stolen credit card shopping through paypal webpayment pro

[abigtree]

Dear All.

 

I run a small electronics e-commerce sell Portable DVD players.

 

Recently my business suddenly shooting 10 times with out any trace where the customer come from，I thought I might have done something supper right in marketing wise, until a lot of repeated customer came back buying the same thing again and again, I realized there is something wrong.

 

As all the orders paid through paypal web payment pro integrated into my website, I contacted paypal business support and discussed my suspicious and concerns. They didn't find any thing out of normal and there's no evidence suggest any suspicion.

 

Last Thursday, one person called me that his wife credit card was stolen and he traced it was shopped on my website. As there were about £20,000 worth goods purchased on my website, I reported police immediately, But they seems very slow in reaction.

 

I have sent over £15,000goods out already, and there are over £15,000 orders still outstanding. As I can see, there is not just one person, but over 50 different addresses as the goods was sent to, I am getting worried now.

 

Does anybody have this kind of experience before?

What should I do with the goods I had been sent out? Will I loose the goods and money?

What should I do with the money which came from stolen credit card?

What should I do with the outstanding orders? I’ve been holding as they bought out everything showing in stock on my website.

 

Even today, there are still some suspicious orders come through. It makes my business really difficult, we have to try very hard to find out which ones are genuine customers and which are fraudsters

 

Any suggestion and tips will be very much appreciated. Thanks

[dynamoeffects]

Set the Payment Action to "Authorization" and call your customers before shipping the order.

[wayfinder]

Does anybody have this kind of experience before?

What should I do with the goods I had been sent out? Will I loose the goods and money?

What should I do with the money which came from stolen credit card?

What should I do with the outstanding orders? I’ve been holding as they bought out everything showing in stock on my website.

 

Sound no good at all, we have been defrauded few times before and lost the goods, money and time. There are lots of things you can do but I doubt if you will be getting any good results. Be careful and good luck.

[andychev]

What a nightmare, i cant stand people like that who want something for nothing.

 

Unfortunately you need to plan for the worst. There are several things to consider:

 

The first being is that when the credit card companies find out that a card is used fraudulenty (this could be hours, days or weeks away) they will put it on stop and any suspicious transactions over £100 will be investigated. Paypal will flag this up as suspicious and put your paypal account on hold and remove the suspicious funds from your account (putting it into a negative balance if funds arent in there) Fundermentaly as soon as someone reports a card as stolen etc you arent going to have a usable paypal account. I belive the card companies also have the power to place a hold on funds in your bank account (i may be worng on that)

 

You arent going to get the money back, it sucks big time, but unfortunately that is the hard truth the money isnt yours as much as you may think it is even for the goods you have shipped.

 

The most you can hope for is for the police to recover the goods that you shipped (have you noted whether these were shipped to confirmed address's? if so you may be covered under paypals payment protection policy) the chances of them finding what you have shipped are slim to none.

 

You need to bear in mind that YOU are going to be investigated. As the store owever you are expected to take 'reasonable steps' to ensure against card fraud. However, with paypal beig the card processor i dont know how you stand on this. Either way paypals terms & conditions are water tight so even considering trying to blaim them and try and ge something back from them the chances are slim at best.

 

-----------------------------------------------------------------

 

So, i hear you ask what do i do!

 

If it was me i think i would pull the plug on your website. Even if you are still getting orders in that look to be legit as soon as paypal recognises the fraud on your account they will put your account on hold so you wont be able to accept any more payments or any you do accept they wont let you have.

 

You need to consider that this is going to be a long and drawn out process as there isnt just you and a card processor (like there would be if you had your own card machine) you have paypal in the middle which are notorious for being very slow. The whole thing to get sorted you are looking 6-12 months.

 

When it is 'sorted' the worst (and probably the most likely) outcome is going to be:

you loose any money that was given to you fraudulently (30k)

you will loose the good you shipped (15k)

It will take a long time before you will be able to use your paypal account again, it can sometimes take years.

 

If you still have all the money from the purchases then you will just loose the price of buying the goods you shipped out. However if you have spent the 30k you got in then you will have to repay that plus the price of the goods.

 

You need to take the aproach that your website is no more. stop any advertising that you do and pull the plug on it as this problem isnt going to be resolved quickly. The best you can hope for is to get it back up once you get your paypal account back. If your website is essential to your income then you need to look at alternatives 1 beacause you need ot have an income and 2 because you will be expected to pay back any fraudulent transactions and 3 you have had to pay for the goods you have shipped.

 

I hope what i have written help in some way and you manage to get this sorted as soon as possible. I hope the people who commited the fraud go to .....

 

Just a thought, perhaps speak to your bank about this. If they are in the 'loop' about what is happening then they will be more likely to help in the future if a loan or whatever is needed. Instead of going along and telling them 6 months down the line.

 

PS, Not trying to make things worse but i belive paypal will charge YOU £20-£30 for each fraudulent transaction on your paypal account. :(

[Guest]

Set the Payment Action to "Authorization" and call your customers before shipping the order.

 

 

After recieving a chargeback I've spent many weeks on the phone to Natwest (Merchant) and Protx(PSP) aswell as reading the documentation I asked the bank to send me. The vague information they provide is a joke Even if you follow all their advice. Based on the paperwork they sent me, the summary is "Even if all procedures have been correctly followed and documented this does not guarantee that you will succeed in disputing a chargeback"

Stolen Cards

Liability is shifted to the Visa or mastercard if you use the visa verified or mastercard verified on your website, this takes out the stolen card risk within the transaction.

BUT the biggest problem now is

Items not recieved claim

If the customer claims they have not recieved the item your going to receive a chargeback. I asked the Natwest helpdesk that if I ask for multiple forms of I.d. such as passport e.t.c. would I be covered; answer "No but our advice......do this and that and you lower the risk" what a load of twaddle. I send out high value items, only to the U.k. by carrier. I need guarantees, licking my finger and placing it in the air to feel if its right is not satisfactory business. If you follow their guidelines my opinion is you should be covered.

 

Conclusion

After investing £6000 in setting up the business, most of which in advertising. I have found out the hard way that banks are prats and they will charge you a bundle of money for offering a below standard service.

 

My advice to anyone carrying out customer not present transactions is don't bother unless you are delivering the items yourself and you are using a chip and pin. Its too risky and getting burnt 1 out of ten times or 1 out of 20 is still unacceptable. I now have large orders that I can't fulfill, very frustrating :angry:

 

If only I was aware of this before I spent a year developing the website, taking pictures, buying in stock e.t.c. I suppose the best lessons are the ones you gain from experience.

[dynamoeffects]

Fraud has been discussed ad nauseum on this forum and shouldn't have been an unknown aspect of doing online business when you started. It's unfortunately one of the risks of doing business online, but can be mitigated if certain business practices are made. For instance:

• Call all customers who place orders over a certain dollar amount.
  
• Authorize only. Don't charge their card until the order has shipped. I've even talked to one merchant who doesn't capture the funds until the order has been confirmed as delivered by contacting the customer. This avoids all chargeback fees and she said that she has never had a single chargeback.
  
• Keep a record of ALL credit card transaction messages. If you get a chargeback, but the AVS or CVV2 return codes are "U," sometimes that will sway Visa/MC's decision in your favor.
  
• All orders over a certain dollar amount should be mailed requiring a signature at delivery and retain a copy of that signature.
  

While running an online store isn't the super-cheap, get rich quick scheme that many imagine it to be, it's still cheaper than running a brick and mortar store -- even with occasional fraud. If you are a victim of fraud on a regular basis, the problem isn't the criminals, it's with your store policies. Many people here make a successful living selling online.

Edited June 18, 2007 by dynamoeffects

[Guest]

I'm just picking a few holes in what you've just said, these are the holes in the card not present system that makes online retailing too risky. And the comments I put to you are the same arguments the bank may put to you after a chargeback

 

[*]Call all customers who place orders over a certain dollar amount. This confirms the customer is who they say they are = correct, but does'nt allow you to determine whether it is the GENUINE card holder

[*]Authorize only. Don't charge their card until the order has shipped. I've even talked to one merchant who doesn't capture the funds until the order has been confirmed as delivered by contacting the customer. This avoids all chargeback fees and she said that she has never had a single chargeback.

Who's to say the person being called is the person who recieved the item? no chargebacks could just mean that the fraudsters hav'nt stumbled on her site yet, theres millions of sites out there.

 

[*]Keep a record of ALL credit card transaction messages. If you get a chargeback, but the AVS or CVV2 return codes are "U," sometimes that will sway Visa/MC's decision in your favor. Visa and mastercard verified remove liability from the retailer anyway in the credit card transaction stage

 

[*]All orders over a certain dollar amount should be mailed requiring a signature at delivery and retain a copy of that signature.

Who's to say that the person who signed is the genuine card holder, even with the credit card being physically copied on delivery

 

[/list]even with occasional fraud. If you are a victim of fraud on a regular basis, the problem isn't the criminals, it's with your store policies. Many people here make a successful living selling online.

This is not the case as if you are known by a fraudster, they will normally inform others that you are an easy target, being an easy target is very easy if the banks make you liable even if you follow the latter advice you just gave. With low value items you are at a lower risk in terms of the amount of lost income, high value items would obviously appeal more to the criminal

 

And just to clarify, unless you are a solicitor its very difficult to assess whether you are covered by the banks or not, its very easy to become misled by the banks representatives, by them stating what you should do. its hard to imagine that if you follow all their guidelines you are still liable for corruption, obviously the Customer not present scenario is flawed, a flaw which they should outline predominantly before selling you a merchant account, rather than it being thrown in with a large three page tiny written Terms and conditions, of which you have to be a solicitor to translate.

[dynamoeffects]

Except that you're poking holes in the security of accepting cards in a brick and mortar store as well. You must assume some risk in order to run a successful business. There is no way to remove 100% of the risk of accepting credit cards, even in person.

 

Call all customers who place orders over a certain dollar amount. This confirms the customer is who they say they are = correct, but does'nt allow you to determine whether it is the GENUINE card holder

 

If the area code is in the same city as their billing address, there's a good chance that it's a valid card. Statistically, most fraud comes from third world developing nations where they purchase credit card lists online. Lost cards where a thief would steal a card and use it before it's deactivated is also not very common. Those are typically used in retail situations.

 

Authorize only. Don't charge their card until the order has shipped. I've even talked to one merchant who doesn't capture the funds until the order has been confirmed as delivered by contacting the customer. This avoids all chargeback fees and she said that she has never had a single chargeback.

Who's to say the person being called is the person who recieved the item? no chargebacks could just mean that the fraudsters hav'nt stumbled on her site yet, theres millions of sites out there.

 

No, she had dealt with fraud. Again, you're really stretching to poke holes in my advice for some unknown reason. I could walk into your brick and mortar store with my real credit card, ring up $2,000 in charges, and then file a chargeback 6 months later and there would be nothing you could do about it. As long as we're stretching, let's go all the way.

 

All orders over a certain dollar amount should be mailed requiring a signature at delivery and retain a copy of that signature.

Who's to say that the person who signed is the genuine card holder, even with the credit card being physically copied on delivery

 

Nothing's to say that the person who signed is the genuine card holder, nor is it the purpose of signature at delivery. It's to show that the mailing reached the destination and was signed for by someone at that address.

 

 

even with occasional fraud. If you are a victim of fraud on a regular basis, the problem isn't the criminals, it's with your store policies. Many people here make a successful living selling online.

This is not the case as if you are known by a fraudster, they will normally inform others that you are an easy target, being an easy target is very easy if the banks make you liable even if you follow the latter advice you just gave. With low value items you are at a lower risk in terms of the amount of lost income, high value items would obviously appeal more to the criminal

 

Stop blaming others and take responsibility. If one thief makes a successful order where everything seems right and you get stung, take it as a live and learn situation and know that it was part of the risk of running an online business. But if they send their friends calling and you actually ship orders to all of their friends, at that point it's simply incompetence. There would be no online stores if it was as grave as you describe.

[Guest]

Except that you're poking holes in the security of accepting cards in a brick and mortar store as well. You must assume some risk in order to run a successful business. There is no way to remove 100% of the risk of accepting credit cards, even in person.

 

In the u.k. a chip and pin (customer present transaction) removes liability from the retailer to the bank. If you get a chip and pin on the day of delivery you remove liability from yourself as a retailer.

 

I could walk into your brick and mortar store with my real credit card, ring up $2,000 in charges, and then file a chargeback 6 months later and there would be nothing you could do about it.

 

I would'nt have to do anything about it as a customer facing transaction within almost all u.k. shops require a chip and pin and the bank would take responsibilty unless the goods were damaged or there was a problem with the service.

 

 

Nothing's to say that the person who signed is the genuine card holder, nor is it the purpose of signature at delivery. It's to show that the mailing reached the destination and was signed for by someone at that address.

What good is this if the genuine customer makes a chargeback on the non receipt of items claim

 

 

take it as a live and learn situation and know that it was part of the risk of running an online business.

I have learnt that online transactions offer no guarantee of payment, and as such its like putting your wallet in the trust of a stranger, you may not get your money and the person you trusted may walk away with your wallet.

 

But if they send their friends calling and you actually ship orders to all of their friends, at that point it's simply incompetence. There would be no online stores if it was as grave as you describe.

 

I don't know your friends and you don't know mine, the internet world is vast.

 

 

Again, you're really stretching to poke holes in my advice for some unknown reason.

 

The reason I am picking holes is to help myself and others, I am not too proud to admit if I've over estimated the credit card fraud problem. If you were to offer a solution to prevent this sort of fraud that was'nt open to chance then I would appreciate it.

 

Just to add; google are offering a free card proccessing system that covers you against chargebacks (in the advert) although their terms and conditions are the same as other banks for chargebacks.

 

Anyone know of ways of insuring or covering retailers from chargebacks for the u.k.?

[Guest]

Anyone know of ways of insuring or covering retailers from chargebacks for the u.k.?

 

Did not receive Item fraud

To clarify: I need to prove the customer received an item. So if there is any postal insurance (u.k.) or a merchant provider that will accept a signature as 100% proof of delivering the item to the buyer, therefore 100% cover agianst this type of fraud, whether that means any extra proof required. I just want to remove the liability of a claim that the item was not delivered if I have the signature that states someone has signed for the item from that address.