RE: [registrars] DECENT SIZE ISSUE: Credit Card Proposal - SUMMARY
Hi,
I run a payment gateway company, and have written several routines for
fraud detection and risk mitigation. All the patterns you speak of work
well to detect REPEAT fraud. But there is enough NEW fraud taking place
on a daily basis, which in itself is tough to handle. While I'm typing
this email I'm looking at another two chargebacks that have just come
in. In terms of management time, and effort and direct expenses spent on
fraud chargebacks, we just DON'T make any money :(

We have far more advanced fraud detection mechanisms than you do,
however the important aspect is that they cost far more than the ability
to be able to delete a name directly and obtain a refund less some
charges. I would sleep easier at night, and would be more confident
about advertising and accepting credit cards.
Best Regards
Bhavin Turakhia
Founder, CEO & Chairman
Directi
----------------------------
Tel: 91-22-26370256 (4 lines)
Fax: 91-22-26370255
http://www.directi.com
----------------------------
> -----Original Message-----
> From: owner-registrars@dnso.org
> [mailto:owner-registrars@dnso.org] On Behalf Of Doktor Gurson
> Sent: Tuesday, February 25, 2003 2:34 PM
> To: tim@godaddy.com
> Cc: bhavin.t@directi.com; registrars@dnso.org;
> cgomes@verisign.com; michael@palage.com
> Subject: Re: [registrars] DECENT SIZE ISSUE: Credit Card
> Proposal - SUMMARY
>
>
> Hello All,
>
> I am new to the list, so I apologize in advance if this idea has
> already been discussed.
>
> This is not a solution to the overall problem and I don't believe
> receiving a credit from the Registry will solve all our problems
> either. The truth of the matter is even if we were to get a credit
> from the Registry, we will still get hit with a charge back fee.
> Registrars can significantly reduce the amount of fraud by simply
> implementing some precautionary measures. Here are some ideas I would
> like to share that have worked well for us.
>
> 1) Use AVS to ensure the billing contact information matches what is
> on file with the bank. Once you have verified the address you can then
> get a geo-location based on the IP address of the system being used to
> submit the order and compare the two. So, if someone is in India,
> trying to use the credit card of someone based in the US, it will be
> rejected. After we implemented this strategy our fraud level dropped
> substantially.
>
> 2) Don't give fraudsters the opportunity to try credit cards until one
> finally works. If the client uses 10 different credit cards which are
> being declined then that order should be flagged for review or denied.
>
> 3) Keep a local DB of e-mails, credit card numbers, and IP addresses of
> fraud that can then be used to spot fraudulent transactions in the
> future. We have found it best to pend the transaction then void it
> out, otherwise they will keep trying things.
>
> These are strategies that have worked for us, so I wanted to share
> these ideas with you all.
>
>
> Regards,
> Doktor Gurson
>
>
> At 09:48 PM 2/24/2003, Tim Ruiz wrote:
> >Bhavin,
> >
> >What I was trying to point out is that we can't have our cake and eat
> >it too. If the registries provide a refund option then I believe
> >registrars will be expected to delete any name that payment is charged
> >back for. Your suggestion that it be the registrar's choice is having
> >our cake and eating it too. I don't think we'll get away with that for
> >long.
> >
> >In fact, if we discover fraud on day 70 I think there may be those who
> >will expect those domains to be deleted as well. I think we need to
> >have some foresight about the result of what we are asking, and be
> >willing to accept consequences.
> >
> >Also, I don't think the registries can help us "combat fraud." What we
> >are asking them to do is to assume some of the risk of fraud while
> >relying on us to combat it. Trying to see their side of it, I could
> >understand their hesitation since a refund policy could easily be
> >abused and possibly result in some registrars being less vigilant.
> >
> >Don't get me wrong, I am on board with the general idea here. I think
> >the best course of action at this point would be to prepare a letter
> >detailing our concerns, and perhaps include some of the ideas we have
> >had thus far, and ask VeriSign (and perhaps the other gTLD registries)
> >for a meeting to discuss the issue.
> >
> >Tim
> >
> > -------- Original Message --------
> > Subject: [registrars] DECENT SIZE ISSUE: Credit Card Proposal - SUMMARY
> > From: "Bhavin Turakhia" <bhavin.t@directi.com>
> > Date: Mon, February 24, 2003 9:53 pm
> > To: "'Registrar Constituency'" <registrars@dnso.org>
> >
> >
> > There have already been 48 + 27 posts on this topic in the past week
> > (previously under the post Canceling renewals and then under Credit
> > Card Proposal). I mention this for CHUCK's benefit :) - indeed this
> > issue is significant and should be treated so by the Registry :). Here
> > are what I believe are the final summary points
> >
> > * Registrars are in consensus that fraud exists, and currently the
> >   Registrars are bearing full brunt of the same
> >
> > * Registrars are in consensus, that Registry should assist us to a
> >   certain feasible and practical extent to combat this fraud
> >
> > * Registrars with a large number of resellers agree that this is a
> >   problem that is faced by their entire Reseller chain too. (I know
> >   many of our resellers who primarily stopped accepting credit card
> >   payments for this very reason. In fact we have a Credit Card payment
> >   gateway option built into our API for resellers unlike Tucows. I
> >   know many resellers who turned this option off after facing
> >   significant fraud losses due to a SINGLE transaction). In that sense
> >   actually experiences of registrars who are small, as well as
> >   registrars who have a large number of resellers may shed more light
> >   on the subject. Especially registrars/resellers whose selling price
> >   allows an extremely low margin
> >
> > POSSIBLE SOLUTIONS I
> > ====================
> > Michael suggested that the Registry refund ALL BUT ONE domain year on
> > deletion. This was in fact suggested by me as a solution long ago too,
> > however I have since changed that from a while because of the fraud
> > patterns that I have been through since a long time now. Let's look at
> > the issues with this solution -
> >
> > * Firstly and most importantly it does not help in fraud transactions
> >   which consist of MANY ONE YEAR Registrations together. From data
> >   accumulated in the past 4 months, almost 65% of fraudulent
> >   transactions are of this type. I need a bigger data set to get more
> >   accurate statistics. There is a reason for this however. Typically
> >   the people who are transacting fraudulently for domain names (and I
> >   can guarantee that most of these fraudsters are from Indonesia ;) )
> >   are doing so NOT to buy a domain name, but to verify a card and see
> >   if it works. A domain name is a very easy and tiny amount
> >   transaction that can be performed which gives immediate results of
> >   verification. If someone obtains a fraudulent card on the Internet,
> >   the easiest way to check it is to go to a low cost registrar and
> >   register a domain name. It's instant verification for them. This is
> >   why most of these kinds of fraudsters will register many 1 year
> >   domain names with many different cards to check them out.
> >
> > * Secondly, if this were an appropriate solution, the Registry really
> >   has to do nothing. The registrar can simply register the name for a
> >   single year and explain to the customer that the balance years will
> >   be added to the account after a credit check is performed within 60
> >   days. Though this solution was suggested by Chuck, and while I
> >   personally feel it is not the right approach, because every
> >   registrar will make a different implementation out of it thus
> >   confusing the customer. However Chuck claims that if this proposal
> >   is put forward, the Registry will come back saying this is
> >   handleable at the Registrar side
> >
> >
> > POSSIBLE SOLUTIONS II
> > =====================
> > I suggested that if the domain name is deleted within 60 days a FULL
> > REFUND ought to be made, along with charging a fixed fee for the
> > deletion. Many people have mixed up this solution of mine with their
> > own aspects, thus confusing the entire issue here. So I am specifying
> > what my solution exactly entails and why
> >
> > * Firstly the 60 day figure was not chosen arbitrarily. As of today a
> >   transfer of a domain name is not allowed within 60 days. 60 days are
> >   typically enough to do a credit check, and 950%+ of chargebacks
> >   occur within 60 days. 5 days (which is the current period) is in
> >   most cases not even enough to CALL A CUSTOMER up if required.
> >
> > * Secondly the amount was chosen with care too. If the domain name is
> >   deleted within 30 days (after 5 days) the registry should charge a
> >   fee of $1, and if deleted within 60 days it should charge a fee of
> >   $2. Anything more than this would be inappropriate as this fee has
> >   been calculated as TWICE the normal pro-rata fee that that period
> >   should apply. Michael came up with an alternative figure of $3,
> >   where he states that $2 should be given as an extra fee to VeriSign
> >   for a manual process of deletion. Michael, what you need to
> >   understand here is we are not asking VeriSign to change anything or
> >   do anything extra. By changing the deletion grace period logic from
> >   5 to 60 days, there is NO RECURRING EXTRA WORK BURDEN on VeriSign
> >   after it is implemented. Therefore a fee of TWICE THE standard
> >   PRO-RATA value more than covers their cost. After all I doubt
> >   VeriSign intends to make profits on registrar chargebacks. At this
> >   fee they are already making twice the standard amount on the DNS
> >   entry in the registry.
> >
> > * Thirdly, Tim stated, that a policy like this would then require a
> >   registrar to delete a name. I do not know where this stems up from.
> >   My concept is quite simple actually. I am simply extending the
> >   deletion grace period to the same period as the registry has put for
> >   the ADD TRANSFER BLOCK. If a Registrar deletes a name between this
> >   time he gets a refund less the one-off charge. If the registrar DOES
> >   NOT delete the name, he gets to keep it and do whatever he chooses
> >   to.
> >
> >
> > Basically to me, SOLUTION II seems more feasible, because it allows us
> > to prevent 95% of the fraud at a low cost to us and practical/feasible
> > for the Registry.
> >
> > Best Regards
> > Bhavin Turakhia
> > Founder, CEO & Chairman
> > Directi
> > ----------------------------
> > Tel: 91-22-26370256 (4 lines)
> > Fax: 91-22-26370255
> > http://www.directi.com
> > ----------------------------
>
>
>
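
An added example, not part of the original e-mails and not any poster's own code, of the three screening measures listed in Doktor Gurson's message above: AVS plus a billing-country/IP-country comparison, a limit on distinct declined cards per client, and a local fraud DB with pend-then-void. The class and field names, the threshold of 3, and keying a client by IP address are assumptions; the sample orders are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_DECLINED_CARDS = 3  # assumed threshold; tune to your own decline data

@dataclass(frozen=True)
class Order:                 # hypothetical record; fields are assumptions
    email: str
    ip: str
    card_id: str             # keyed hash or processor token, never the raw number
    avs_match: bool          # AVS result reported by the card processor
    billing_country: str     # country of the AVS-verified billing address
    ip_country: str          # geo-IP result for the submitting address

class FraudScreen:
    def __init__(self):
        self.known_fraud = set()           # local DB of e-mails, cards, IPs
        self.declined = defaultdict(set)   # client IP -> distinct declined cards

    def record_decline(self, order):
        self.declined[order.ip].add(order.card_id)

    def record_fraud(self, order):
        self.known_fraud |= {order.email.lower(), order.ip, order.card_id}

    def screen(self, order):
        """Return (decision, reasons) for one incoming order."""
        if {order.email.lower(), order.ip, order.card_id} & self.known_fraud:
            # Pend and void later, so the submitter gets no instant signal.
            return "pend_then_void", ["matches local fraud DB"]
        if not order.avs_match:
            return "reject", ["AVS mismatch"]
        if order.billing_country != order.ip_country:
            return "reject", ["billing country differs from IP country"]
        if len(self.declined.get(order.ip, ())) >= MAX_DECLINED_CARDS:
            return "review", ["too many declined cards from this client"]
        return "accept", []

if __name__ == "__main__":
    screen = FraudScreen()
    # Constructed sample orders (documentation IP ranges, made-up tokens).
    for n in range(3):
        screen.record_decline(Order("c@example.com", "203.0.113.5", f"tok-{n}", True, "US", "US"))
    print(screen.screen(Order("c@example.com", "203.0.113.5", "tok-9", True, "US", "US")))
    print(screen.screen(Order("b@example.com", "198.51.100.7", "tok-b", True, "US", "IN")))
```
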