RE: [registrars] Credit Card Update

["Donny Simonton" <donny@intercosmos.com>]

It may be mandatory on a credit card, but that doesn't mean that the
processor will tell you if it's valid or not.  Like I mentioned we have
an employee who got his PayPal credit card last week, and his CVV2
number comes back as not supported.  We have tried this through two
different processors, Nova and Vital.

So you must come up with additional business rules for credit cards of
this nature.  Or you can just ban them and send me their business.  :)

Donny

> -----Original Message-----
> From: Elliot Noss [mailto:enoss@tucows.com]
> Sent: Thursday, September 26, 2002 12:47 PM
> To: Paul Goldstone; Donny Simonton
> Cc: registrars@dnso.org
> Subject: RE: [registrars] Credit Card Update
> 
> AFAIK CVV2 is mandatory internationally as well since May of this
year.
> 
> Elliot Noss
> Tucows inc.
> 416-538-5494
> 
> > -----Original Message-----
> > From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org]On
> > Behalf Of Paul Goldstone
> > Sent: Thursday, September 26, 2002 1:19 PM
> > To: Donny Simonton
> > Cc: 'Michael D. Palage'; registrars@dnso.org
> > Subject: RE: [registrars] Credit Card Update
> >
> >
> > Donny,
> >
> > That's pretty important information we weren't informed of when
signing
> up
> > for CVV2.  Until a better method comes along, I guess unconfirmed
> > CVV2 codes
> > will have to go into manual processing and telephone confirmation.
> >
> > AVS is another issue, especially when the majority of credit card
> > frauds we
> > deal with are with cards issued by US banks, regardless of where the
> > registrant is from.  To Rick's point, IP and Email address seem to
be
> the
> > best fields to monitor.
> >
> > As mentioned earlier, the registry should at least consider
refunding
> all
> > years but the first year on these fraudulent transactions.  I
understand
> > that there may be concerns about using that fairly but we've all
been
> > through extensive background checks and we're all in the family
circle
> of
> > trust ;)
> >
> > How would something like that be put into effect?
> >
> > ~Paul
> >
> >
> > At 11:53 AM 9/26/2002 -0500, Donny Simonton wrote:
> > >One thing you must remember is that not all credit cards will
return a
> > >Y/N on CVV2.  Sometimes they will return a not supported by the
credit
> > >card company.  This is where your problem will come in.  For
example
> > >almost all of the foreign credit card companies return a not
supported
> > >on CVV2.  But some US credit cards also return a not supported,
like
> > >PayPal's credit card, which is through First USA/Bank One.  But a
First
> > >USA/Bank One credit card will return a valid CVV2 number.
> > >
> > >So you can't ban everybody or anybody who returns a not supported
on
> > >CVV2.
> > >
> > >This also goes for AVS, since AVS only works for credit cards
issued in
> > >the US.  Visa does have something called IAVS, but good luck
finding
> > >somebody who offers it.
> > >
> > >So AVS and CVV2 can help you some, but by no means will it stop
credit
> > >card fraud.
> > >
> > >Donny
> > >
> > > > -----Original Message-----
> > > > From: owner-registrars@dnso.org
[mailto:owner-registrars@dnso.org]
> On
> > > > Behalf Of Paul Goldstone
> > > > Sent: Thursday, September 26, 2002 11:03 AM
> > > > To: Michael D. Palage
> > > > Cc: registrars@dnso.org
> > > > Subject: Re: [registrars] Credit Card Update
> > > >
> > > > Michael,
> > > >
> > > > While reporting stolen card numbers to the CC companies and law
> > > > enforcement
> > > > agencies would certainly be an honorable thing to do (for the
sake
> of
> > >the
> > > > actual cardholders), I'm not sure if it would deter the people
we're
> > >all
> > > > dealing with.
> > > >
> > > > Although the Email address often remains the same, the credit
card
> > >number
> > > > rarely does.  In fact, many fraudulent regs are proceeded by
several
> > > > attempts with several credit cards (another sign we could
probably
> > >look
> > > > for)
> > > >
> > > > We're about to implement the 4 digit code from the back of
cards,
> and
> > > > based
> > > > on other responses on this board so far, it sounds like that'll
make
> a
> > > > huge
> > > > difference.  Thanks to everyone for their input!
> > > >
> > > > ~Paul
> > > >
> > > > At 09:20 AM 9/26/2002 -0400, Michael D. Palage wrote:
> > > > >I am glad that we are having a more open dialog with regard to
> credit
> > > > card
> > > > >fraud. I think this is another positive sign of the maturity of
our
> > > > >industry. I am trying to line up a credit card industry expert
to
> > >speak
> > > > with
> > > > >us in China. It appears that we may have the funds for a
telephone
> > >bridge
> > > > >there as well :-)
> > > > >
> > > > >As I mentioned yesterday, I foresaw potential pitfalls in
setting
> up
> > >a
> > > > >database of alleged fraudulent cards. Navigating this minefield
in
> > >the
> > > > >United States begins with the Fair Credit Reporting Act, 15 USC
> 1681
> > >et
> > > > seq.
> > > > >to determine whether this would be a covered activity. If any
other
> > >non-
> > > > US
> > > > >registrars could point out similar statutory provisions I would
> > >greatly
> > > > >appreciate it. In the short term, I believe that a more prudent
> > >course of
> > > > >action would be reporting these potential fraudulent actions to
the
> > > > credit
> > > > >card companies and the appropriate law enforcement agencies.
> > > > >
> > > > >Best regards,
> > > > >
> > > > >Michael D. Palage
> > > >
> > > >
> >
> >
>