I work for a non-profit organisation and have created an online donations page. Recently this donations page has been used to validate stolen credit card details via the process known as carding.

The way it works is that a slacker gets hold of a whole bunch of credit card details but doesn't know which numbers are good or not. So they go to a donations page and attempt a small donation ($5 or less) with the stolen card number. If the donation goes through then they can use the number for bigger purchases.

Carding can cost a non-profit a lot of money as most of these "donations" will end up being reversed and in some cases a chargeback fee will be charged by the bank.

Has anyone else had experience with this? Also, what are some ways that I could stop it?

Joel Lignier
  • Sorry, but this question is off-topic for Stack Overflow. – Phrogz Jan 13 '11 at 04:07
  • This is as good a question as many questions that are *not closed* such as ["stop spam"](http://stackoverflow.com/search?q=stop+spam) -- it is, after all (ignoring all the direct financial implications) just a form of spam. – Jan 13 '11 at 04:09
  • I think closing this question would 1) undermine the fact that *developers make systems* to process electronic payments and 2) reduce exposure of developers (who may now or later deal with accepting electronic payments) of this potential "spam-pattern". Consider the [costs](http://en.wikipedia.org/wiki/Spam_%28electronic%29#General_costs) of different *types* of spam. – Jan 13 '11 at 04:16
  • I understand that it is slightly off-topic but I am looking to implement a programmatic solution to this problem. – Joel Lignier Jan 13 '11 at 04:23

1 Answer

Off-topic, but I'll bite:

  • Don't accept "small" donations.
  • Don't accept "many" donations from the same IP address in a "short" time span.
  • Consider buying credit card fraud insurance.

What "small," "many," and "short" means is up to you.

If you're not doing this already, consider using PayPal exclusively for accepting credit cards.

> With no programming skills required, our Donate button is an easy and affordable way to start accepting donations online.
>
>   • Discounted rates for 501(c)(3) status
>   • Your donors don't even need a PayPal account
>   • Accept all major credit cards

Source

What they say about fraud protection:

> If there's one thing people know about PayPal, it's how seriously we take security. Behind the scenes, we work to help keep you and your donors safe from fraud.
>
> Automatic Fraud Screening
>
> Guard your business with our relentless fraud screens, address (AVS) and card verification (CVV2) checks, and 128-bit encryption—all included at no extra charge.
>
> PCI & CISP Compliance
>
> PayPal adheres to international PCI (Payment Card Industry) and CISP (Cardholder Information Security Program) standards for data protection. These standards are designed to help protect your business from fraud and loss of data. Because we handle the payment card information, you don't have to worry about meeting compliance standards yourself or storing your customers' sensitive financial information.

Full disclaimer: I have no affiliation with PayPal or any credit card company. I do not run, or have any first-hand experience with, an e-commerce site, nonprofit site, or any other web site which accepts electronic payments. I am not a lawyer. I'm just a programmer.

Matt Ball
  • If only I could still donate to wikileaks :-/ – Jan 13 '11 at 04:56
  • I've ended up limiting transactions to 3 attempts from the same IP in 24 hours. Also, the minimum donation amount has been set at $10. Fingers crossed. – Joel Lignier Jan 17 '11 at 00:07
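The two rules this thread converges on (a minimum amount, and a cap on attempts per IP inside a rolling window) as a constructed pre-authorization check; this is added example code, not anything from the question, the answer or PayPal, and the class name, the default thresholds and the documentation-range IP addresses are assumptions.

```python
from collections import defaultdict, deque
from decimal import Decimal


class DonationGuard:
    """Checks to run before a donation is sent to the card processor.

    Thresholds default to the values Joel settled on in the thread ($10 floor,
    3 attempts per IP per 24 hours); the class itself is an assumption.
    """

    def __init__(self, min_amount="10", max_attempts=3, window_seconds=24 * 3600):
        self.min_amount = Decimal(min_amount)
        self.max_attempts = max_attempts
        self.window = window_seconds
        # source IP -> timestamps (epoch seconds) of attempts still in the window
        self._attempts = defaultdict(deque)

    def check(self, ip, amount, now):
        """Return (allowed, reason). Every attempt is counted, including ones
        rejected for amount, so a carder cannot probe the floor for free; the
        IP cap is evaluated first so a burst is cut off regardless of amount.
        Processor declines should be fed back through check() too: a decline
        tells the carder as much as an approval does."""
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:   # expire old attempts
            q.popleft()
        q.append(now)
        if len(q) > self.max_attempts:
            return False, "too_many_attempts_from_ip"
        if Decimal(amount) < self.min_amount:
            return False, "amount_below_minimum"
        return True, "ok"


def simulate_card_testing():
    """Constructed scenario: five $1 attempts 30 s apart from one IP, a
    legitimate $25 donor from another IP, and the first IP again once the
    24-hour window has fully elapsed. Returns the reason strings."""
    guard = DonationGuard()
    t0 = 1_700_000_000  # arbitrary base time in epoch seconds
    burst = [guard.check("203.0.113.7", "1.00", t0 + i * 30)[1] for i in range(5)]
    donor = guard.check("198.51.100.4", "25.00", t0 + 60)[1]
    later = guard.check("203.0.113.7", "15.00", t0 + 24 * 3600 + 121)[1]
    return burst, donor, later
```

The window is rolling, so the fifth attempt at t0+120 s keeps the IP blocked until 24 hours after that attempt, not after the first one.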