RE: [registrars] Credit Card Update

[dwascher@iaregistry.com]

So far we have found CC that are foreign issued to be the problem 98% of the
time. If you are willing to have a higher fee per transaction for all
transactions then don't worry about the codes. On a $2 profit a .75 cent fee
is worth passing the CVV2 or the CID codes back. If you except a payment
when they don't match and there is charge back you will get hit with a 2nd
higher fee. Another point is that most foreign cards have 2 limits - local
purchases and foreign purchases. Several time we will max a foreign card and
they claim that they still have money available. Once we get them to call
the bank they find out the limit on foreign purchases.

Another piece that we do is when we identify a possible risk we email them a
CC authorization form to fax back in to us. A normal fraud will not return
it so we delete the name within the 5 days.

David

**-----Original Message-----
**From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org]On
**Behalf Of Donny Simonton
**Sent: Thursday, September 26, 2002 1:55 PM
**To: 'Elliot Noss'; 'Paul Goldstone'
**Cc: registrars@dnso.org
**Subject: RE: [registrars] Credit Card Update
**
**
**It may be mandatory on a credit card, but that doesn't mean that the
**processor will tell you if it's valid or not.  Like I mentioned we have
**an employee who got his PayPal credit card last week, and his CVV2
**number comes back as not supported.  We have tried this through two
**different processors, Nova and Vital.
**
**So you must come up with additional business rules for credit cards of
**this nature.  Or you can just ban them and send me their business.  :)
**
**Donny
**
**> -----Original Message-----
**> From: Elliot Noss [mailto:enoss@tucows.com]
**> Sent: Thursday, September 26, 2002 12:47 PM
**> To: Paul Goldstone; Donny Simonton
**> Cc: registrars@dnso.org
**> Subject: RE: [registrars] Credit Card Update
**>
**> AFAIK CVV2 is mandatory internationally as well since May of this
**year.
**>
**> Elliot Noss
**> Tucows inc.
**> 416-538-5494
**>
**> > -----Original Message-----
**> > From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org]On
**> > Behalf Of Paul Goldstone
**> > Sent: Thursday, September 26, 2002 1:19 PM
**> > To: Donny Simonton
**> > Cc: 'Michael D. Palage'; registrars@dnso.org
**> > Subject: RE: [registrars] Credit Card Update
**> >
**> >
**> > Donny,
**> >
**> > That's pretty important information we weren't informed of when
**signing
**> up
**> > for CVV2.  Until a better method comes along, I guess unconfirmed
**> > CVV2 codes
**> > will have to go into manual processing and telephone confirmation.
**> >
**> > AVS is another issue, especially when the majority of credit card
**> > frauds we
**> > deal with are with cards issued by US banks, regardless of where the
**> > registrant is from.  To Rick's point, IP and Email address seem to
**be
**> the
**> > best fields to monitor.
**> >
**> > As mentioned earlier, the registry should at least consider
**refunding
**> all
**> > years but the first year on these fraudulent transactions.  I
**understand
**> > that there may be concerns about using that fairly but we've all
**been
**> > through extensive background checks and we're all in the family
**circle
**> of
**> > trust ;)
**> >
**> > How would something like that be put into effect?
**> >
**> > ~Paul
**> >
**> >
**> > At 11:53 AM 9/26/2002 -0500, Donny Simonton wrote:
**> > >One thing you must remember is that not all credit cards will
**return a
**> > >Y/N on CVV2.  Sometimes they will return a not supported by the
**credit
**> > >card company.  This is where your problem will come in.  For
**example
**> > >almost all of the foreign credit card companies return a not
**supported
**> > >on CVV2.  But some US credit cards also return a not supported,
**like
**> > >PayPal's credit card, which is through First USA/Bank One.  But a
**First
**> > >USA/Bank One credit card will return a valid CVV2 number.
**> > >
**> > >So you can't ban everybody or anybody who returns a not supported
**on
**> > >CVV2.
**> > >
**> > >This also goes for AVS, since AVS only works for credit cards
**issued in
**> > >the US.  Visa does have something called IAVS, but good luck
**finding
**> > >somebody who offers it.
**> > >
**> > >So AVS and CVV2 can help you some, but by no means will it stop
**credit
**> > >card fraud.
**> > >
**> > >Donny
**> > >
**> > > > -----Original Message-----
**> > > > From: owner-registrars@dnso.org
**[mailto:owner-registrars@dnso.org]
**> On
**> > > > Behalf Of Paul Goldstone
**> > > > Sent: Thursday, September 26, 2002 11:03 AM
**> > > > To: Michael D. Palage
**> > > > Cc: registrars@dnso.org
**> > > > Subject: Re: [registrars] Credit Card Update
**> > > >
**> > > > Michael,
**> > > >
**> > > > While reporting stolen card numbers to the CC companies and law
**> > > > enforcement
**> > > > agencies would certainly be an honorable thing to do (for the
**sake
**> of
**> > >the
**> > > > actual cardholders), I'm not sure if it would deter the people
**we're
**> > >all
**> > > > dealing with.
**> > > >
**> > > > Although the Email address often remains the same, the credit
**card
**> > >number
**> > > > rarely does.  In fact, many fraudulent regs are proceeded by
**several
**> > > > attempts with several credit cards (another sign we could
**probably
**> > >look
**> > > > for)
**> > > >
**> > > > We're about to implement the 4 digit code from the back of
**cards,
**> and
**> > > > based
**> > > > on other responses on this board so far, it sounds like that'll
**make
**> a
**> > > > huge
**> > > > difference.  Thanks to everyone for their input!
**> > > >
**> > > > ~Paul
**> > > >
**> > > > At 09:20 AM 9/26/2002 -0400, Michael D. Palage wrote:
**> > > > >I am glad that we are having a more open dialog with regard to
**> credit
**> > > > card
**> > > > >fraud. I think this is another positive sign of the maturity of
**our
**> > > > >industry. I am trying to line up a credit card industry expert
**to
**> > >speak
**> > > > with
**> > > > >us in China. It appears that we may have the funds for a
**telephone
**> > >bridge
**> > > > >there as well :-)
**> > > > >
**> > > > >As I mentioned yesterday, I foresaw potential pitfalls in
**setting
**> up
**> > >a
**> > > > >database of alleged fraudulent cards. Navigating this minefield
**in
**> > >the
**> > > > >United States begins with the Fair Credit Reporting Act, 15 USC
**> 1681
**> > >et
**> > > > seq.
**> > > > >to determine whether this would be a covered activity. If any
**other
**> > >non-
**> > > > US
**> > > > >registrars could point out similar statutory provisions I would
**> > >greatly
**> > > > >appreciate it. In the short term, I believe that a more prudent
**> > >course of
**> > > > >action would be reporting these potential fraudulent actions to
**the
**> > > > credit
**> > > > >card companies and the appropriate law enforcement agencies.
**> > > > >
**> > > > >Best regards,
**> > > > >
**> > > > >Michael D. Palage
**> > > >
**> > > >
**> >
**> >
**>
**
**
**