[thelist] Free tip: securing your online store
Susan Wallace
susanhw at webcastle.com
Thu Apr 25 08:48:01 CDT 2002
>using avs is sometimes a bonus to credit card number thieves if they have a
>rough idea (ie, city, state, street, but not house number) of the billing
>address for the card. they'll use it to come up with a valid street number.
ACK! I didn't think about that...
I was reading some more on AVS, and it is not supported by all gateways or
all card types, so that would be some more avenues for them to use/holes
for me to plug. Also, this apparently only works for US issued cards?
>>yes. the few i've seen online that request the 3 digits from the back have
>always done so as an option. it was not required to make a payment.
The only place I know of that requires this is Priceline.com - and that's
not first hand, I had a friend tell me that she was not able to make a
purchase there because her CC did not have the 3 digits on the back, so she
had to call her bank and get them to issue her a new card...
>rather than processing the card real-time, you simply do a luhn check to
>make sure the shopper is entering a valid card number.
That seems like a great idea! It will require some work, but I think it
sounds good. I'm not sure though if it is worth doing on the site that had
this problem though because it is so low-volume. They have the store as a
"nice to have", not an expected money maker, and they get only maybe 1
order a month.
<aside>The person who sets up the T1 and firewall services for this client
*lives* for this stuff - he is like a kid in a candy store with his sniffer
out trying to catch these people. He has the blessing of the authorities
involved, and it's like a trap at this point... he's doing a "public
service" to those who don't know their number has been stolen... even
saving 4 is progress. ;) </aside>
One other suggestion I received is to turn off the ability to accept
International Orders. I know that at one time I heard a lot of folks would
not allow International ordering, however I don't think that's reasonable
(or fair). The option would then be to have the person fax the client a
copy of the credit card in order to process the order. In the case of this
particular client, it may not be a big deal because they are so low volume,
but in others? I like your idea better...;-)
Thanks for the suggestion!
Susan
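
The Luhn check suggested in the quoted reply above, as an added example that is not part of the original message or anyone's production code. Function names are hypothetical, and the sample value is the sandbox test number widely published by payment processors, not a real account.

```python
import re

# Widely published sandbox test number (constructed sample, not a real account).
SAMPLE_TEST_PAN = "4111 1111 1111 1111"


def normalize_pan(raw):
    """Strip the spaces and dashes shoppers type; return the digits or None."""
    digits = re.sub(r"[ -]", "", raw.strip())
    # ASCII digits only, 12 to 19 long (assumed bounds for card number length).
    if not re.fullmatch(r"[0-9]{12,19}", digits):
        return None
    return digits


def luhn_valid(raw):
    """True if the number is well formed and its Luhn checksum is 0 mod 10."""
    digits = normalize_pan(raw)
    if digits is None:
        return False
    total = 0
    # Walk right to left; double every second digit, starting with the
    # digit immediately left of the check digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def single_digit_typos_caught(raw):
    """Return (caught, tried) over every one-digit substitution of a valid number."""
    digits = normalize_pan(raw)
    caught = tried = 0
    for pos, ch in enumerate(digits):
        for repl in "0123456789":
            if repl == ch:
                continue
            tried += 1
            if not luhn_valid(digits[:pos] + repl + digits[pos + 1:]):
                caught += 1
    return caught, tried


if __name__ == "__main__":
    print(luhn_valid(SAMPLE_TEST_PAN), single_digit_typos_caught(SAMPLE_TEST_PAN))
```

The checksum catches every single mistyped digit, but it only shows the number is well formed: it says nothing about whether the account exists or the card is stolen, so the order still needs authorization before it ships.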