[thelist] Free tip: securing your online store

.jeff jeff at members.evolt.org
Wed Apr 24 22:14:01 CDT 2002


susan,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Susan Wallace
>
> One of my clients has a very small, not-used-often
> online store.  The person that processes orders noticed
> some addresses coming through that seemed strange, so
> she alerted me to the issue. After investigation, it
> turns out that someone was using our site to try and
> verify a list of stolen credit card numbers.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

it's actually more common than most people think.  we had the same thing
happen on one of our client's sites.

sometimes they do it to try to figure out the expiration date for a card
number.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> Our site uses SSL, and is setup to use CyberCash/
> Verisign. What the people with the stolen card numbers
> had determined was that our Processor does not use
> AVS - Address Verification Services, and they also do
> not require those 3 extra digits from the back of the
> card. So, they put some items in their cart, entered
> bogus address information and shipping information,
> and proceeded through the list of numbers they had.
> Once an order went through, they started over again.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

using avs is sometimes a bonus to credit card number thieves if they have a
rough idea (ie, city, state, street, but not house number) of the billing
address for the card.  they'll use it to come up with a valid street number.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> I found out today that the account that my client has in
> this case is not currently setup to use AVS, although I
> am told that "it will be soon", and they do not offer
> any way to verify those 3 digits on the back.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

most payment gateways don't offer that sort of check.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> I have setup AVS in some other sites, but so far have
> not been requested to use the extra three digits from
> the back of a physical card. Are there any merchant/
> processors that actually use this information yet, or
> is it just one more way to keep the "honest people
> honest"?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

yes.  the few i've seen online that request the 3 digits from the back have
always done so as an option.  it was not required to make a payment.

there's actually another way to make it much harder for these sorts of credit
card number verification, expiration date discovery, and address discovery
attempts.  it won't work with every client, but has worked well for some of
ours.

rather than processing the card real-time, you simply do a luhn check to
make sure the shopper is entering a valid card number.  if it passes the
luhn check you finish the purchase and send the user to a page with a
receipt for their purchase explaining that their card will be processed
shortly.  you also do the same via email if they provided an email address.
when inserting the purchase into the database, mark it as not processed yet.

then, you set up some sort of scheduled task that runs every 15 minutes or
so against the purchase table looking for purchases that haven't been
processed yet or timed out from previous processing attempts.  using this
list of purchases, go back real quick to the database and mark them all as
timed out.  take this list and loop over them, sending each one to the
payment gateway for processing.  if they come back successful, mark them in
the database as such, construct an email receipt for the buyer letting them
know the transaction was successful, and send it off (provided they gave you
an email address).  also, construct an email to the client and let them know
a transaction was successful.  if it comes back as a failure for any reason,
mark it as such in the database and send off an email letting the client
know.  however, do not send an email to the buyer.  let the client handle
this with the buyer.  if the buyer is really someone trying to verify card
information, this will become immediately apparent by the contact info not
being any good.  if the payment gateway times out, you don't have to do
anything as the scheduled task will attempt to process it again in a little
bit.

the downside to this is that the client has to deal with failed
transactions.  if they're not on the ball this can be troublesome to some
buyers.  also, some buyers won't read the notice on the receipt after their
purchase or in their email that their transaction is pending and think it
went through.  however, due to the relatively small percentage of
transactions that actually fail, the expense in this method is relatively
low.  also, if your client *is* on the ball, calling genuine buyers whose
transactions failed gives them a chance to close the sale by taking another
credit card over the phone or discussing other payment arrangements that may
not be as feasible or available online.

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
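An added example of the deferred-processing scheme described in the post above, written for this edit and not code from the post or from evolt.org. It covers both halves of the procedure: the Luhn check at checkout, and the scheduled task that claims pending or timed-out orders, sends them to the gateway, and records the outcome. The table layout, the `'ok'`/`'declined'`/`'timeout'` answers from the gateway, the `notify` callback and the `"client"` recipient are all assumptions made to keep it runnable offline against an in-memory SQLite table; card numbers are stored in the clear only for brevity, which a real store should not do. Note what the attacker sees at checkout time: only whether a number is well-formed, since the gateway is never called in the request path, and a declined card produces no message to the buyer at all.

```python
import sqlite3
from typing import Callable, Dict, List, Optional


def luhn_check(number: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Spaces and dashes are tolerated; any other
    non-digit fails. This only catches mistyped numbers: a number that passes
    may still be stolen, expired, or nonexistent."""
    digits = [c for c in number if c not in " -"]
    if not digits or not all(c.isdigit() for c in digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Assumed table layout (not from the post): card numbers are stored in the
# clear here only to keep the example short; a real store would tokenize them.
SCHEMA = """CREATE TABLE purchase (
    id INTEGER PRIMARY KEY, card TEXT NOT NULL, email TEXT,
    status TEXT NOT NULL DEFAULT 'pending',  -- pending|timed_out|success|failed
    attempts INTEGER NOT NULL DEFAULT 0)"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def checkout(conn: sqlite3.Connection, card: str, email: Optional[str]) -> Optional[int]:
    """Checkout step: Luhn-check the number, store the order as 'pending', and
    return its id (None if rejected). The gateway is never called here, so a
    thief running a list of numbers learns only whether each is well-formed."""
    if not luhn_check(card):
        return None
    cur = conn.execute("INSERT INTO purchase (card, email) VALUES (?, ?)", (card, email))
    conn.commit()
    return cur.lastrowid


def run_scheduled_task(conn: sqlite3.Connection,
                       gateway: Callable[[str], str],
                       notify: Callable[[str, str], None]) -> Dict[str, List[int]]:
    """One tick of the periodic job: claim everything 'pending' or 'timed_out',
    mark it 'timed_out' up front (a crash mid-loop leaves it retryable), then
    submit each to the gateway, which is assumed to answer 'ok', 'declined'
    or 'timeout'. Buyers hear only about success; the client hears about both."""
    rows = conn.execute("SELECT id, card, email FROM purchase "
                        "WHERE status IN ('pending', 'timed_out')").fetchall()
    conn.executemany("UPDATE purchase SET status='timed_out', attempts=attempts+1 "
                     "WHERE id=?", [(r[0],) for r in rows])
    conn.commit()
    summary: Dict[str, List[int]] = {"success": [], "failed": [], "timed_out": []}
    for pid, card, email in rows:
        result = gateway(card)
        if result == "ok":
            conn.execute("UPDATE purchase SET status='success' WHERE id=?", (pid,))
            if email:
                notify(email, f"order {pid} processed")
            notify("client", f"order {pid} processed")  # 'client' = merchant inbox
            summary["success"].append(pid)
        elif result == "timeout":
            summary["timed_out"].append(pid)  # untouched: next tick retries it
        else:
            conn.execute("UPDATE purchase SET status='failed' WHERE id=?", (pid,))
            notify("client", f"order {pid} failed: {result}")  # buyer not emailed
            summary["failed"].append(pid)
    conn.commit()
    return summary


def demo():
    """Constructed walk-through with a stub gateway keyed on the last digit."""
    conn = open_store()
    sent: List[tuple] = []
    notify = lambda to, msg: sent.append((to, msg))
    flaky = lambda card: {"1": "ok", "3": "timeout"}.get(card[-1], "declined")
    ids = [checkout(conn, n, e) for n, e in [
        ("4111 1111 1111 1111", "a@example.com"),  # well-formed, approved
        ("4111 1111 1111 1112", "b@example.com"),  # fails Luhn, never stored
        ("5555 5555 5555 4444", None),             # well-formed, declined
        ("7992 7398 713", "d@example.com"),        # well-formed, gateway times out
    ]]
    run1 = run_scheduled_task(conn, flaky, notify)
    run2 = run_scheduled_task(conn, lambda card: "ok", notify)  # next tick
    statuses = dict(conn.execute("SELECT id, status FROM purchase"))
    return ids, run1, run2, statuses, sent


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the order that timed out on the first tick being picked up and approved on the second, and the declined order generating a single message to the merchant and none to the buyer, which is the property the post relies on to expose bogus contact details.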