ICANN/DNSO
DNSO Mailing lists archives

[registrars]



Re: [registrars] DECENT SIZE ISSUE: Credit Card Proposal - SUMMARY


Hello All,

I am new to the list, so I apologize in advance if this idea has already 
been discussed.

This is not a solution to the overall problem and I don't believe receiving 
a credit from the Registry will solve all our problems either. The truth of 
the matter is even if we were to get a credit from the Registry, we will 
still get hit with a charge back fee. Registrars can significantly reduce 
the amount of fraud by simply implementing some precautionary measures. 
Here are some ideas I would like to share that have worked well for us.

1) Use AVS to ensure the billing contact information matches what is on 
file with the bank. Once you have verified the address you can then get a 
geo-location based on the IP address of the system being used to submit the 
order and compare the two. So, if someone is in India, trying to use the 
credit card of someone based in the US, it will be rejected. After we 
implemented this strategy our fraud level dropped substantially.

2) Don't give fraudsters the opportunity to try credit cards until one 
finally works. If the client uses 10 different credit cards which are being 
declined then that order should be flagged for review or denied.

3) Keep a local DB of e-mails, credit card numbers, and IP addresses of 
fraud that can then be used to spot fraudulent transactions in the future. 
We have found it best to pend the transaction then void it out, otherwise 
they will keep trying things.

These are strategies that have worked for us, so I wanted to share these 
ideas with you all.


Regards,
Doktor Gurson


At 09:48 PM 2/24/2003, Tim Ruiz wrote:
>Bhavin,
>
>What I was trying to point out is that we can't have our cake and eat it
>too. If the registries provide a refund option then I believe registrars
>will be expected to delete any name that payment is charged back for. Your
>suggestion that it be the registrar's choice is having our cake and eating
>it too. I don't think we'll get away with that for long.
>
>In fact, if we discover fraud on day 70 I think there may be those who will
>expect those domains to be deleted as well. I think we need to have some
>foresight about the result of what we are asking, and be willing to accept
>consequences.
>
>Also, I don't think the registries can help us "combat fraud." What we are
>asking them to do is to assume some of the risk of fraud while relying on
>us to combat it. Trying to see their side of it, I could understand their
>hesitation since a refund policy could easily be abused and possibly result
>in some registrars being less vigilant.
>
>Don't get me wrong, I am on board with the general idea here. I think the
>best course of action at this point would be to prepare a letter detailing
>our concerns, and perhaps include some of the ideas we have had thus far,
>and ask VeriSign (and perhaps the other gTLD registries) for a meeting to
>discuss the issue.
>
>Tim
>
>  -------- Original Message --------
>    Subject: [registrars] DECENT SIZE ISSUE: Credit Card Proposal - SUMMARY
>    From: "Bhavin Turakhia" <bhavin.t@directi.com>
>    Date: Mon, February 24, 2003 9:53 pm
>    To: "'Registrar Constituency'" <registrars@dnso.org>
>
>
>    There have already been 48 + 27 posts on this topic in the past week
>    (previously under the post Canceling renewals and then under Credit
>    Card Proposal). I mention this for CHUCK's benefit :) - indeed this
>    issue is significant and should be treated so by the Registry :). Here
>    are what I believe the final summary points
>
>    * Registrars are in consensus that fraud exists, and currently the
>    Registrars are bearing full brunt of the same
>
>    * Registrars are in consensus, that Registry should assist us to a
>    certain feasible and practical extent to combat this fraud
>
>    * Registrars with a large number of resellers agree that this is a
>    problem that is faced by their entire Reseller chain too. (I know many
>    of our resellers who primarily stopped accepting credit card payments
>    for this very reason. In fact we have a Credit Card payment gateway
>    option built into our API for resellers unlike Tucows. I know many
>    resellers who turned this option off after facing significant fraud
>    losses due to a SINGLE transaction). In that sense actually
>    experiences of registrars who are small, as well as registrars who
>    have a large number of resellers may shed more light on the subject.
>    Especially registrars/resellers whose selling price allows an
>    extremely low margin
>
>    POSSIBLE SOLUTIONS I
>    ====================
>    Michael suggested that the Registry refund ALL BUT ONE domain year on
>    deletion. This was in fact suggested by me as a solution long ago too,
>    however I have since changed that from a while because of the fraud
>    patterns that I have been through since a long time now. Let's look at
>    the issues with this solution -
>
>    * Firstly and most importantly it does not help in fraud transactions
>    which consist of MANY ONE YEAR Registrations together. From data
>    accumulated in the past 4 months, almost 65% of fraudulent
>    transactions are of this type. I need a bigger data set to get more
>    accurate statistics. There is a reason for this however. Typically
>    the people who are transacting fraudulently for domain names (and I
>    can guarantee that most of these fraudsters are from Indonesia ;) )
>    are doing so NOT to buy a domain name, but to verify a card and see
>    if it works. A domain name is a very easy and tiny amount transaction
>    that can be performed which gives immediate results of verification.
>    If someone obtains a fraudulent card on the internet, the easiest way
>    to check it is to go to a low cost registrar and register a domain
>    name. It's instant verification for them. This is why most of these
>    kinds of fraudsters will register many 1 year domain names with many
>    different cards to check them out.
>
>    * Secondly, if this were an appropriate solution, the Registry really
>    has to do nothing. The registrar can simply register the name for a
>    single year and explain to the customer that the balance years will
>    be added to the account after a credit check is performed within 60
>    days. Though this solution was suggested by Chuck, and while I
>    personally feel it is not the right approach, because every registrar
>    will make a different implementation out of it thus confusing the
>    customer. However Chuck claims that if this proposal is put forward,
>    the Registry will come back saying this is handleable at the
>    Registrar side
>
>
>    POSSIBLE SOLUTIONS II
>    =====================
>    I suggested that if the domain name is deleted within 60 days a FULL
>    REFUND ought to be made, along with charging a fixed fee for the
>    deletion. Many people have mixed up this solution of mine with their
>    own aspects, thus confusing the entire issue here. So I am specifying
>    what my solution exactly entails and why
>
>    * Firstly the 60 day figure was not chosen arbitrarily. As of today a
>    transfer of a domain name is not allowed within 60 days. 60 days are
>    typically enough to do a credit check, and 950%+ of chargebacks occur
>    within 60 days. 5 days (which is the current period) is in most cases
>    not even enough to CALL A CUSTOMER up if required.
>
>    * Secondly the amount was chosen with care too. If the domain name is
>    deleted within 30 days (after 5 days) the registry should charge a fee
>    of $1, and if deleted within 60 days it should charge a fee of $2.
>    Anything more than this would be inappropriate as this fee has been
>    calculated as TWICE the normal pro-rata fee that that period should
>    apply. Michael came up with an alternative figure of $3, where he
>    states that $2 should be given as an extra fee to Verisign for a
>    manual process of deletion. Michael, what you need to understand here
>    is we are not asking Verisign to change anything or do anything extra.
>    By changing the deletion grace period logic from 5 to 60 days, there
>    is NO RECURRING EXTRA WORK BURDEN on Verisign after it is implemented.
>    Therefore a fee of TWICE THE standard PRO-RATA value more than covers
>    their cost. After all I doubt Verisign intends to make profits on
>    registrar chargebacks. At this fee they are already making twice the
>    standard amount on the DNS entry in the registry.
>
>    * Thirdly, Tim stated, that a policy like this would then require a
>    registrar to delete a name. I do not know where this stems up from. My
>    concept is quite simple actually. I am simply extending the deletion
>    grace period to the same period as the registry has put for the ADD
>    TRANSFER BLOCK. If a Registrar deletes a name between this time he
>    gets a refund less the one-off charge. If the registrar DOES NOT
>    delete the name, he gets to keep it and do whatever he chooses to.
>
>
>    Basically to me, SOLUTION II seems more feasible, because it allows us
>    to prevent 95% of the fraud at a low cost to us and practical/feasible
>    for the Registry.
>
>    Best Regards
>    Bhavin Turakhia
>    Founder, CEO & Chairman
>    Directi
>    ----------------------------
>    Tel: 91-22-26370256 (4 lines)
>    Fax: 91-22-26370255
>    http://www.directi.com
>    ----------------------------
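
The three screening measures listed in Doktor Gurson's message at the top of this thread (AVS plus IP geo-location, a cap on declined cards, a local fraud list), sketched in Python as an added example that is not part of any post in the thread. The field names, the threshold, the keyed card fingerprint (used so the fraud list holds no raw card numbers) and the sample data are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumptions for this example: key, threshold, field names, sample data.
PEPPER = b"example-only-key"  # constructed; a real key belongs in a secrets store
MAX_DECLINED_CARDS = 3        # assumed cut-off, well below the 10 cards in the post
GEOIP = {"192.0.2.10": "US", "203.0.113.7": "IN"}  # constructed geo-IP stand-in

def card_fp(pan):
    """Keyed hash so the local fraud DB never holds raw card numbers."""
    return hmac.new(PEPPER, pan.encode(), hashlib.sha256).hexdigest()

class Screener:
    def __init__(self, geoip):
        self.geoip = geoip
        self.declined = defaultdict(set)  # client IP -> fingerprints of declined cards
        self.blocked = {"email": set(), "card": set(), "ip": set()}

    def record_decline(self, ip, pan):
        self.declined[ip].add(card_fp(pan))

    def record_fraud(self, order):
        """Measure 3: remember e-mail, card and IP of confirmed fraud."""
        self.blocked["email"].add(order["email"].lower())
        self.blocked["card"].add(card_fp(order["pan"]))
        self.blocked["ip"].add(order["ip"])

    def screen(self, order):
        """Return (decision, reasons); 'pend' holds the order for review or void."""
        reasons = []
        if (order["email"].lower() in self.blocked["email"]
                or card_fp(order["pan"]) in self.blocked["card"]
                or order["ip"] in self.blocked["ip"]):
            reasons.append("blocklist")
        # Measure 2: many distinct cards declined from one client
        if len(self.declined[order["ip"]]) >= MAX_DECLINED_CARDS:
            reasons.append("card-velocity")
        # Measure 1: AVS first, then billing country against IP geo-location
        if not order["avs_match"]:
            reasons.append("avs-mismatch")
        elif self.geoip.get(order["ip"]) != order["billing_country"]:
            reasons.append("geo-mismatch")  # an unlocatable IP also lands here
        return ("pend" if reasons else "accept"), reasons

if __name__ == "__main__":
    s = Screener(GEOIP)
    order = {"email": "a@example.com", "pan": "4111111111111111",  # constructed order
             "ip": "203.0.113.7", "billing_country": "US", "avs_match": True}
    print(s.screen(order))
```

Returning "pend" rather than an immediate decline follows the message's third point: the client gets no instant signal about which card or detail tripped the check.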



