
Forum Moderators: buckworks


non profit used to screen stolen credit cards

     
12:17 pm on Sep 28, 2011 (gmt 0)

New User

joined:Sept 28, 2011
posts: 5
votes: 0


Our non-profit website was recently the victim of a stolen credit card verification scam. Over several days we received many donations that were processed through our PayPal Pro account. Most of these transactions were rejected, but a non-insignificant number were approved. We are hoping to learn from this and prevent it in the future (although our PayPal account has been locked and we are not sure when, if ever, we may be allowed to resume). How is it possible that false data is entered on our site yet the transaction is approved by the PayPal gateway? Looking at the person's name and address, it is obvious that they are not valid, and most of the successful transactions come back with AVSCODE of N, which should have caused the transaction to fail. Any information on how we may prevent this in the future, and explanations of how it may have happened, would be appreciated.
Thank you
12:48 pm on Sept 29, 2011 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Welcome to WebmasterWorld!
Unfortunately, I don't have a solution for you. It's something that happens. But I expect a few of the more seasoned online sales vets might have something more to offer.
3:44 pm on Oct 1, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Apr 30, 2007
posts:1394
votes: 0


"and most of the successful transactions come back with AVSCODE of N, which should have caused the transaction to fail."

That means the transaction should have been declined from your cart code and you need to fix the code.

N is documented by PayPal as "The transaction is declined".
10:21 am on Oct 3, 2011 (gmt 0)

New User

joined:Sept 28, 2011
posts: 5
votes: 0


We were displaying a failure code, but we were also getting
<ACK>Success</ACK>, and the transaction was processed on the PayPal end.
12:45 pm on Oct 3, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Apr 30, 2007
posts:1394
votes: 0


In the response array you should be checking the AVSCODE and CVV2MATCH fields also.

And what was the setting of PaymentAction? Just make sure it is "authorization" and not "sale", because it seems you set it up to make the whole capture automatic, and that could be the reason.

[cms.paypal.com...]
12:58 pm on Oct 3, 2011 (gmt 0)

New User

joined:Sept 28, 2011
posts: 5
votes: 0


We are using payment type "Sale" in our doDirectPayment call. From the link provided, we are using:
"During a traditional sale at PayPal, the authorization and capture action is completed simultaneously"
The AVSCODE is N, and CVV2MATCH is M.
It was our understanding that, with the authorization and capture method, if the transaction was rejected for any reason the funds would not be transferred and we would get an ACK of Failure.
Thank you for your help.
2:15 pm on Oct 3, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Apr 30, 2007
posts:1394
votes: 0


Yes, some of the specs do not clarify the PaymentAction enough, and it can be incorrectly set. Typically I will set it to authorization unless I am 100% sure buyers are legit.
2:48 pm on Oct 3, 2011 (gmt 0)

New User

joined:Sept 28, 2011
posts: 5
votes: 0


Thank you. So you will set it to authorize, then if everything comes back looking good you then capture the funds?
3:18 pm on Oct 3, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Apr 30, 2007
posts:1394
votes: 0


Yes, there should be an option via the PayPal cpanel to review the transactions.
3:49 pm on Oct 3, 2011 (gmt 0)

New User

joined:Sept 28, 2011
posts: 5
votes: 0


Thank you for your help. Should PayPal re-activate our account, we will follow your recommendation.
4:37 pm on Oct 3, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 15, 2004
posts: 1867
votes: 0


Plus, you should look into blocking the IP address or a range where the transaction originated from.
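
The authorize, check, then capture flow advised earlier in this thread, as an added example that is not part of any post here and is not PayPal's code. It assumes PaymentAction is set to Authorization and that the response arrives as a URL-encoded name-value string; the accepted AVS/CVV2 values, the per-IP failure threshold, the function names and the sample responses are all constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs

# Assumed merchant policy (not PayPal defaults): results good enough to capture.
ACCEPT_AVS = {"X", "Y"}    # address and ZIP both matched
ACCEPT_CVV2 = {"M"}        # CVV2 matched
ACK_OK = {"Success", "SuccessWithWarning"}


def parse_nvp(body):
    """Decode a URL-encoded name-value response body into a flat dict."""
    pairs = parse_qs(body, keep_blank_values=True)
    return {key.upper(): values[0] for key, values in pairs.items()}


def decide(body):
    """Return (action, reason) for one Authorization response.

    reject  - the gateway refused the request; there is nothing to capture
    void    - authorized, but AVS/CVV2 failed policy; release it with DoVoid
    capture - authorized and passed policy; settle it with DoCapture
    """
    r = parse_nvp(body)
    if r.get("ACK") not in ACK_OK:
        return ("reject", "ACK=%s" % r.get("ACK"))
    # The thread's case: ACK=Success can arrive with AVSCODE=N, so ACK alone
    # must never trigger a capture.
    if r.get("AVSCODE") not in ACCEPT_AVS:
        return ("void", "AVSCODE=%s" % r.get("AVSCODE"))
    if r.get("CVV2MATCH") not in ACCEPT_CVV2:
        return ("void", "CVV2MATCH=%s" % r.get("CVV2MATCH"))
    return ("capture", "ok")


def noisy_ips(attempts, max_failures=3):
    """IPs with more than max_failures non-captured attempts (card testing)."""
    fails = Counter(ip for ip, body in attempts if decide(body)[0] != "capture")
    return sorted(ip for ip, count in fails.items() if count > max_failures)


# Constructed sample responses and documentation-range IPs, not real data.
THREAD_CASE = "ACK=Success&AVSCODE=N&CVV2MATCH=M&TRANSACTIONID=EXAMPLE1&AMT=5%2e00"
GOOD = "ACK=Success&AVSCODE=Y&CVV2MATCH=M&TRANSACTIONID=EXAMPLE2&AMT=25%2e00"
DECLINED = "ACK=Failure&L_SHORTMESSAGE0=constructed%20decline"
ATTEMPTS = [("203.0.113.7", THREAD_CASE)] * 4 + [("198.51.100.2", GOOD)]

if __name__ == "__main__":
    for body in (THREAD_CASE, GOOD, DECLINED):
        print(decide(body))
    print("review/block candidates:", noisy_ips(ATTEMPTS))
```

The allowlists are deliberately strict; a partial-match AVS code would be voided here, so widen `ACCEPT_AVS` only after checking each code's meaning in PayPal's current documentation.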