RE: [registrars] Credit Card Update

["Elliot Noss" <enoss@tucows.com>]

AFAIK CVV2 is mandatory internationally as well since May of this year.

Elliot Noss
Tucows inc.
416-538-5494

> -----Original Message-----
> From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org]On
> Behalf Of Paul Goldstone
> Sent: Thursday, September 26, 2002 1:19 PM
> To: Donny Simonton
> Cc: 'Michael D. Palage'; registrars@dnso.org
> Subject: RE: [registrars] Credit Card Update
>
>
> Donny,
>
> That's pretty important information we weren't informed of when signing up
> for CVV2.  Until a better method comes along, I guess unconfirmed
> CVV2 codes
> will have to go into manual processing and telephone confirmation.
>
> AVS is another issue, especially when the majority of credit card
> frauds we
> deal with are with cards issued by US banks, regardless of where the
> registrant is from.  To Rick's point, IP and Email address seem to be the
> best fields to monitor.
>
> As mentioned earlier, the registry should at least consider refunding all
> years but the first year on these fraudulent transactions.  I understand
> that there may be concerns about using that fairly but we've all been
> through extensive background checks and we're all in the family circle of
> trust ;)
>
> How would something like that be put into effect?
>
> ~Paul
>
>
> At 11:53 AM 9/26/2002 -0500, Donny Simonton wrote:
> >One thing you must remember is that not all credit cards will return a
> >Y/N on CVV2.  Sometimes they will return a not supported by the credit
> >card company.  This is where your problem will come in.  For example
> >almost all of the foreign credit card companies return a not supported
> >on CVV2.  But some US credit cards also return a not supported, like
> >PayPal's credit card, which is through First USA/Bank One.  But a First
> >USA/Bank One credit card will return a valid CVV2 number.
> >
> >So you can't ban everybody or anybody who returns a not supported on
> >CVV2.
> >
> >This also goes for AVS, since AVS only works for credit cards issued in
> >the US.  Visa does have something called IAVS, but good luck finding
> >somebody who offers it.
> >
> >So AVS and CVV2 can help you some, but by no means will it stop credit
> >card fraud.
> >
> >Donny
> >
> > > -----Original Message-----
> > > From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org] On
> > > Behalf Of Paul Goldstone
> > > Sent: Thursday, September 26, 2002 11:03 AM
> > > To: Michael D. Palage
> > > Cc: registrars@dnso.org
> > > Subject: Re: [registrars] Credit Card Update
> > >
> > > Michael,
> > >
> > > While reporting stolen card numbers to the CC companies and law
> > > enforcement
> > > agencies would certainly be an honorable thing to do (for the sake of
> >the
> > > actual cardholders), I'm not sure if it would deter the people we're
> >all
> > > dealing with.
> > >
> > > Although the Email address often remains the same, the credit card
> >number
> > > rarely does.  In fact, many fraudulent regs are proceeded by several
> > > attempts with several credit cards (another sign we could probably
> >look
> > > for)
> > >
> > > We're about to implement the 4 digit code from the back of cards, and
> > > based
> > > on other responses on this board so far, it sounds like that'll make a
> > > huge
> > > difference.  Thanks to everyone for their input!
> > >
> > > ~Paul
> > >
> > > At 09:20 AM 9/26/2002 -0400, Michael D. Palage wrote:
> > > >I am glad that we are having a more open dialog with regard to credit
> > > card
> > > >fraud. I think this is another positive sign of the maturity of our
> > > >industry. I am trying to line up a credit card industry expert to
> >speak
> > > with
> > > >us in China. It appears that we may have the funds for a telephone
> >bridge
> > > >there as well :-)
> > > >
> > > >As I mentioned yesterday, I foresaw potential pitfalls in setting up
> >a
> > > >database of alleged fraudulent cards. Navigating this minefield in
> >the
> > > >United States begins with the Fair Credit Reporting Act, 15 USC 1681
> >et
> > > seq.
> > > >to determine whether this would be a covered activity. If any other
> >non-
> > > US
> > > >registrars could point out similar statutory provisions I would
> >greatly
> > > >appreciate it. In the short term, I believe that a more prudent
> >course of
> > > >action would be reporting these potential fraudulent actions to the
> > > credit
> > > >card companies and the appropriate law enforcement agencies.
> > > >
> > > >Best regards,
> > > >
> > > >Michael D. Palage
> > >
> > >
>
>