We don't provide the customer with the response

I get this periodically. Last week someone tried to place an order from a server in Iraq, then one in the UK two minutes later, then back to Iraq, six attempts in a row, all going to places like Dubai, Jordan, UAE, etc. Then two weeks ago I had a $650 order from someone with a billing address in Chile, shipping address a Miami forwarder, ordering from Canadian ip, and calling from cellphone in CA. This person actually called me repeatedly as well, wanting to know if I would accept (phoney) money order or Western Union or would I overnight it or could she come and pick it up in person (from 500 miles away). And then there are the "I will like to order" emails. I could create a fraud filter just based on the phrase "I will like to order." I often write back "I will like to know why you will like to steal from me."

lol... I know, it's funny. All the effort they make... You'd think proper English would be first on the list, but I guess not.

We don't provide the customer with the response

olimits7, Realbrisk said something important here.

if they are submitting over and over again with different card numbers, rest assured they're using your cart as a test bed for their stolen cards.

I know that on my shopping cart you can make a limit of, for example, three declined attempts, before that user will be unable to submit again for a designated period of time (say, 15 minutes).

You should see if your ecommerce platform has something similar.

Thanks for the replies!

I don't provide my customer with a detailed reply of why their credit card was declined (no avs/ccv response); all my website responds with is something like "the credit card used was declined, please try a different payment method"...which I think is the norm with most websites.

That's a good thing to look into; does anyone know if Authorize.Net offers a feature like this to limit the number of declined attempts from the same user or is this something my shopping cart needs to have in place?

olimits7

Did you check out Authorize.Nets Fraud detection suit

Hi, yes...just got done talking to them and i can have this feature by adding the AFDS; which is great!

I recently noticed this one guy who tried to place the same order 8 times in a row, and each time with a different credit card number. The order kept getting declined because each order he tried to submit came up with "no match on street or zip code".

I've seen some nasty order attacks and you pay a fee for each attempt. Customers get a cut-off at about 10-15 attempts so they don't bankrupt me with transaction fees and 5 card # changes gets the axe as well.

I also pre-screen transactions and test the IP against the address and if the country doesn't match I dump it before calling the gateway. The GEO-IP services work OK for most IPs but obviously fails miserably on wireless broadband transactions.

Just a couple of tricks to play to save some fees

I don't provide the decline reason either, I offer them Paypal ;)

Also, one thing about the cart I use also has recaptcha set up on a velocity filter, so if they keep switching from IP to IP (and they aren't being tracked by cookies), if enough declines by any customers come in within a predefined time, then the recaptcha kicks in for like ten minutes or so.