: Should I decline a credit card based on IP Address We are having a problem with a user who comes to our site to attempt to validate hundreds of credit card numbers. He will run around 400+
We are having a problem with a user who comes to our site to attempt to validate hundreds of credit card numbers. He will run around 400+ .00 transactions at a time, find some valid card numbers and then quit. This is happening with more frequency.
He uses the same name and address each time and his IP address is the same. We are taking several steps to address the issue.
One of the steps I would like to take is to prevent him from submitting the transaction if I see his IP address. Is it safe to do this? Could I potentially be losing legitimate sales by doing this?
BTW, we use PayPal's Payflow pro service to process credit cards.
More posts by @Gail5422790
3 Comments
Sorted by latest first Latest Oldest Best
Going out on a limb without knowing much about your setup.
It seems like you're a target because you're not validating any of the billing address credentials. That enables him to verify valid card numbers without having to know much additional information about the card such as billing zip code. It's also possible that your error messages are too verbose and are giving the guy more information about the decline than he can find else-where. Most eCommerce stores return generic decline messages to avoid becoming a target for this type of misuse.
As a side note, I believe getting used like this can hurt you in the long run with PayPal, causing them to tack on higher rates because you're a risky customer. Read your agreement with them about additional % points due to fraud and risk. If I remember correctly it says something like they can add up to 5% points to each transaction if you fall into a high risk category.
You could report it to Paypal, let them do their job and investigate these transactions and take appropriate steps upstream to make sure the transactions are declined at payment provider level.
This not only fixes it for you, but all sites using the same payment service, and if its serious enough, they will pass it further up the line to the card issuers too.
Rather than just fixing the problem on your site, you have an opportunity to help fix the problem across many sites. Its better for everyone if this problem is handled as far upstream as possible.
If it is always from the same IP address then blocking it is a good idea. If it is a region you don't do business in then blocking the IP range may not be a bad idea, either.
An alternative approach is to identify when that user is on your site and give them bad information. Randomly tell them when credit cards are good or bad without actually attempting to validate them. Additionally, you can make each request very slow requiring more and more of his time to do this making it inefficient for his purposes. Eventually they'll consider you not worth their time and go elsewhere.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.