We have observed two main fraud techniques on membership websites: individual purchases made with stolen credit card details, and bulk testing of stolen cards, carried out either manually or with automation.
During checkout, our Stripe integration supports 3D Secure (3DS) verification for European end-users and ZIP/postal code verification for the US, Canada, and the UK. We do not currently collect billing address information.
Before we ask the payment provider to perform any charge, we ask it to verify (where required) and store the payment method. We do not store sensitive payment method details on our side; the only card detail we keep is the last four digits of the card number. As part of this verification, end-users in Europe may see an authorization request for 0.00 in your site's currency (for example $0.00).
NOTE: Due to the nature of subscriptions, storing the credit card is crucial for the payment provider to support recurring charges in the future.
Individual Purchases with Stolen Cards
People might misuse subscription services by purchasing online with stolen or cloned credit cards.
The fraudster rarely holds the physical card; far more often the card details were stolen electronically.
The main risk to your business is disputes and chargebacks: when the cardholder disputes the payment, the payment provider refunds the full amount to the cardholder and charges you a dispute fee, so you lose both the revenue and the fee.
Bulk Test of Stolen Cards
Because subscription services are typically cheap, especially when they offer trial periods, fraudsters run many stolen cards through one site to learn which are still valid before using those cards for larger fraudulent purchases elsewhere. Card testers also favor websites with editable amount fields, such as gift card and donation features, which let them test cards with very small charges.
Following Stripe's recommendations, we have implemented CAPTCHA and rate limiting of charge attempts to combat this style of fraud.
To reduce chargebacks, make your customer service contact information easy to find, respond promptly, and process refunds quickly. Some cardholders contact the merchant before disputing a payment with their bank, and a timely refund avoids the dispute and its fee.
Set up Stripe's Radar for Fraud and add rules that block payments from countries where your store sees high fraud activity.
Radar for Fraud also lets you restrict specific card types. For instance, some customers have reported higher fraud activity from prepaid cards.
During an aggressive card-testing attack, set Radar for Fraud to its strictest level, then relax it progressively once the attack subsides.
Enable the rules that require ZIP code and CVC checks to pass on Stripe. Merchants are not permitted to store the CVC (PCI DSS forbids retaining it after authorization), so card details leaked in a breach of a merchant's systems usually do not include it, and a purchase made with such details is likely to fail the CVC check. The check does not help when the CVC was captured together with the card number at entry time, for example on a phishing page.
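The following Python is an added example, not code from this page or from the integration it describes. It sketches the two controls discussed above: rate limiting of charge attempts per IP address and per account (the mechanism mentioned alongside CAPTCHA), and refusing attempts whose CVC or postal-code verification did not pass. The `Attempt` record, the thresholds, and the sample traffic are constructed for illustration; the check values (`pass`, `fail`, `unavailable`, `unchecked`) follow the values Stripe reports on a card's checks, but how you obtain them from your payment-method verification step is up to your integration.

```python
"""Card-testing guard: sliding-window velocity limits plus CVC/ZIP check
verdicts, evaluated over constructed checkout attempts (illustrative only)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Attempt:
    """One charge attempt as seen by the membership site (constructed shape).

    cvc_check / zip_check use Stripe's check result values
    ("pass", "fail", "unavailable", "unchecked"); they are known before the
    charge because the payment method is verified and stored first."""
    ts: float            # seconds since epoch
    ip: str
    email: str
    card_fingerprint: str
    outcome: str         # "succeeded" or "declined" (filled in after the provider call)
    cvc_check: str
    zip_check: str


class CardTestingGuard:
    """Decide whether a charge attempt may be forwarded to the payment provider.

    Thresholds are assumptions for this example, not anyone's published config:
      * velocity: `max_attempts` attempts or `max_declines` declines from one IP
        or one account within `window` seconds block further attempts;
      * verification: attempts whose CVC or postal-code check did not pass are
        refused outright, since a leaked card dump rarely carries the CVC.
    """

    def __init__(self, window: float = 600.0, max_attempts: int = 5, max_declines: int = 2):
        self.window = window
        self.max_attempts = max_attempts
        self.max_declines = max_declines
        # key ("ip:..." or "email:...") -> (timestamp, declined?) entries in the window
        self._history: Dict[str, Deque[Tuple[float, bool]]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> None:
        q = self._history[key]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def _velocity_reason(self, key: str, now: float) -> Optional[str]:
        self._prune(key, now)
        q = self._history[key]
        if len(q) >= self.max_attempts:
            return f"too many attempts from {key}"
        if sum(1 for _, declined in q if declined) >= self.max_declines:
            return f"too many declines from {key}"
        return None

    def evaluate(self, a: Attempt) -> str:
        """Return "allow" or "block: <reason>"; call before requesting the charge."""
        if a.cvc_check != "pass":
            return f"block: cvc_check={a.cvc_check}"
        if a.zip_check != "pass":
            return f"block: zip_check={a.zip_check}"
        for key in (f"ip:{a.ip}", f"email:{a.email}"):
            reason = self._velocity_reason(key, a.ts)
            if reason:
                return "block: " + reason
        return "allow"

    def record(self, a: Attempt) -> None:
        """Record the provider's outcome for an attempt that was forwarded."""
        declined = a.outcome == "declined"
        for key in (f"ip:{a.ip}", f"email:{a.email}"):
            self._history[key].append((a.ts, declined))


def run_scenario() -> List[str]:
    """Replay a constructed card-testing burst: one IP cycling through stolen
    cards with a fresh e-mail each time (so only the IP key accumulates
    history), then a legitimate customer, then a card whose CVC was never checked."""
    guard = CardTestingGuard(window=600, max_attempts=5, max_declines=2)
    decisions: List[str] = []
    t = 1_700_000_000.0
    for i in range(4):  # constructed tester traffic, all declined by the issuer
        a = Attempt(t + i * 5, "203.0.113.7", f"t{i}@example.com", f"fp{i}",
                    "declined", "pass", "pass")
        d = guard.evaluate(a)
        decisions.append(d)
        if d == "allow":
            guard.record(a)  # only forwarded attempts have an outcome to record
    legit = Attempt(t + 60, "198.51.100.4", "jane@example.com", "fpj",
                    "succeeded", "pass", "pass")
    decisions.append(guard.evaluate(legit))
    dump = Attempt(t + 70, "198.51.100.9", "bob@example.com", "fpb",
                   "declined", "unchecked", "pass")
    decisions.append(guard.evaluate(dump))
    return decisions


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

Blocked attempts never reach the provider, so they cost no charge and no decline; counting them in the window as well would keep a persistent tester blocked for longer, at the price of locking out a shared IP (an office or campus NAT) for the same period, which is the trade-off to weigh when tuning the thresholds.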
You can request bulk deletion of the spam accounts created during a card-testing attack by opening a support ticket or emailing firstname.lastname@example.org.