ICANN/DNSO
DNSO Mailing lists archives

[registrars]



RE: [registrars] Credit Card Update


The easiest way I can think of is for the Registry to simply refund any
unused years when a domain is deleted.

Additionally, as a safeguard, the Registry could be given the right to ask
for documentation from the Registrar if there was ever an issue (much like
the losing registrar can do with transfers).

Rob.

-----Original Message-----
From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org] On Behalf Of Paul Goldstone
Sent: Thursday, September 26, 2002 1:19 PM
To: Donny Simonton
Cc: 'Michael D. Palage'; registrars@dnso.org
Subject: RE: [registrars] Credit Card Update


Donny,

That's pretty important information we weren't informed of when signing up
for CVV2.  Until a better method comes along, I guess unconfirmed CVV2 codes
will have to go into manual processing and telephone confirmation.

AVS is another issue, especially when the majority of credit card frauds we
deal with are with cards issued by US banks, regardless of where the
registrant is from.  To Rick's point, IP and Email address seem to be the
best fields to monitor.

As mentioned earlier, the registry should at least consider refunding all
years but the first year on these fraudulent transactions.  I understand
that there may be concerns about using that fairly but we've all been
through extensive background checks and we're all in the family circle of
trust ;)

How would something like that be put into effect?

~Paul


At 11:53 AM 9/26/2002 -0500, Donny Simonton wrote:
>One thing you must remember is that not all credit cards will return a
>Y/N on CVV2.  Sometimes they will return a not supported by the credit
>card company.  This is where your problem will come in.  For example
>almost all of the foreign credit card companies return a not supported
>on CVV2.  But some US credit cards also return a not supported, like
>PayPal's credit card, which is through First USA/Bank One.  But a First
>USA/Bank One credit card will return a valid CVV2 number.
>
>So you can't ban everybody or anybody who returns a not supported on
>CVV2.
>
>This also goes for AVS, since AVS only works for credit cards issued in
>the US.  Visa does have something called IAVS, but good luck finding
>somebody who offers it.
>
>So AVS and CVV2 can help you some, but by no means will it stop credit
>card fraud.
>
>Donny
>
> > -----Original Message-----
> > From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org] On
> > Behalf Of Paul Goldstone
> > Sent: Thursday, September 26, 2002 11:03 AM
> > To: Michael D. Palage
> > Cc: registrars@dnso.org
> > Subject: Re: [registrars] Credit Card Update
> >
> > Michael,
> >
> > While reporting stolen card numbers to the CC companies and law
> > enforcement agencies would certainly be an honorable thing to do (for
> > the sake of the actual cardholders), I'm not sure if it would deter the
> > people we're all dealing with.
> >
> > Although the Email address often remains the same, the credit card
> > number rarely does.  In fact, many fraudulent regs are preceded by
> > several attempts with several credit cards (another sign we could
> > probably look for)
> >
> > We're about to implement the 4 digit code from the back of cards, and
> > based on other responses on this board so far, it sounds like that'll
> > make a huge difference.  Thanks to everyone for their input!
> >
> > ~Paul
> >
> > At 09:20 AM 9/26/2002 -0400, Michael D. Palage wrote:
> > >I am glad that we are having a more open dialog with regard to credit
> > >card fraud. I think this is another positive sign of the maturity of our
> > >industry. I am trying to line up a credit card industry expert to speak
> > >with us in China. It appears that we may have the funds for a telephone
> > >bridge there as well :-)
> > >
> > >As I mentioned yesterday, I foresaw potential pitfalls in setting up a
> > >database of alleged fraudulent cards. Navigating this minefield in the
> > >United States begins with the Fair Credit Reporting Act, 15 USC 1681 et
> > >seq. to determine whether this would be a covered activity. If any other
> > >non-US registrars could point out similar statutory provisions I would
> > >greatly appreciate it. In the short term, I believe that a more prudent
> > >course of action would be reporting these potential fraudulent actions
> > >to the credit card companies and the appropriate law enforcement agencies.
> > >
> > >Best regards,
> > >
> > >Michael D. Palage
> >
> >
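
The screening ideas raised in this thread, as an added example that is not code from any poster or registrar: treat the CVV2 result as three-state (a "not supported" answer goes to manual review instead of a ban), and flag an email or IP address that has been seen with several different cards. The result labels, the threshold and the `OrderScreen` name are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict

# Assumed labels for the gateway's CVV2 answer; real gateways use their own codes.
CVV_MATCH, CVV_MISMATCH, CVV_UNSUPPORTED = "Y", "N", "NOT_SUPPORTED"
MAX_CARDS_PER_IDENTITY = 2  # assumed threshold; tune against your own order data


class OrderScreen:
    """Routes each order to 'accept', 'manual_review' or 'decline'."""

    def __init__(self):
        # (kind, value) of an email or IP -> set of card tokens seen with it
        self.cards_by_key = defaultdict(set)

    def screen(self, email, ip, card_token, cvv_result):
        reasons = []
        # Velocity check: the email/IP tends to stay the same while the card changes.
        for kind, value in (("email", email.strip().lower()), ("ip", ip)):
            seen = self.cards_by_key[(kind, value)]
            seen.add(card_token)  # store a token or hash, never the card number
            if len(seen) > MAX_CARDS_PER_IDENTITY:
                reasons.append(f"{len(seen)} cards tried from same {kind}")
        if cvv_result == CVV_MISMATCH:
            return "decline", reasons + ["CVV2 mismatch"]
        if cvv_result == CVV_UNSUPPORTED:
            # Issuer cannot check the code: do not ban, confirm by hand.
            reasons.append("CVV2 not supported by issuer")
        elif cvv_result != CVV_MATCH:
            reasons.append(f"unknown CVV2 result {cvv_result!r}")
        return ("manual_review" if reasons else "accept"), reasons


# Constructed sample orders: (email, ip, card_token, cvv_result)
SAMPLE_ORDERS = [
    ("alice@example.com", "192.0.2.10", "tok_a1", "Y"),
    ("bob@example.net", "198.51.100.7", "tok_b1", "NOT_SUPPORTED"),
    ("Eve@example.org", "203.0.113.5", "tok_e1", "N"),
    ("eve@example.org", "203.0.113.5", "tok_e2", "N"),
    ("eve@example.org", "203.0.113.9", "tok_e3", "Y"),  # third card, new IP
]


def run_samples():
    screen = OrderScreen()
    return [screen.screen(*order) for order in SAMPLE_ORDERS]


if __name__ == "__main__":
    for order, (decision, why) in zip(SAMPLE_ORDERS, run_samples()):
        print(order[0], order[3], "->", decision, why)
```

The last sample order passes CVV2 but is still held for review, because it is the third card tried from the same email address.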




