While we at Chabad Management Solutions take credit card security very seriously and have implemented additional safeguards on our servers to detect and block criminals from testing their stolen credit cards on your forms, it is crucial that every merchant enable and configure Authorize.net's Advanced Fraud Detection Suite (AFDS) to add a basic level of protection.
There is no extra cost to use the Authorize.net AFDS.
Here is the scenario: A hacker discovers your website along with the Donate page. This is not very difficult to do. Google "Donate Chabad" and thousands of links will show up. Once your page is discovered, the hacker figures out how to submit directly to your donate page using an automated process (a bot). The hacker then proceeds to submit small, random donations to your site, each one testing whether a stolen card number is still live, and can run through thousands of stolen card numbers this way.
You are then left with the headache of voiding and/or refunding the charges, and hoping to be refunded the transaction fees. If you do not refund the transactions that did get charged, expensive chargebacks can follow.
As mentioned, CMS has implemented additional checks that detect bot-like activity and automatically reject such submissions before they reach your account. Additionally, we monitor for such activity and take immediate action to block the hacker's IP addresses.
However, hackers are always finding ways to get around security. It's best that you, the merchant, be protected with as many layers of security as possible while at the same time not making it difficult for legitimate donors to make donations.
WHAT YOU SHOULD DO
Use Authorize.net's Fraud Detection Suite. This valuable -- and now free -- tool allows you to do the following:
- Set an IP address velocity filter that automatically rejects excessive transactions from the same IP address.
- Set daily and hourly velocity limits: a maximum number of transactions per day and per hour.
- Set up enhanced Address Verification (AVS) controls that decline the card if the billing address and/or ZIP code do not match.
- Set up CVV handling, so the card security code is taken into account when authorizing or declining the charge.
- Regional IP address filters, which let you block whole countries (India, China, etc.) from which you never expect donations.
- Amount filter: set maximum and minimum amounts.
- Suspicious activity filter.
- and more...
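To make the velocity and amount filters in the list above concrete, here is an added example, written for this page and not CMS's or Authorize.net's code, that models those three controls locally and runs them over constructed submission records. The record fields, threshold values, sample card numbers and the IP addresses (from the documentation-only TEST-NET ranges) are all assumptions; the point is to show why a per-IP velocity limit stops a bot cycling through stolen cards while a single legitimate donor passes untouched.

```python
"""Added example: a simplified local model of AFDS-style amount, per-IP velocity
and hourly velocity filters, run over constructed donation-form submissions.
Not CMS's or Authorize.net's code; field names and thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Submission:
    ts: int         # Unix timestamp of the form post
    ip: str         # client IP as seen by the web server
    card_hash: str  # fingerprint of the card number; the raw PAN is never kept
    amount: float   # donation amount in USD


def card_fingerprint(pan: str) -> str:
    # Hash the card number so the screening log never holds raw PANs.
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


def screen(submissions, ip_limit=5, ip_window=3600,
           hourly_limit=60, min_amount=1.00, max_amount=5000.00):
    """Return [(submission, decision, reason)] in arrival order.

    Modelled filters (each mirrors one control in the list above):
      amount          - reject if outside [min_amount, max_amount]
      ip_velocity     - reject after ip_limit attempts from one IP per ip_window seconds
      hourly_velocity - reject after hourly_limit attempts site-wide per hour
    Attempts are counted whether or not they were accepted: a card tester is
    not slowed down by declines, so declines must still consume the budget.
    """
    per_ip = defaultdict(deque)   # ip -> timestamps of recent attempts
    site = deque()                # timestamps of all recent attempts
    results = []
    for s in sorted(submissions, key=lambda x: x.ts):
        # Expire attempts that have fallen out of the sliding windows.
        q = per_ip[s.ip]
        while q and s.ts - q[0] >= ip_window:
            q.popleft()
        while site and s.ts - site[0] >= 3600:
            site.popleft()

        if not (min_amount <= s.amount <= max_amount):
            decision, reason = "reject", "amount"
        elif len(q) >= ip_limit:
            decision, reason = "reject", "ip_velocity"
        elif len(site) >= hourly_limit:
            decision, reason = "reject", "hourly_velocity"
        else:
            decision, reason = "accept", "ok"

        q.append(s.ts)
        site.append(s.ts)
        results.append((s, decision, reason))
    return results


def card_testing_ips(results, distinct_cards=4):
    """IPs that presented at least `distinct_cards` different card numbers: the
    classic card-testing signature and a good candidate for an IP block."""
    cards = defaultdict(set)
    for s, _, _ in results:
        cards[s.ip].add(s.card_hash)
    return sorted(ip for ip, seen in cards.items() if len(seen) >= distinct_cards)


# Constructed sample: one real donor, then a bot cycling eight stolen cards
# at $1-$8 every 15 seconds (one of them below the $1.00 minimum).
SAMPLE = [Submission(1_700_000_000, "203.0.113.10",
                     card_fingerprint("4111111111111111"), 180.00)]
for i in range(8):
    SAMPLE.append(Submission(1_700_000_060 + 15 * i, "198.51.100.7",
                             card_fingerprint(f"55555555555544{i:02d}"),
                             0.50 if i == 2 else 1.00 + i))

if __name__ == "__main__":
    for s, decision, reason in screen(SAMPLE):
        print(f"{s.ts} {s.ip:15} ${s.amount:>8.2f} {decision:7} {reason}")
    print("card-testing candidates:", card_testing_ips(screen(SAMPLE)))
```

With the defaults, the donor is accepted, the bot's sub-minimum $0.50 attempt is rejected by the amount filter, and from its sixth attempt onward every submission from the bot's IP is rejected by the IP velocity filter, even though each individual card might have authorized. Note that the bot's first few attempts still get through: velocity filters limit the damage, they do not prevent it, which is why the page also recommends AVS and CVV checks and why CMS blocks the offending IP once it is identified.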
Please refer to Authorize.net Support for assistance in setting up these tools.
Here is a link to the Authorize.net document with more information
WHAT TO DO IF YOU'RE UNDER ATTACK
If you are getting credit card submissions and charges through your website that you suspect are fraudulent, you must take immediate action:
- Contact our Tech Support at our urgent line (ext 2) and email email@example.com to let us know.
- Turn off the Instant Charge feature of your form.
- Void all transactions before they settle (at the end of the day). If already settled, issue refunds.
- Set up the Advanced Fraud Detection Suite, as outlined above.
Do not download the fraudulent submissions to your CMS.
Once the hacker is blocked and you have added and configured the AFDS on your account, you can turn Instant Charge back on for your form. We will then purge the fraudulent submissions from your account and you will be able to resume downloading submissions as before.
Here are some articles describing why non-profits and charities in particular are the target of this type of fraud.