Refusing suspicious orders
dabbler
9th November 2009, 07:06
Hi all, I'm new to this forum but have been trading online for a number of years. We sell intangibles - software and software-related services. Recently due to the release of a new product, we've been receiving numerous very suspicious orders that have been paid by paypal. We perform a number of manual checks before accepting such orders, and if we are not satisfied we simply email them saying the order has been declined because it failed our security checks, and process an immediate refund of the PayPal payment. Often we'll hear nothing back, but several times they have emailed asking what was wrong with the order. Obviously we really don't want to tell them as that will let them know what checks we do, and usually we really don't want to do business with these people anyway, so don't want them to try placing the order again. I understand that if the order was genuine the person would really want to know what the problem was, but we would rather lose a sale than risk a fraudulent sale, partly because of the nature of the product.
My question is, how do you inform people that their order was declined? Do you tell them why? What if they ask you why their order was rejected? I believe we are not legally required to tell someone why their order was rejected, is that true? Would appreciate how others handle this.
Thanks!
Sarah
Rhyl Lightworks
9th November 2009, 07:24
Legal people will correct me if I'm wrong, but I thought that once you had taken payment for goods, you had entered a legal contract to supply them (in the UK anyway -I don't know what the position is selling abroad). Taking payment through PayPal constitutes this. Often prospective purchasers will let you off the hook, if you explain clearly why you are refusing to supply them, and refund the money immediately, but I believe they are not obliged to do so.
Barrie
dabbler
9th November 2009, 07:40
Legal people will correct me if I'm wrong, but I thought that once you had taken payment for goods, you had entered a legal contract to supply them (in the UK anyway -I don't know what the position is selling abroad). Taking payment through PayPal constitutes this. Often prospective purchasers will let you off the hook, if you explain clearly why you are refusing to supply them, and refund the money immediately, but I believe they are not obliged to do so.
Barrie
If that's the case we'd have to stop using PayPal. But surely part of checking for fraudulent orders is comparing the PayPal details with the details on our online shop order, so it seems that you should still be able to refuse an order paid with PayPal as long as you refund it immediately.
cycloneuk
9th November 2009, 08:22
We have it stated in our terms and so do a lot of the big boys that a contract isn't formed until they receive an email confirming dispatch, I believe these are legal terms since it is slightly different for online orders.
If you were in a shop then a contract is formed when they take payment.
Rhyl Lightworks
9th November 2009, 08:25
If that's the case we'd have to stop using PayPal. But surely part of checking for fraudulent orders is comparing the PayPal details with the details on our online shop order, so it seems that you should still be able to refuse an order paid with PayPal as long as you refund it immediately.
This does seem unfair, and I have posted a question in the legal section, to see if anyone can give clarification on this.
Barrie
Wiggy
9th November 2009, 08:25
When you decline one of these, do you leave any options for the customer to reinstate the order?
We don't use PayPal and I don't quite understand how a PayPal payment can be fraudulent. . .I thought it was effectively cash.
We often decline card orders. We inform the customer that they have 'failed a security check' and offer guidance on overcoming the problem.
In many cases, it is simply: "for fraud prevention, we are only able to ship to the cardholder's registered address" or "Please order again and carry out the Verified by Visa step"
To avoid providing crooks with information to improve their technique, we answer specific requests like "but why was it declined" with a (completely true) stock answer along the lines of, "we use an intelligent fraud prevention system that takes many things into account, it considers the cardholder's details, delivery address, recent card activity among other things"
I don't think anybody can mount a legal challenge if you return their money and have given a reason. I don't know if PayPal can take issue if customers complain but if they do not protect you from fraud, how can they object if you protect yourself.
office man
9th November 2009, 08:25
Just give them the reason that your payment processor gives. If I am unsure I always ask them for a land line number.
greenwood-IT
9th November 2009, 08:35
Hiya,
You're correct in that you don't want to tell customers why they were flagged by your fraud checks. The anti-fraud system I wrote for a VoIP company used a number of factors in detecting the baddies, many of which just were not available to the card processing people. You must be able to cancel an order for your own reasons - PayPal will never be able to tell if you've had a bad experience with a certain billing address before, it's only your local checks that will highlight this.
There is always the middle ground... contact the purchaser to 'confirm the order details'. Telling them that your security system has flagged their order as either suspicious or a random security check/audit, and that they need to fax a signed copy of their credit card and proof of address to you. Either they will comply and you've got an order or THEY will request you cancel the order as they can't be bothered. Either way you're no worse off.
Chat soon.
Evan
9th November 2009, 08:59
I used to work for a company that processed online orders and we too had to perform security checks and sometimes decline orders. We also did not tell them the reason why, for the same reasons as you. We would just tell them they were welcome to place the order again and if they entered all of the required details correctly and we were able to confirm them their order would be processed. Sometimes they had just entered details incorrectly the first time. Sometimes they were fraudulent. The ones we reckoned were really obviously fraudulent, but had the balls to ring us up and complain, usually didn't try again. The honest ones usually did, and usually they rechecked their details, got them right, and then we processed the order.
Legally speaking, you are always entitled to decline a sale. You are not making an offer, but inviting the customer to make an offer, which you may then accept or reject. You don't have to give a reason. However because you have taken payment could be construed as accepting the offer, but only if you don't state otherwise. Simply place a notice beside the pay now button saying: "All purchases are subject to security checks". P.S. I'm not a lawyer/solicitor, but rather I am giving my opinion based on a basic knowledge of consumer law and some past experience. Any legal issues should be clarified with a lawyer/solicitor. ....always important to have a disclaimer.
Hope this helps,
Evan
dabbler
9th November 2009, 09:12
Thank you to everyone for your very helpful comments. From your replies it appears that we are basically doing it right. I will probably check and add something in our online shop to clarify that sales are subject to security checks and not considered accepted until we have emailed them with a confirmation.
In many cases we really don't want to invite them to place the order again. I'm sure we're not the only ones who have had people retry ordering with different details, all of which are suspicious. That just wastes our time. If it looks OK other than the fact there is some missing information or they have placed the order using a free email address (which we clearly state we do not accept) then sometimes we will contact them and ask for a different email address and/or further information.
Wiggy, PayPal accounts can be hijacked or hacked, they are not completely safe. I used to think that too. Fortunately we have not (as far as I know) been a victim of this yet but I have read many horror stories.
What about if you simply do not wish to sell to a particular person when it is NOT necessarily a question of possible fraud? Has anyone else dealt with this, and if so, what do you say? For example, if someone has been abusive to you in emails and forum posts in the past, or if you are concerned that they may intend to use your product illegally.
Sarah
greenwood-IT
9th November 2009, 09:44
Hiya,
For example, ... if you are concerned that they may intend to use your product illegally.
I think this depends on exactly what you're selling (I'm going to check your site next!:cool:), if it's guns and fertiliser, then definitely be careful!
I've only been contacted twice over the years by the law people, one was to try and trace a soldier who'd gone AWOL and called his parents using one of our calling cards, and the other was to find out who had ordered a certain T-Shirt and then stupidly worn it while robbing a Building Society! :p In either case, there was absolutely no way we could have foretold the illegal activity and we didn't let it deter us from the core business of selling the products.
I think you need to be careful if you're going to refuse orders purely on 'suspicions' - I would suggest you definitely make notes on the order as to why you refused it, and make sure these are factual.
Chat soon.
Wiggy
9th November 2009, 09:54
What about if you simply do not wish to sell to a particular person when it is NOT necessarily a question of possible fraud? Has anyone else dealt with this, and if so, what do you say? For example, if someone has been abusive to you in emails and forum posts in the past, or if you are concerned that they may intend to use your product illegally.
We have rejected orders from customers who had consistently complained about the products and service [6 customers in 10 years]
We told them we did not wish to serve customers whom we were incapable of satisfying. Their reactions varied; some persuaded us to change this stance, others didn't.
None of them tried to legally compel us to serve them . . .
dabbler
9th November 2009, 10:07
I think this depends on exactly what you're selling (I'm going to check your site next!:cool:), if it's guns and fertiliser, then definitely be careful!
This particular product is an Internet server security product and we just want to be careful who we sell it to.
Sarah
yorkshirejames
9th November 2009, 10:08
Legally speaking, you are always entitled to decline a sale. You are not making an offer, but inviting the customer to make an offer, which you may then accept or reject. You don't have to give a reason. However because you have taken payment could be construed as accepting the offer, but only if you don't state otherwise. Simply place a notice beside the pay now button saying: "All purchases are subject to security checks". P.S. I'm not a lawyer/solicitor, but rather I am giving my opinion based on a basic knowledge of consumer law and some past experience. Any legal issues should be clarified with a lawyer/solicitor. ....always important to have a disclaimer.
Hope this helps,
Evan
Agree that putting details on a website is an "invitation to treat" and nothing more.
The main issue at hand is that if a credit card merchant is not happy that everything is correct, they (or your anti-fraud processes) will decline a transaction. What the OP is looking to do is to cancel a transaction _after_ the customer has issued payment (this is important - a contract requires consideration from both parties - the customer's consideration is the payment).
In doing this, you lay yourself open to a breach of contract claim from the customer - especially if he had purchased something rare or expensive (if you were selling your last slab of marble from the Acropolis for example).
In many cases we really don't want to invite them to place the order again. I'm sure we're not the only ones who have had people retry ordering with different details, all of which are suspicious. That just wastes our time. If it looks OK other than the fact there is some missing information or they have placed the order using a free email address (which we clearly state we do not accept) then sometimes we will contact them and ask for a different email address and/or further information.
Wiggy, PayPal accounts can be hijacked or hacked, they are not completely safe. I used to think that too. Fortunately we have not (as far as I know) been a victim of this yet but I have read many horror stories.
I would only ever use a hotmail address for anything online (shopping, forums, etc) as I wish to have a level of privacy. The address from my ISP at home is in the form of free addresses that they offer, and any corporate email address I may have is not available to me to use for personal purchases. Besides - if I really wanted to p155 off people like you, I'd just spend £10 to register a domain such as http://www.yorkshireplumbing.co.uk and use its email accounts.
What about if you simply do not wish to sell to a particular person when it is NOT necessarily a question of possible fraud? Has anyone else dealt with this, and if so, what do you say? For example, if someone has been abusive to you in emails and forum posts in the past, or if you are concerned that they may intend to use your product illegally.
Sarah
Okay - this is going from a reasonable question to the ridiculous. If you are really saying that business is good enough that you can afford to pick and choose your customers, then you are either doing better than most, or your head is too much in the clouds.
What use may they make of your product that could be illegal?
Actually - an example of the above. Let's say you sell potting compost. Someone wants to buy this (with a hotmail email address) to grow marijuana with. In your website terms and conditions you will have a clause that people cannot buy your product for any illegal purpose. This covers you.
If people want to buy your potting compost to grow marijuana with, or buy condoms to use with a 15 year old girl, or buy pork to try and force-feed a Muslim person with, I don't see how any blame can be attached to the seller. About the only exception would be a person of legal age who wants to buy alcohol to give to a 17 year old - but this is only an issue for the seller if you knew (or could reasonably be believed to know - example a bloke who comes into the off-licence with a gaggle of 17 year olds in tow) that the person was going to use the alcohol for this purpose.
Wiggy
9th November 2009, 10:23
What use may they make of your product that could be illegal?
Oh I dunno. . .something age restricted. . . Adult toys, gambling, martial arts paraphernalia, surveillance equipment. . .
cjd
9th November 2009, 13:28
We decline sales all day everyday. There's no legal problem with this.
Both genuine and fraudulent people will contact you afterwards - it's not a good test of credit worthiness; it's a test of how much balls they have. (The fraudsters have huge balls.)
If in any doubt, decline the payment and just say something like 'unfortunately your order has been declined for security reasons'. Then offer them the option of paying by bank transfer which is safe for you. Verified by Visa is another good option.
scm5436
9th November 2009, 14:25
What about if you simply do not wish to sell to a particular person when it is NOT necessarily a question of possible fraud? Has anyone else dealt with this, and if so, what do you say? For example, if someone has been abusive to you in emails and forum posts in the past, or if you are concerned that they may intend to use your product illegally.
"We will not tolerate rudeness to our staff. Your order has been cancelled, and your card refunded. You are not welcome here, do not attempt to place another order."
That seems to get rid of them pretty much every time.... :D
okay - this is going from a reasonable question to the ridiculous. If you are really saying that business is good enough that you can afford to pick and choose your customers, then you are either doing better than most, or your head is too much in the clouds.
Seems perfectly reasonable to me - We reject customers all the time for various reasons, and in many cases it makes perfect business sense to do so. If you can see in advance that they're going to be nothing but trouble why would you actually want to have them as your customer? Are you really that desperate for sales?
Michelle_HLD
9th November 2009, 16:28
We have only just started accepting Paypal on my site and I was really concerned with using it before.
My advice would be to use Sagepay as a payment gateway as their fraud screening is fantastic.
deniser
9th November 2009, 16:42
We get lots of fraudulent orders and only the odd one catches us out.
Some are so obviously fraudulent that we just refund the money and don't even bother to email. Typically this would be a large order with an email address known to be fraudulent, an American sounding name, IP address comes from internet cafe, yahoo email address, delivery to business address in Naples.
With less obvious ones, we just email to say the transaction has failed 3rd party security checks. They rarely try again but occasionally this puts the wind up them and they phone to try to find out whether anyone is on to them or not and make up stories about lost cards etc. That is quite amusing as you can tell they're actually quite scared of getting caught.
I only ever had one who was genuine who convinced me by the nature of her emails so I apologised and gave her 10% off her next order which she was grateful for and reordered.
Rhyl Lightworks
9th November 2009, 19:50
The legal opinion seems to be that PayPal and other orders can be refused if this is clearly stated in your terms and conditions.
Barrie
NICHOLASM1987
9th November 2009, 20:58
I think declining orders is silly, if they want it that bad they will just get other people to purchase on their behalf, you must have some abnormal checks.
FLAUK
9th November 2009, 23:30
I rejected an order earlier this year that was placed from an IP address in Nigeria with a delivery address in Eastern Europe. Turned out to be legit! The guy was a long standing member of an industry forum and the moderators confirmed he often worked in Nigeria and lived in Europe.
Caught quite a bit of flak over it, but still stand behind the decision.
scm5436
10th November 2009, 13:39
I think declining orders is silly, if they want it that bad they will just get other people to purchase on their behalf, you must have some abnormal checks.
So if you received an order you thought was fraudulent you would just accept it and risk losing the goods and the money? Let me know what your webstore is and I'll send all the fraudulent customers your way - you're welcome to them.
davidjgoss87
10th November 2009, 16:21
Do you refuse to accept orders where the registered email address is from a free provider? Would that mean that if my email was a hotmail, yahoo or gmail address I couldn't shop online? If that's the case you must be losing serious amounts of customers. Plus, PayPal seems to be more trouble than it's worth for you anyway. Why not ditch it, open up to free email addresses and put some sensible security measures in for credit/debit card orders?
I think I'm going to do a new post later listing all the fraud checks we do - the question seems to be asked a lot - so look out for that post for my tips on spotting dodgy card orders. I've stuck by them and so far we've never been hit.
Dymo King
10th November 2009, 16:27
Maybe you should post that in the members section, not sure it would be wise to put it on a public forum where fraudsters could see it...
dabbler
10th November 2009, 16:33
do you refuse to accept orders where the registered email address is from a free provider? would that mean that if my email was a hotmail, yahoo or gmail address i couldn't shop online? if that's the case you must be losing serious amounts of customers.
Our customer base are mainly Internet businesses and hosting companies. They may use a free email address as their primary means of communication but they will (or should) always have an email address on their business domain. If they don't, or refuse to provide it, that looks suspicious to us.
plus, paypal seems to be more trouble than it's worth for you anyway. why not ditch it, open up to free email addresses and put some sensible security measures in for credit/debit card orders.
We use a third party payment processor with good security checks for credit/debit cards as well. Offering PayPal gives our customers a choice. We'd like to continue offering it, and from the comments and advice we've received it looks like we will be able to do so since we have added clear terms and conditions regarding when and how an order is accepted and a contract formed.
Sarah
davidjgoss87
10th November 2009, 17:51
Our customer base are mainly Internet businesses and hosting companies. They may use a free email address as their primary means of communication but they will (or should) always have an email address on their business domain. If they don't, or refuse to provide it, that looks suspicious to us.
We use a third party payment processor with good security checks for credit/debit cards as well. Offering PayPal gives our customers a choice. We'd like to continue offering it, and from the comments and advice we've received it looks like we will be able to do so since we have added clear terms and conditions regarding when and how an order is accepted and a contract formed.
Sarah
Fair enough, I should have seen your business earlier in the post. I was being closed-minded and thinking from a retail point of view. Anyway, hope it works out.
davidjgoss87
10th November 2009, 17:52
Maybe you should post that in the members section, not sure it would be wise to put it on a public forum where fraudsters could see it...
Aha, good point, will do that.
yorkshirejames
11th November 2009, 09:28
Our customer base are mainly Internet businesses and hosting companies. They may use a free email address as their primary means of communication but they will (or should) always have an email address on their business domain. If they don't, or refuse to provide it, that looks suspicious to us.
I will never provide anything other than a hotmail account (which receives around 200 spam messages a day) as my perception is that my inbox will get flooded - not saying you do this, just that this is my perception.
I suppose I could use something like dabbler@mydomain but again it's usually easy to go from there to james@mydomain.
cjd
11th November 2009, 09:36
I will never provide anything other than a hotmail account (which receives around 200 spam messages a day) as my perception is that my inbox will get flooded - not saying you do this, just that this is my perception.
I suppose I could use something like dabbler@mydomain but again it's usually easy to go from there to james@mydomain.
Then you won't get any kind of service from us either. We have a list of several hundred disposable email domains that our site bars.
It's one thing using junk addresses for free software and such, but it's quite different buying professional products and services from reputable businesses - they need to know who you are.
scm5436
11th November 2009, 09:42
Same here. We allow them on most of our sites as there isn't much fraud, but on the one that sells products that are targets for fraud we ban the free emails...
yorkshirejames
12th November 2009, 08:21
Then you won't get any kind of service from us either. We have a list of several hundred disposable email domains that our site bars.
It's one thing using junk addresses for free software and such, but it's quite different buying professional products and services from reputable businesses - they need to know who you are.
No they don't. They need a credit card number that passes all security.
The businesses who decide to send you daily emails are the "reputable businesses" you speak of.
scm5436
12th November 2009, 08:24
No they don't. They need a credit card number that passes all security.
And what do you do when they don't pass all security? We still have plenty of customers that place orders without 3D-secure authentication so would you just reject them (even though the vast majority are genuine customers)? Or do you just accept them anyway without performing any other checks?
cjd
12th November 2009, 08:31
No they don't. They need a credit card number that passes all security.
The businesses who decide to send you daily emails are the "reputable businesses" you speak of.
I'm afraid you don't know what you're talking about - no such thing as a 'credit card that passes all security' exists and you have to have systems to deal with failed card payments which are genuine.
I know of at least 2 VoIP companies that have been put out of business by organised credit card fraud. Short of receiving an IP address from Nigeria (or USA), signing for professional business services using a junk email account is the best fraud signature there is.
Here's another tip - if the name is written in CAPITALS it's also likely to be fraud.
quikshop
12th November 2009, 09:01
signing for professional business services using a junk email account is the best fraud signature there is.
Same applies in retail as well but to a lesser degree. If I was selling a high value professional service I would also exclude free to use email account addresses.
Slightly different for retail though, there are plenty of genuine retail customers out there using them.
In addition to noting junk email addresses we also look out for mobile phone numbers instead of landlines, poor English or unlikely names (i.e. Mr John) and shipping addresses that do not match the registered address of the card. There are a few other indicators which I'll not discuss here.
It takes a minute to call the number and check, we save ourselves hundreds every month just checking orders that have one or more of the warning signs.
silvermusic
12th November 2009, 10:36
Here's another tip - if the name is written in CAPITALS it's also likely to be fraud.
Given that names on credit/debit cards are in capitals some people assume that's how they should enter their details. Never found names or addresses in capitals any more or less likely to be a fraud.
cjd
12th November 2009, 11:02
The reason that CAPITALS are a sign, is that the fraudsters (this one is usually from the USA) have lists of hundreds of stolen card numbers bought from data bases which are formatted like that. They then sell untested numbers for $5 each. The lists all have surname in capitals and the crims just copy and paste into web forms.
They then attempt to make low value purchases with the cards they have bought (so as not to reduce the value of the card by reducing its remaining credit). If they can make a payment with the card they can then sell the new list of verified numbers for $20-$50 each. The new list is also copy and pasted by the new purchaser for high value goods.
We see hundreds of these intermittently. If you're trading on-line you have to be very, very careful.
dabbler
12th November 2009, 11:08
Oddly enough, yesterday evening we had an order with PayPal payment which was almost immediately put on hold by PayPal themselves, saying they suspected it was unauthorised. This is the first time we've had this happen. I hadn't even had a chance to check the order out, but to be honest it looked OK to me and I might have accepted it. Nothing really flagged it as suspicious to me. :eek:
Then overnight we had one person try about a dozen different credit cards via our credit card payment processor (PayPoint), all of which were declined and several were marked SUSPECTED FRAUD. Glad PayPoint was doing its job!
Sarah
silvermusic
12th November 2009, 11:18
We see hundreds of these intermittently. If you're trading on-line you have to be very, very careful.
Out of curiosity I've just pulled off a CSV from my site of the last three months' transactions, it works out roughly 5% of them have used capitals for their name and a slightly lower number for their addresses as well. Only one of those was a problem and that was down to the postal strike and an item taking three weeks to get to France, although that one's sorted out now with full payment via Google checkout.
I don't know about others, but perhaps you're being targeted specifically or what you sell attracts more than its fair share of bad customers.
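The check described in the post above (export the order history, then count how often a warning sign fires and how often those orders were actually a problem) can be run over several of the signals mentioned in this thread at once. This is an added example, not code from any poster; the CSV columns, the free-mail domain list and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample export: one row per order, chargeback=1 means it was fraud.
SAMPLE_CSV = """
order_id,name,email,billing_postcode,shipping_postcode,chargeback
1001,Alice Marsh,alice@marshhosting.example,LS1 4AB,LS1 4AB,0
1002,JOHN SMITH,john@smithweb.example,M1 2CD,M1 2CD,0
1003,Priya Patel,priya.patel@gmail.com,B2 5EF,B2 5EF,0
1004,MR JOHN,mrjohn77@yahoo.com,NW1 6XE,80100,1
1005,Tom Okafor,tom@okaforit.example,G1 1AA,g11aa,0
1006,Dana Reyes,dana@reyeshost.example,EH1 3GH,SW1A 1AA,0
1007,Lee Wong,leewong@hotmail.com,CF10 1JK,CF10 1JK,1
1008,SARA JONES,sara@jonesnet.example,BS1 5LM,BS1 5LM,0
1009,Omar Haddad,omar@haddad.example,L1 8NP,L1 8NP,0
1010,Kim Novak,kim.novak@gmail.com,NE1 7QR,NE1 7QR,0
"""

# Assumption: a short illustrative list, not any merchant's real blocklist.
FREE_MAIL = {"hotmail.com", "yahoo.com", "gmail.com"}


def name_all_caps(order):
    """True when every letter of the customer name is upper case."""
    letters = [c for c in order["name"] if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)


def free_email(order):
    """True when the e-mail domain is on the free-mail list."""
    return order["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL


def address_mismatch(order):
    """True when billing and shipping postcodes differ (ignoring case/spaces)."""
    def norm(value):
        return "".join(value.split()).upper()
    return norm(order["billing_postcode"]) != norm(order["shipping_postcode"])


SIGNALS = {
    "name_all_caps": name_all_caps,
    "free_email": free_email,
    "address_mismatch": address_mismatch,
}


def load_orders(text):
    """Parse the CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def evaluate(orders):
    """Per signal: how often it fires and how often a flagged order was fraud."""
    total = len(orders)
    fraud_total = sum(o["chargeback"] == "1" for o in orders)
    base_rate = fraud_total / total if total else 0.0
    report = {}
    for label, check in SIGNALS.items():
        flagged = [o for o in orders if check(o)]
        caught = sum(o["chargeback"] == "1" for o in flagged)
        precision = caught / len(flagged) if flagged else 0.0
        report[label] = {
            "flagged": len(flagged),
            "fraud_caught": caught,
            # Genuine customers who would be declined on this signal alone.
            "genuine_flagged": len(flagged) - caught,
            "hit_rate": len(flagged) / total if total else 0.0,
            "precision": precision,
            "recall": caught / fraud_total if fraud_total else 0.0,
            # >1 means flagged orders are more often fraud than orders overall.
            "lift": precision / base_rate if base_rate else 0.0,
        }
    return report


if __name__ == "__main__":
    for label, stats in evaluate(load_orders(SAMPLE_CSV)).items():
        print(f"{label:17} flagged={stats['flagged']} "
              f"genuine_flagged={stats['genuine_flagged']} "
              f"precision={stats['precision']:.2f} lift={stats['lift']:.2f}")
```

The `genuine_flagged` column is the cost side of each rule: how many real customers would have been turned away if that signal alone decided the order.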
cjd
12th November 2009, 11:36
I don't know about others, but perhaps you're being targeted specifically or what you sell attracts more than its fair share of bad customers.
We ARE being targeted specifically, as are all online service providers - particularly in the telco/internet industries. Plus we do many hundreds of small transactions per day so we'll see more than most.
There are many more tests we apply - which can't be discussed here - but they are all on top of those applied by the transaction processors which don't by any means catch them all. Not even close.
And don't forget, once the crims have verified a card works, they use it on high value sites - so it will pass all the bank's tests.
yorkshirejames
13th November 2009, 14:06
And what do you do when they don't pass all security? We still have plenty of customers that place orders without 3D-secure authentication so would you just reject them (even though the vast majority are genuine customers)? Or do you just accept them anyway without performing any other checks?
If you have 3D security on your site, why would a customer not use it (this is a genuine question by the way)?
I'm afraid you don't know what you're talking about - no such thing as a 'credit card that passes all security' exists and you have to have systems to deal with failed card payments which are genuine.
With the greatest of respect, you know nothing about me, so to make assumptions like this is unkind and inappropriate.
In 2003, I was project manager of the implementation of a new website for a major electrical retailer, that introduced new technology (for then) such as VBV and securecode. This was for a £100m turnover business.
A credit card that passes all your security I am defining as an auth, confirmation of AVS and CVV2/CVC2 number, then whatever other security processes you may have.
deadgoodundies
13th November 2009, 14:16
If you have 3D security on your site, why would a customer not use it (this is a genuine question by the way)?
Because some customers just HATE having to remember another login and password and there are those who are uneducated to what 3D-secure is even if you splash it all over your payment page explaining what it is people still don't read it.
When we first implemented 3D-secure we had no end of problems with people abandoning carts because they thought it was a phishing attempt even to the point where I had one customer screaming down the phone to me accusing me of trying to steal their details (even when I tried to explain to the customer what it was) - in the end we turned it off until its use was more widespread and the actual card issuers' customer services team knew what it was as well (muppets were giving wrong advice to customers)
scm5436
13th November 2009, 14:17
If you have 3D security on your site, why would a customer not use it (this is a genuine question by the way)?
Some aren't registered, most probably don't even know what it is. It hasn't been very well (or at all?) communicated by the card companies to their customers so most people's first experience of it is when they're in the checkout and they get asked for their securecode/verifiedforvisa password ("my what???"). Some people will sign up there and then, others seem to find it easier to hit the 'skip authentication' button than the 'join now' button.
A credit card that passes all your security I am defining as an auth, confirmation of AVS and CVV2/CVC2 number, then whatever other security processes you may have.
To be fair that's not really enough. Firstly a LOT of genuine customers order with the incorrect AVS details (delivering to their work address from their personal card), secondly that provides no security whatsoever from chargebacks. That's why many of the people on this thread add extra levels of security, such as banning free email accounts etc.
Obviously different markets have different levels of security based on their own personal experiences with fraud - some markets are more prone to fraud than others.
I recently tried to buy a (not particularly expensive) LCD screen from a major online retailer with next day delivery and they emailed me back to say I had to send them proof of my ID & address (even though I'd ordered from them before, and my card address details were correct).
Needless to say I told them to get stuffed and bought it elsewhere...
cjd
13th November 2009, 14:24
You seem to be missing the point that a credit card can pass all security checks and still be fraud.
As I, and others, said much earlier, VbV for once is a system that can protect the merchant but not all cards from all countries are part of the scheme so you're still at risk if you accept them - and many will pass all checks but still result in a chargeback.
Repeat payments are another difficult issue - but not for public discussion.
You also need to be able to deal with false negatives which is a further risk.
deadgoodundies
13th November 2009, 14:29
I recently tried to buy a (not particularly expensive) LCD screen from a major online retailer with next day delivery and they emailed me back to say I had to send them proof of my ID & address (even though I'd ordered from them before, and my card address details were correct).
Needless to say I told them to get stuffed and bought it elsewhere...
To be fair to the retailer the slightest difference to what you have registered with your card and what you enter can result in an AVS error.
For example my first bit of the address is Delta House, Unit 2, 264 XXXXX Road
If I enter Delta House in the address field of a website the payment will fail the AVS check, if I leave it out it then goes through fine.
If in doubt I'll phone the customer or use a combination of Royal Mail, 192.com or, if abroad, various countries' own white pages websites to verify the correct address.
Wiggy
13th November 2009, 14:50
As I, and others, said much earlier, VbV for once is a system that can protect the merchant but not all cards from all countries are part of the scheme so you're still at risk if you accept them - and many will pass all checks but still result in a chargeback.
I ran an experiment on VbV to see if the liability shift works. It does, the card issuer takes the hit if a crook beats 3Dsecure. . .:D
cjd
13th November 2009, 15:09
Yes, VbV is a genuine step forward for us poor bloody merchants.
But you have to realise that criminals will tend to use non VbV cards now and if you allow non VbV cards through that pass your other tests - you're still at risk, probably more so.
Not allowing those non VbV through results in significant lost revenue. What we need is universal VbV.
deadgoodundies
13th November 2009, 15:18
What we need is universal VbV.
Hear, hear.
Elect that man president :D
Yes a global VBV and SecureCode would be great and I've no idea why Visa and MasterCard aren't making it mandatory for all countries.
scm5436
13th November 2009, 16:21
But you have to realise that criminals will tend to use non VbV cards now and if you allow non VbV cards through that pass your other tests - you're still at risk, probably more so.
But on the plus side, as more and more people sign up it means we now have more time to apply extra stringent checks to those few that don't...
yorkshirejames
16th November 2009, 06:52
Hear, hear.
Elect that man president :D
Yes a global VBV and SecureCode would be great and I've no idea why Visa and MasterCard aren't making it mandatory for all countries.
Thirded. And I guess I can understand the commercial reasons to not mandate securecode. I just assumed that given I implemented this in 2004 that all sites nowadays would have it, and mandate it, and likewise that all consumers would use it.
smallman101
18th November 2009, 21:49
I think the law says that you are fully entitled not to go ahead with any client's order for any reason (so long as they have not paid you, obviously, otherwise you need to refund them). Other than that it's the ethics of the situation; if you take reasonable care then you should be ok if the police or worse come knocking.
flywithoutwing
19th November 2009, 06:39
I'm so sorry to hear that. That sounds so bad. If the customer pays by PayPal, maybe that is not very safe for the seller; most people want to get money back but to solve problem. That is bad.
We have to be careful during online payment.
IridiumCorp
19th November 2009, 12:49
As I, and others, said much earlier, VbV for once is a system that can protect the merchant but not all cards from all countries are part of the scheme so you're still at risk if you accept them - and many will pass all checks but still result in a chargeback.
CJD,
You are correct in this. We had a merchant yesterday who contacted us to tell us that their acquiring bank was trying to chargeback 2 transactions where 3D secure had been attempted but the card was not enrolled. In this case the liability still shifts but the bank will try it on anyways.
In another case a merchant was doing full 3D secure on all transactions and over a period of a month took 6 figures worth of questionable transactions. We flagged it to him as most likely fraud and his response was that he did not care as liability was not with him. What he failed to realise is that the issuing bank still registers a chargeback notification with the card schemes regardless of whether the merchant ever sees it. When the chargebacks came rolling in the merchant was flagged at scheme level. Card schemes contacted his acquirer and told them to turn off his account or face fines. Merchant accounts gone in 60 seconds. Merchant also blacklisted for possible merchant side fraud.
The point is that the merchant has a duty of care to use all reasonable means to stop fraud going through their account. Turning away business because you suspect it to be fraud should be the standard operating procedure for every merchant.
Our advice is always that the merchant should use all the technological tools he can to detect fraud but at the end of the day good old common sense is your best protection. If you even marginally suspect it, don't accept it or get payment another way. If you're worried about taking a payment then later declining it and returning the funds, the answer is simple. Get a clause in your T&C's to cover you or do a pre-auth if your processor supports it.
Hope this helps.
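The order triage the posts above describe, written out as an added Python sketch that is not code from any poster or payment provider. The field names, the status labels and the two-flag decline threshold are assumptions; treating "attempted but not enrolled" as a liability shift follows the post above.

```python
from dataclasses import dataclass

# Constructed labels for this sketch; real gateways return their own codes.
LIABILITY_SHIFT = {"authenticated", "attempted_not_enrolled"}

@dataclass
class Order:
    authorised: bool       # issuer approved the authorisation
    cvv_match: bool        # CVV2/CVC2 confirmed
    avs: str               # "match", "partial" or "mismatch"
    threeds: str           # "authenticated", "attempted_not_enrolled", "skipped", "unsupported"
    manual_flags: int = 0  # suspicious findings from the merchant's own manual checks

def triage(order: Order) -> dict:
    """Return the decision ("accept", "review" or "decline"), whether 3D Secure
    shifted liability, and the reasons behind the decision."""
    shift = order.threeds in LIABILITY_SHIFT
    if not (order.authorised and order.cvv_match):
        return {"decision": "decline", "liability_shift": shift,
                "reasons": ["auth_or_cvv_failed"]}
    # Liability shift never overrides suspicion: the chargeback is still
    # recorded against the merchant at scheme level.
    if order.manual_flags >= 2:  # assumed threshold
        return {"decision": "decline", "liability_shift": shift,
                "reasons": ["multiple_manual_flags"]}
    reasons = []
    if order.manual_flags == 1:
        reasons.append("manual_flag")
    if order.avs != "match":
        # Genuine customers fail AVS often, so this is a review, not a decline.
        reasons.append("avs_" + order.avs)
    if not shift:
        # Cards outside 3D Secure get the stricter manual checks.
        reasons.append("no_liability_shift")
    return {"decision": "review" if reasons else "accept",
            "liability_shift": shift, "reasons": reasons}

if __name__ == "__main__":
    samples = [  # constructed orders, not real transactions
        Order(True, True, "match", "authenticated"),
        Order(True, True, "partial", "authenticated"),
        Order(True, True, "match", "skipped"),
        Order(True, True, "match", "attempted_not_enrolled", manual_flags=2),
    ]
    for sample in samples:
        print(triage(sample))
```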
mark one
19th November 2009, 18:38
As someone who is about to start selling on line it is something I never even thought about. I just assumed Google or Penpal would detect any irregularities and stop the transaction
cjd
19th November 2009, 18:46
As someone who is about to start selling on line it is something I never even thought about. I just assumed Google or Penpal would detect any irregularities and stop the transaction
That's a very quick way of going out of business - you need to be very cautious in any form of trading; real shops have theft, on-line has credit card fraud and neither the banks nor PayPal are interested in protecting you from it.