Best credit card and bank payment options?



mikehende
06-10-2015, 02:29 PM
Hey guys, is there any safe way to accept CC directly to avoid fraud? I mean is it enough to have a buyer's shipping address match his billing address?

Also, is there any such thing as Bank to bank "escrow"? Someone told me too that ACH bank wire offers protection for a seller?

Harold Mansfield
06-10-2015, 02:56 PM
Hey guys, is there any safe way to accept CC directly to avoid fraud? I mean is it enough to have a buyer's shipping address match his billing address?

Also, is there any such thing as Bank to bank "escrow"? Someone told me too that ACH bank wire offers protection for a seller?

None of it is completely safe from fraud. All are basically secure, but no payment option can protect you from fraudulent clients who file false complaints, charge backs, or cancel checks.

You can use many options to take credit cards from your own bank to solutions like Pay Pal, Authorize.net, Square and so on.

You can use Escrow.com for money transfers. It's a step by step process where both parties agree at different stages that the transaction is going as planned before funds are released or sent.

This question would be easier to answer if we knew how you will be collecting payments? On a website? Direct invoicing? Mobile? How do you need to use it?

mikehende
06-10-2015, 03:18 PM
We have a merchant account set up with paypal and we used to have our own virtual terminal to accept CC directly, but with our previous business, due to purchases from stolen cards, we stopped accepting CC directly, so protection against receiving payment from stolen cards is the issue. Some folks want to pay us by direct CC and not via Paypal and others wish to pay via Bank to bank but they want security for their money so I am looking into options for them where bank to bank is concerned. They don't want Letter of Credit because that takes way too long.

billbenson
06-10-2015, 03:20 PM
This question would be easier to answer if we knew how you will be collecting payments? On a website? Direct invoicing? Mobile? How do you need to use it?

I agree with this. Also, after a while you get a feel for fraudulent purchases. I've gone as far as not sending product for a month until I'm sure the card is good on a suspect purchase.

mikehende
06-10-2015, 03:30 PM
This question would be easier to answer if we knew how you will be collecting payments? On a website? Direct invoicing? Mobile? How do you need to use it?

Please let me know if I haven't answered the above question in my last post?

Harold Mansfield
06-10-2015, 03:48 PM
Please let me know if I haven't answered the above question in my last post?

Kind of simplify it for us. Is this a brick and mortar store, ecommerce, or are you providing services? What kind of services/average transaction amount?
Are you physically running cards on your own terminal or sending invoices?

mikehende
06-10-2015, 04:00 PM
Ecommerce wholesaling electronics. Different products selling for between 400-1500. We don't use the terminal anymore since the fraudulent transactions with the previous business but since some people are now asking for it this is why we are looking into this again.

Harold Mansfield
06-10-2015, 04:25 PM
Ecommerce wholesaling electronics. Different products selling for between 400-1500. We don't use the terminal anymore since the fraudulent transactions with the previous business but since some people are now asking for it this is why we are looking into this again.

First things first, I wouldn't take credit cards over the phone for an eCommerce site. This is the easiest way to get defrauded, ESPECIALLY with electronics and international customers. Most knowledgeable people who shop online trust the security of known online payment systems more than they trust giving their number over the phone. Also, if necessary you can trace an online transaction back to an IP address.

I can't say this loud enough. DO NOT take credit cards over the phone for ecommerce transactions. There is A LOT of fraud going around right now. I get suspicious calls from people asking if I take CC's over the phone. When I say no it's a Pay Pal invoice which is more secure, they want to insist that they be able to pay the least secure way and give me a card number over the phone. This is clearly an attempt to pull some kind of fraud. I've gotten some warnings from Pay Pal and Angie's List about it.

If there's a problem using your site or the check out process needs to be simplified, then work on that. Don't compensate by taking cards manually.
Also Pay Pal isn't the only option you can offer. You can offer multiple payment processing options. I know a lot of people still don't comprehend that you don't need a Pay Pal account to pay through Pay Pal, so sometimes having more than one option helps.

My advice is to make sure your check out process is efficient, and that doing business on your site is easy. Fine tune your ecommerce operation so that it works seamlessly.

For people who insist on paying by giving you a credit card manually, suggest escrow.com. If they are against that then they are up to something and I wouldn't trust doing business with them.

billbenson
06-11-2015, 02:55 AM
First things first, I wouldn't take credit cards over the phone for an eCommerce site. This is the easiest way to get defrauded, ESPECIALLY with electronics and international customers. Most knowledgeable people who shop online trust the security of known online payment systems more than they trust giving their number over the phone. Also, if necessary you can trace an online transaction back to an IP address.

I can't say this loud enough. DO NOT take credit cards over the phone for ecommerce transactions. There is A LOT of fraud going around right now. I get suspicious calls from people asking if I take CC's over the phone. When I say no it's a Pay Pal invoice which is more secure, they want to insist that they be able to pay the least secure way and give me a card number over the phone. This is clearly an attempt to pull some kind of fraud. I've gotten some warnings from Pay Pal and Angie's List about it.

If there's a problem using your site or the check out process needs to be simplified, then work on that. Don't compensate by taking cards manually.
Also Pay Pal isn't the only option you can offer. You can offer multiple payment processing options. I know a lot of people still don't comprehend that you don't need a Pay Pal account to pay through Pay Pal, so sometimes having more than one option helps.

My advice is to make sure your check out process is efficient, and that doing business on your site is easy. Fine tune your ecommerce operation so that it works seamlessly.

For people who insist on paying by giving you a credit card manually, suggest escrow.com. If they are against that then they are up to something and I wouldn't trust doing business with them.

This is really industry dependent. I take credit cards over the phone all day long, but I require that customer email me with the ship to and bill to info and state in the email that this is an order. I don't really know if this constitutes a legal agreement, but it certainly is a step in that direction. I just plain don't have that much fraud and it's usually obvious in the email. I've been at this a long time though.

For example, I have taken international cc orders when the email is shell.com. If it has bad English, is in all caps, or doesn't use terminology that a purchasing agent would use I delete it.

mikehende
06-11-2015, 06:54 AM
I require that customer email me with the ship to and bill to info and state in the email that this is an order.

This is basically what I need to know, is there any chance of using a stolen card when a customer provides ship and bill info which matches? Or what else can I do to know if the card belongs to that person?

turboguy
06-11-2015, 09:59 AM
This is really industry dependent.

I think Bill makes a good point here. One of the things that has surprised me on this forum is the concern many have over accepting credit cards. We probably do 1000+ credit and debit card transactions a year totaling a million or so and have virtually no problems. One factor may be that what we sell is pretty specialized and not something that would be easy to scam us to get and list on Craig's list to get cash. We are mostly selling to landscapers, contractors, cities, golf courses and schools rather than the general public. If I was selling iPads then there might be more risk.

I can only think of one problem we had last year which was a guy who wanted to return one of our machines with no good reason. We told him that we would refund 100% of the selling price less freight and he had paid with a credit card. We mailed him a check for a full refund which he cashed. A month later we got a notice from the credit card company that he had claimed he had returned the merchandise and we never issued a refund to his credit card. We sent a copy of the check and the matter was dropped. The only other issue we run into is when they use a debit card for a large transaction we may have to take out the money in part each day over several days because of a limit.

It has been virtually trouble free for us. We do begrudgingly take PayPal when necessary but usually it is the mainstream credit cards and once in a long while Discover.

Harold Mansfield
06-11-2015, 11:46 AM
This is basically what I need to know, is there any chance of using a stolen card when a customer provides ship and bill info which matches? Or what else can I do to know if the card belongs to that person?

Nothing is 100%. Identity thieves typically have all the information they need. When stolen card numbers are sold they typically include all of the identifying information that accompanies it. If they can get your card number, getting your address is pretty easy in comparison.

All you can do is what is required by the credit card companies to ensure that you are following the rules. You can't stop credit card fraud.

In a perfect world you'd be in front of the person and can ask for multiple forms of ID, but even brick and mortar merchants don't do that.

In my opinion the risk is higher when taking the card over the phone. In your industry. Not for everyone. But for you, selling electronics, you're one of the main targets of credit card fraud.

Respectfully Bill is in a different industry. Not sure what he sells, but it's probably not something that is big on the black market like electronics are.

If it's completely avoidable because you just have that many people calling in orders, then speak with your card processor and clearly understand what information they require so that you are covered. That's all you can do. You can't stop other people from committing fraud.

I still say in these situations where you're constantly worried about fraud, your best option is escrow. Thieves won't want to go through the trouble of that much verification, and honest people will respect the safety of using it.

I can't imagine why you would have so many people wanting to call in credit card numbers if your eCommerce site is set up correctly. It's just not natural. I'm suspicious about why that is. But then again I'm suspicious of abnormal financial transactions.

What problem are people having shopping on your site?

By the way, what country are you in?
Where are the people who want to give credit cards over the phone typically located?
What is their reasoning for not just using the site to place an order?

mikehende
06-11-2015, 12:02 PM
I can't imagine why you would have so many people wanting to call in credit card numbers if your eCommerce site is set up correctly. It's just not natural. I'm suspicious about why that is. What problem are people having shopping online on your site?

By the way, what country are you in?
Where are the people who want to give credit cards over the phone typically located?
What is their reasoning for not just using the site to place an order?

After all of the fraudulent transactions last year, we had deactivated the ecommerce terminal, since we are now starting new again, we will reactivate. I have begun to do some basic marketing which is why the emails are coming in with the CC option request, seems no one wants to do paypal. We are in NY, the requests are coming from both in and out of the US.

Harold Mansfield
06-11-2015, 12:18 PM
After all of the fraudulent transactions last year, we had deactivated the ecommerce terminal, since we are now starting new again, we will reactivate. I have begun to do some basic marketing which is why the emails are coming in with the CC option request, seems no one wants to do paypal. We are in NY, the requests are coming from both in and out of the US.

Ah. I see. It sounds like there was a hole in the process and you were targeted by a group that knew how to exploit it. That makes a lot more sense. Online shopping is generally pretty safe, but thieves are always looking for an opening and smaller operations get hit the most. Once they find a lick (an easy exploit) they keep going back until you close it.

I don't know how you were handling payments before, but I'd stick with the leaders in the industry for online payment processing. Google, Amazon, and Pay Pal have it down to a science. People balk at the fees, but the tools, security and support for merchants are worth it to me.

I'd say it's best to speak with a specialist from your processing company to determine what the problem was before and how to correct it.

mikehende
06-11-2015, 12:30 PM
We were using authorize.net and they could do nothing to prevent people purchasing with stolen cards.

Harold Mansfield
06-11-2015, 12:36 PM
We were using authorize.net and they could do nothing to prevent people purchasing with stolen cards.

There's not really much they can do if all of the information is correct and the card hasn't been reported stolen.
Talk to some other processors like the ones I named and see what their policies are and what protections they have in place for you.
I would think the biggest issue is whether or not they have fraud investigation or insurance and that you're not the one eating the cost or losing the money.

billbenson
06-11-2015, 12:40 PM
A lot of my customers have corporate cards and they don't know the correct bill to for the card. My cc processor allows me to take the card with the wrong address information and I do. The code on the back and expiration date are more important IMO.

Beyond that, after a while you just get a feel for it as I said above. Honest people walk the walk and talk the talk.

billbenson
06-11-2015, 12:49 PM
Harold, there used to be a site that would tell you what bank the card was issued from. That is now illegal, so there is no way other than waiting to see if the card is stolen unless it is declined by your cc processor. Even then, it may just be declined for some other reason.

I did see a guy take a $60k order once spread across several cards. It was a no brainer though that it was fraud. I don't know why the guy wasn't fired.

mikehende
06-11-2015, 01:36 PM
I would think the biggest issue is whether or not they have fraud investigation or insurance and that you're not the one eating the cost or losing the money.

That's a great suggestion, I will look into if our processor offers insurance and will get back to you on this, thanks!

turboguy
06-11-2015, 02:45 PM
I did see a guy take a $60k order once spread across several cards. It was a no brainer though that it was fraud. I don't know why the guy wasn't fired.

We have had a lot of orders where they spread a large amount (not as large as yours though) over a few credit cards. Most credit cards other than AMEX have credit limits. I never gave it a second thought and was wondering why you seemed to feel it was an obvious sign of fraud?

Everyone seems to be a bit leery of taking credit card orders over the phone. We probably have about 80% of our credit card orders that come in as phone orders. For us the machines we make are mostly in the $4,000 to $20,000 range and people feel more comfortable calling and talking to someone about the units, freight, delivery time and so forth. About 15% of our credit card sales are online. Mostly those are parts or supplies. The remaining 5% are walk ins. We do pay a bit higher fee because we are not swiping the cards (that is an odd term if you think about it, "swiping the cards").

mikehende
06-11-2015, 03:07 PM
I don't think any processor offers insurance for fraudulent transactions, insurance will need to be done via business insurance. I am dealing with a guy right now in CA, his business title shows as .LLC, the tax id he gave shows P5067.... Looks like he does not have an EIN or Articles of Incorporation. I have never seen a tax ID start with a letter or have only 8 numbers?

billbenson
06-11-2015, 03:56 PM
Swiping cards :)

If your purchases are in that price range and domestic, purchasing people will act like purchasing people and engineers will act like engineers. They will know the proper abbreviations for terms in their industry like RFQ or PO. It seems like you are talking to most people except for the piece part orders. How much fraud are you actually having?

When I see an email that is in all caps or talk to a professional who doesn't recognize the above terms it's an immediate red flag. I also go to their domain frequently to see if they are a real company. Even a lousy website with a bunch of Flash videos says that they are a real company. Real companies don't use stolen cc. If it's an expensive website, even if it sucks, they are probably real.

I also sell to consumers who speak bad English. They typically buy a less expensive product though, so my risk is limited. I don't recall ever being screwed over by one of them. Bubba in LA. I even get people who have their wives call me because they don't know how to use a computer.

The ones I walk away from are the huge order. But they are always terms orders and I get underbid. I'm not going to quote a $100k order on a 2% markup. The risk is too high.

So are you having a lot of fraudulent purchases?

billbenson
06-11-2015, 04:02 PM
I don't think any processor offers insurance for fraudulent transactions, insurance will need to be done via business insurance. I am dealing with a guy right now in CA, his business title shows as .LLC, the tax id he gave shows P5067.... Looks like he does not have an EIN or Articles of Incorporation. I have never seen a tax ID start with a letter or have only 8 numbers?

I don't look at EIN numbers, but this is a good example of looking for things out of the norm. Good post, mikehende.

turboguy
06-11-2015, 04:24 PM
Well, Bill I don't get any at all. That is why I was a bit surprised that this was a big issue for many people. I do get emails from Nigeria wanting to buy our product with pretty much cut and paste generic info which I just delete but we haven't had a bit of problem.

billbenson
06-11-2015, 04:31 PM
Well, Bill I don't get any at all. That is why I was a bit surprised that this was a big issue for many people. I do get emails from Nigeria wanting to buy our product with pretty much cut and paste generic info which I just delete but we haven't had a bit of problem.

exactly ------------------

Harold Mansfield
06-11-2015, 05:00 PM
I don't think any processor offers insurance for fraudulent transactions, insurance will need to be done via business insurance.

Maybe insurance was the wrong word to use. Different companies have different buyer and seller protection rules for fraudulent transactions. They are generally pretty cut and dry for physical products. Services not so much.

Even if a stolen credit card is used, you are shipping to a physical address which can be investigated.

Another way you can stop people in their tracks is to check their IP address. If they're giving you a New York address but their IP says they're in Russia, ask them about it and see what the response is.

Sometimes you can also Google search names, usernames, and email addresses and something may pop up that others who've been scammed before post online.
Free email addresses are used by scammers all of the time, but a lot of honest people use them too so that's not always a determiner. But scammers will use the same email address multiple times before they burn it. The lazy ones will use the same one for weeks or months.

billbenson
06-11-2015, 07:41 PM
Sometimes you can also Google search names, usernames, and email addresses and something may pop up that others who've been scammed before post online.
Free email addresses are used by scammers all of the time, but a lot of honest people use them too so that's not always a determiner. But scammers will use the same email address multiple times before they burn it. The lazy ones will use the same one for weeks or months.

This is good advice. It used to be that the Nigerian scam emails always used Yahoo free email addresses. No idea why. A lot of B2B clients use gmail today. Some use other free email services but mostly gmail. I think gmail is perceived as more professional. Also, workers get frustrated with overzealous IT people stripping off attachments and html. This is a good argument to be mobile device compliant. I certainly have had customers ask me to send quotes or pdf's to their free account or mobile device because it took too long to get through corporate servers or it ended up in server spam or without attachments.

Frequently, I will have a customer send me an email to respond to to avoid the above issues. If you are responding to a customer email it is less likely to end up in server spam. You also are more likely to get a real email than a free email. This will usually get you the company domain so you can research them a bit.

What I don't like is customers responding to website form emails. I have one on my site which gets a lot of traffic. The problem is I don't get a lot of the information than if someone replies to a mailto with Outlook. Usually with Outlook or whatever email program they have set up on their computer, you will end up with a signature already attached. With a form, they have to manually fill this info out and they rarely do. I at least want their company name, name, phone, and direct email.

Also, at least in my case, a form email will always have the same subject. I'm hesitant to mark these as spam for fear that my spam filter will send them all to junk. I don't know if this would happen or not.

Harold Mansfield
06-11-2015, 07:57 PM
I have a serious pet peeve and I've expressed it many times, I don't take businesses who communicate with me via free email addresses seriously and I am immediately suspicious of them until I know better. I almost always delete emails from free accounts with any kind of business in the subject line. 99% of them are spammers. Block one address and they spam you again from a completely different free email address.

A personal or branded email is just instantly credible to me.

Very few will go through the trouble of buying a domain for scam emails because the registration is much harder, and it's easier to have them blacklisted. You can't blacklist gmail.com.

billbenson
06-11-2015, 08:06 PM
On a lighter note, a few years back I went along with a Nigerian email that I was sure was fraud. I told them the product had shipped and played them for a month. At the end, I told them that it was sitting in customs but that I stopped the processing in customs because one of the several credit cards they were using wouldn't go through. They gave me another cc number.

After that, they eventually threatened to call the FBI for fraud on my part. I responded by saying 'we are the FBI and we've been watching you' and I never heard from them again.

Of course I never processed a credit card or shipped product.

billbenson
06-11-2015, 08:17 PM
I have a serious pet peeve and I've expressed it many times, I don't take businesses who communicate with me via free email addresses seriously and I am immediately suspicious of them until I know better. I almost always delete emails from free accounts with any kind of business in the subject line. 99% of them are spammers. Block one address and they spam you again from a completely different free email address.

A personal or branded email is just instantly credible to me.

Very few will go through the trouble of buying a domain for scam emails because the registration is much harder, and it's easier to have them blacklisted. You can't blacklist gmail.com.

You aren't really contradicting what I said. We are in very different industries and the triggers are going to be different for fraud or bad clients. Also, we are out of desperation mode. We are both making money and I'm pretty sure we both can fill a complete or extended workday with the business we have.

The same isn't true for someone just starting out. You need to find business and you need to examine every opportunity. If you are young or desperate, it may be worth the risk in taking a questionable order. I certainly have over the years.

Harold Mansfield
06-12-2015, 09:44 AM
Here's the anatomy of an actual credit card scam. I figure since we're talking about it, may as well post it up so that others can find it in search and don't get taken.

A few months back I reported a scammer that was going around one of the review sites that I'm on. They're back and they contacted me again 2 days ago, obviously forgetting that they tried to scam me 3 months ago.

What they do is contact people for web design services. When you respond they give you the details of what they want, tell you they have a $4k-$8k budget and are eager to get started right away.

They portray themselves as an established business, yet are contacting you with a gmail address - Warning sign #1
They spell their own name (Loiuse) incorrectly - Warning sign #2

This is from the actual email that I got from them yesterday. It's the same email as 3 months ago, they just changed TX to TN:


Thanks for your swift response and i will be very happy to work with you..

Here is the job details

i have small scale business which i want to turn into large scale business now it located in TN and the company is based on importing and exporting of Agriculture products such as Kola Nut, Gacillia Nut and Cocoa so i need a best of the best layout design for it. Can you handle that for me ?. so i need you to check out this site but i need something more perfect than this if its possible .[removed] should include hosting and i want the same page as the site i gave you to check out and i have a private project consultant, he has the text content and the logos for the site.
Note:
1. I want the same number of pages with the example site i gave you to check excluding videos and blogs.
2. I want only English language
3. I don't have a domain yet but i want the domain name as [removed]
4. you will be updating the site for me.
5. i will be proving the images, logos and content for the site.
6. i want the site up and running before ending of next month.
7. My budget is $4000 to $8000


Trying to entice you with budget on the first email. Warning sign #3

Here's where they are setting you up for the CC scam


Kindly get back to me with:
(1) an estimate
(2) your cell phone number
(3) And will like to know if you are the owner ??
(4) Let me know if you can run my credit card mauanlly
Thanks and hope to read from you ASAP

Warmest Regards

"And will like to know if you are the owner ??"
"Let me know if you can run my credit card mauanlly"- warning sign #4 and #5 and final warning.

I already played with them back in March, so I know the scam.

First of all, no matter what kind of proposal you send, no matter the price..they agree and want to get started right away.
The reason they're asking to run the card manually is because they're going to give you a sob story about how their graphic designer is not set up to accept credit cards.

Here's the actual response from when I communicated with them in March:


Thanks for your response, i am okay with the estimate and i wanna proceed so i will be depositing $3000 using credit card so work can commence ASAP, i understand the content for this site would be needed so as for the job to commence so regarding the content i will need a Lil favor from you and the reason i need this favor from you is because the consultant does not have the facility to charge credit cards and i also am presently in the hospital for surgery so i will be glad if you can help me out with this favor.

The favor i need from you is. i would give you my card info's to charge for $5600. so $3000 would be a deposit payment for my website design and the remaining $2500 you would help me send it to the project consultant that has the text content and the logo for my website so once he has the $2500 he would send the text content and logo needed for my website to you also the funds would be sent to him via cash deposit into his account, sending of funds would be after funds clears into your account and also $100tip as form of Gratitude towards the Job.


Of course I now know it's a scam, so here's my response:


Hi Loiuse,
Sorry for the delay, I got swamped yesterday.
That sounds great, looking forward to getting started.

Send me your Credit card number and please include:


Your Full Name
Your phone number
The billing address for the credit card
Name of your company
Expiration date
3 digit code on the back.

Once the charge has cleared, I’ll send you your confirmation number.
Also tell me which hospital you’re in so that I can send a get well card :)

And then send me all the information for your consultant so that I may transfer the funds, including:



Full Name
Full address
Name of Bank
Routing Number
The name of their business
Their phone number

I assume since you’re in Texas this will all be American information, local phone numbers, addresses and will be an American bank, correct?
As soon as you get this information to me, we can get started.
Thanks again, looking forward to working with you.


And I never heard from them again, until they popped up again 2 days ago starting all over again.
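Added example, not part of any forum post: the warning signs named in this thread (free-mail sender claiming to be a business, a request to run the card manually, a charge larger than the agreed amount with the remainder passed to a third party, IP country not matching the stated location) combined into one screening function. The weights, threshold, field names and provider list are assumptions made for the example, and `ip_country` is assumed to be resolved elsewhere.

```python
import re
from difflib import SequenceMatcher

# Assumption: short illustrative list, not a complete set of free-mail providers.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Assumption: weights and threshold are illustrative; the thread gives no scoring.
WEIGHTS = {
    "free_mail_sender": 1,      # weak alone: honest buyers use free mail too
    "ip_country_mismatch": 2,   # stated location and IP country disagree
    "manual_card_request": 3,   # asks the merchant to key the card in by hand
    "overpayment_forward": 4,   # charge more, pass the rest to a third party
}
HOLD_AT = 3

AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")
FORWARD_RE = re.compile(r"\b(send|forward|transfer|wire)\b.{0,80}\bto\b", re.I | re.S)


def asks_manual_card(body):
    """True if one sentence mentions a card and a word close to 'manually'.

    Fuzzy matching catches misspellings such as 'mauanlly' in the quoted email.
    """
    for sentence in re.split(r"[.?!\n]+", body.lower()):
        words = re.findall(r"[a-z]+", sentence)
        if "card" not in words:
            continue
        for w in words:
            if w.startswith("m") and SequenceMatcher(None, w, "manually").ratio() >= 0.8:
                return True
    return False


def overpayment_forward(body, agreed_amount):
    """True if the largest dollar figure exceeds what was agreed and the
    message also asks for money to be sent on to someone else."""
    amounts = [int(a.replace(",", "")) for a in AMOUNT_RE.findall(body)]
    return bool(amounts) and max(amounts) > agreed_amount and bool(FORWARD_RE.search(body))


def screen_inquiry(msg):
    """Return (flags, score, action) for one inbound order inquiry."""
    flags = []
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL and msg.get("claims_business"):
        flags.append("free_mail_sender")
    ip, claimed = msg.get("ip_country"), msg.get("claimed_country")
    if ip and claimed and ip != claimed:
        flags.append("ip_country_mismatch")
    if asks_manual_card(msg["body"]):
        flags.append("manual_card_request")
    agreed = msg.get("agreed_amount")  # None until the merchant has quoted a price
    if agreed is not None and overpayment_forward(msg["body"], agreed):
        flags.append("overpayment_forward")
    score = sum(WEIGHTS[f] for f in flags)
    return flags, score, "hold" if score >= HOLD_AT else "proceed"


# Bodies 0 and 1 are abridged from the scam emails quoted in the post above.
# Senders, countries and messages 2 and 3 are constructed for this example.
SAMPLES = [
    {"sender": "buyer1@gmail.com", "claims_business": True,
     "claimed_country": "US", "ip_country": None, "agreed_amount": None,
     "body": "My budget is $4000 to $8000\nKindly get back to me with an estimate. "
             "Let me know if you can run my credit card mauanlly"},
    {"sender": "buyer1@gmail.com", "claims_business": True,
     "claimed_country": "US", "ip_country": None, "agreed_amount": 3000,
     "body": "i would give you my card info's to charge for $5600. so $3000 would be "
             "a deposit payment and the remaining $2500 you would help me send it to "
             "the project consultant"},
    {"sender": "purchasing@customer.example", "claims_business": True,
     "claimed_country": "US", "ip_country": "US", "agreed_amount": 1200,
     "body": "Please send the quote for 3 units to this address. "
             "We will pay the $1200 by card through your checkout."},
    {"sender": "buyer2@gmail.com", "claims_business": True,
     "claimed_country": "US", "ip_country": "RU", "agreed_amount": None,
     "body": "We would like pricing on 10 units shipped to New York."},
]

if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES):
        print(i, *screen_inquiry(sample))
```
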

PhoenixLegalNYC
07-01-2015, 09:55 AM
Here is a detailed answer for you. A few years back merchant processors started forcing merchants to become PCI-DSS compliant. The fee is approximately $100 a year and you have no choice but to sign up. Failure to be PCI compliant will result in monthly fees. Approx $10 a month if you don't keep credit card transactions secure. I deal with a lot of businesses that take credit card payments via client filling out a paper form or over the phone, which is not PCI-DSS compliant. My strongest suggestion is to get an invoicing service and a payment gateway such as authorize.net, which allows you to send a direct invoice to your client. With a gateway, they give you a million options to secure the transaction. For instance, auto-verify address and fraud detection services, which are included with a gateway for free. Depending on how much you process, Square and PayPal do it well but if you process about $10k or more you'll need an actual merchant account because Square and PayPal are expensive compared to an actual merchant account.