] story [ 36.8 ms ] thread
If you're selling physical goods make sure that the intended recipient and the shipping information they give you are one and the same entity.

This makes it harder to ship presents and stuff like that but when shipping goods the majority of the fraud is done by redirecting the goods to a 'drop' and then making off with the loot.

Make sure you use a delivery method that asks for a signature of the recipient, make 100% sure that they will honor your request to ID the recipient and to make sure that the names match.

Don't leave more balance in your paypal account than you need.

You can't really say how long it will take paypal to detect fraud, that's more up to you than up to them, if there is no fraud to detect you'll be fine, if people start using stolen paypal accounts and/or cards to order your stuff the ban hammer would come down without any warning whatsoever.

There is no hard knowledge out there what it takes for paypal to block your account but typical merchant account checks include < 1% of total charges, anything over that and you're suspect / liable to be axed.

I hope that helps.

Oh, and it's 'courses', not 'curses' (that goes for 'crash curse' too ;))

We're planning to use the shipping address returned from Paypal as-is (and not querying from our side), mostly for stripping the funnel to it's bare minimum -is that kosher?

Definitely signed-for. Other than Nigeria (which I'm quite keen on blacklisting, as a whole), any particular countries which we should be careful about?

> We're planning to use the shipping address returned from Paypal as-is (and not querying from our side), mostly for stripping the funnel to it's bare minimum -is that kosher?

Yes, it's kosher, but there are a number of checks you can't do like that (such as doing geo verification of the IP, email verification).

Those go a long way in screening out fraudulent charges.

Presumably paypal has already done a bunch of that, but if the shipping address paypal gives you does not match the geolocation of the IP and residential information of the account holder (not always the same as the shipping address!) within reason that would be a great reason not to ship.

> any particular countries which we should be careful about?

Yes, but that's going to make me a lot of enemies here ;)

Until you have the fraud angle worked out and have ways to monitor and predict risky transactions I would stick to the US initially, the roll out in Europe, one country at a time, after that Japan, and I'd leave it like that for a long time to come.

This is not because I do not like people from other countries (rather the opposite), but because combating fraud is a percentage game and one fraudulent transaction can eat up the profits of 10 or more good ones if you're in to physical goods (depending on your margin of course), as well as cause you to be banned, which is a risk not worth taking.

Kosher, but make sure you're extremely clear that you intend to do that before charging the card.

I, for instance, live 4,800 miles from the billing address that PayPal and my credit cards have on file for me. If you don't plan to ship things to where I'm actually at, I'd prefer to know about it before wasting my time on your site.

I'm somewhat out-of-date, but Russia, Romania, and Bulgaria used to be problematic (and might still be, for all I know).

There was a scam whereby some of the more enterprising crooks would buy goods using stolen CC credentials and have them shipped to a Bulgarian address ... but put "Germany" at the bottom instead of "Bulgaria"; the Bundespost being highly efficient would then spot the mistake and forward the package! So you might want to do city/country consistency checks.

Again, look out for PO boxes.

This is going back years, and probably doesn't affect you if you're only using Paypal verified addresses, but when handling credit cards one useful thing to do was velocity checking: if two consecutive purchases come in, check the physical addresses associated with each transaction and block the transactions if the card would have had to go supersonic to get between them. You might be able to do something similar if you can dereference IP blocks geographically (e.g. purchase #1 on card foo comes in from a net in France and purchase #2 on card foo comes in from a network in Paraguay five minutes later). You can do this lazily (i.e. only trigger the check when you've got the second request).

I have dealt with fraud prevention for non-physical goods both with PayPal and a merchant account. It's a small start-up, annual web orders of $1m, average purchase price of $16.50.

We were hit pretty hard with fraud (when we first started, Aug/Sept 09) but we now have it down around 0.5%.

I know you don't want a commercial offering but we had great success with maxmind (http://www.maxmind.com/app/ccfd_features) it costs about $0.015 per order.

Here is how we did it... We tested every order through maxmind and using the fraud score we divided them in to three groups, low, medium and high risk.

* Low risk orders were fulfilled as normal. * Medium risk orders had to do an automated telephone verification (we used twillo for the calls, we mapped distances from area code to billing address and rejected voip numbers). * High risk orders required one of our support staff to call and confirm the order.

Recommended reading: http://www.detectmalice.com/

However, I don't think stolen cards will be your main issue. Unless you have tracking numbers for all your shipped orders people are going to open claims with PayPal. PayPal always favor buyer and you will find people abusing the system. Be prepared for a lot of "Not as Described" claims because the item didn't match the users expectations. This isn't a one off, this happens often.

Maxmind's offering was already within our radar, but your datapoint pretty much nailed that investment.

Re: "Not as Described" -Given that our shipping solution offers package tracking with numbers, and signed-for options, AND the user will be clearly presented with an image, and a video of the goods; AND after first abuse, I will explain these things to paypal's customer rep, will their abuse still be considered legit?

Also, what if the item in question is only part of a service, and neither can work without the other? Will that change the claim-percentage at all?

Re: "Not as Described" - You will still get those customers that have buyers remorse or just simply don't want to be charged for the item they received. You will find the customer service reps that make the decision on these cases spend a few minutes on each. Unless you have an awesome case the buyer will win.

The fact that this item is part of a service should hugely reduce fraud.

In all honesty you should be fine. I would start out with some pretty solid rules; only ship to the US, Canada & Western Europe, only ship to paypal verified addresses and IP location should match the billing address (< 150 miles). Once you find your feet I'd start relaxing these rules and plug any holes in the system if they appear.

If a paypal dispute arises, call the customer.

Already some good advice here, so I'll just add a couple we used to use at a place I worked at that sold physical goods (of the kind that prove surprisingly popular to fraudsters).

- I don't think Paypal offers address verification other than under 'verified' accounts but it might be worth asking depending on which service you are using.

- We used to flag deliveries to "Suite XXX", "Apartment XXa" etc for further investigation as in the UK these types of address are usually no more than PO box services. Find out what kind of address the common mailbox services offer and if it's fairly uncommon, do something similar.

- Sounds a bit obvious, but large initial orders can also be a red flag. A first time visitor ordering £1100 worth of stuff is going to warrant more attention than a long-time customer.

- Wherever possible try to indentify frauds yourselves. Payment providers will just transfer the cost to you and law enforcment, in my experience, couldn't care less (we were actually told they have an unofficial policy of non-investigation for < £10,000). Basically, as I'm sure you understand, if you get burned - you've lost it for good.

Step 1 assess the level of fraud for the given type of product your selling. I ran and ecommerce site that sold over 100 Million dollars with of product in its lifetime and had only 1 case of credit card fraud. If you still think its a problem check out verified by visa. I know your using Paypal but you might get some pointers there.