Ask HN: How does Basecamp accept CCs without billing address?

7 points by YonghoShin ↗ HN
Example: https://signup.37signals.com/basecamp/Premium/signup/new?source=basecamphq.com

I thought the customer ALWAYS had to give a billing address on top of their Credit Card to prevent fraud charges.

How does Basecamp charge with no address?

9 comments

[ 10.5 ms ] story [ 48.8 ms ] thread
It's not necessary. In fact, at some point I hope to write up a larger piece on it.

The only two NECESSARY pieces of data are the CC number and the expiration date. ZIP code drops some of the risk, and, accordingly, drops a fraction off the percent you're charged by the processor.

On the web app we're about to launch, we only have the number and the expiration date. I'm hoping to get my act together to do some A/B tests, but we're going into it assuming that we'll do better with fewer fields to fill out.

I could be wrong, but I don't think the expiration date is necessary either. You have to send one to your gateway, but I don't think it's actually used for anything. You can keep charging cards that expired and have been reissued with the same number; I suspect if you send a valid card number with any future expiration date, it's going to work too.
Yep, if I recall correctly, expiration dates are just there to get people to get new cards for accounts because the magnetic strip on the plastic fades after a number of years.
AVS (Address Verification Service) only looks for matching street and zip in the first place. Since you're allowed to send only a street or zip, I assume that just verifying the zip as they're doing avoids paying a higher transaction fee for not doing AVS at all.

Collecting a billing address or not doesn't do much to stem fraud when you're not shipping anything physical. Unless you're going to have your customers sign and mail/fax written authorization, you're going to have a hard time disputing chargebacks regardless.

No card security code either? That's bound to nip you in the posterior at some point (happened to me, though with tangible goods).
It would be interesting to see some data on fraud rates in different industries.

It is easier to see the thief's risk/reward proposition when ordering a large screen TV with a stolen card than then signing up for a $50\month service. There as soon as you are discovered you loose access to the data that was the whole point anyway.

It's definitely not required, but it gives you a much better case if someone files a unauthorized chargeback. If you used AVS (Address Verification System) or the CVV number, you can in a sense prove that the person who made the purchase was the cardholder.

37Signals, and OrangeSlyce (my company) use Braintree which provides a VERY innovate solution called "Transparent Redirect". It allows you to accept credit cards directly on your site, with your domain, but the form posts directly to Braintree, and transparently redirects back to your site so the customer never leaves your domain. It's very cool stuff and I don't know of any other merchants that offer this.

Most importantly, the CC data never even enters your environment.