pros / cons
My MD wants us to start logging IPs of ordering customers in an effort to reduce credit card chargebacks, the idea being we can trace fraudsters through their ISP, and state that this is what we do in order to scare dodgy people off.
Also, would an ISP actually release such info as what user was using a certain IP at a certain time?? I would have thought that (in the UK) this would have data protection act implications?
I have been there and done that.
First, in your privacy statement it would need edited to state the new tracking usage (if you want to stay legit in the customers eyes).
2nd, when I went through my last chargeback...
A)IPs change, they are not static (as I am sure you know)
B)No, ISPs will not release ANY customer information let alone who was using what IP at what time
C)When I did try contacting an ISP with the IP and E mail header showing who the user was they stated I needed a subpeno(?) and even then good luck with thier legal department. Also how could I prove that someone else was not using thier customers computer to place the order and send the E mail (OK reality check), but they are correct.
All I can say is document everything and have hard copies. Any E mail communications, any signed shipping slips. I even go so far as stating if AVS (address verification) does not match I credit the customer back and E mail them why. I also then ask them to contact thier bank and update the billing information. This last thing is what I find weeds out the "dodgy" people best.
No system is fool proof and without a CC imprint you are exposed. I am also not doing ANY dropshipments.
I've found users don't mind if you promote it as a protection process instead of worrying about the privacy. "We monitor all ip's for credit card fraud'. It builds buyer confidence, it doesn't errode it.
"We monitor all ip's for credit card fraud"
What does monitoring the IP gain you. If they were static I could see keeping a list of all IPs that placed a fraudulant order and use that list on orders submitted to weed out the fraud but with dynamic IPs what would the point be. sorry must be missing something here...:(
Brian, here's how I think about it -
>What does monitoring the IP gain you.
In many cases nothing, but it serves the same purpose as those store cameras. Many of those have no tapes in the VCR or the quality is so bad they can't tell if it was a person or a squirrel the did something untoward.
But the end result is the same, done correctly everyone feels a little safer, it deters the amateurs, and keeps your losses to the pros, which you would lose to no matter what you did.
Using it as a 'look how careful we are with our customers details' kind of statement hadn't occurred to me. I'll ponder further.
I recently had someone purchase a cloaking script with a stolen credit card number. This guy was very clever. He used the real address of the guy who's number he stolen and the phone number was one digit off. He used a free email address that looked legitimate, something like firstname.lastname@example.org. I did a lookup on the IP and it came out of Russia. This guy knew what he was doing.
Funny, this guy is that good at being bad, but yet he needed to get his hands on a cloaking script.
To expand the topic slightly, what measures do you all use to guard against fraud?
We archive all emails (in and out) and they are searchable to bring up a full history in case of disputes, but it seems all too easy for a customer to simply deny all knowledge of anything, and then the chargeback stands.
We have a 'card not present' merchant account, but no access to databases of CC user addresses etc to verify that the customer is who (s)he claims to be.
Various online merchant services offer increased security checking (eg matching against address etc), but all the ones I've found require you to actually clear the transaction through them.
Does anyone know of a service where I can check a customer's identity details in real time but then process the payment through our own facilities?