E-Commerce - Shopping Carts
Why are xmanhosting
shopping carts superior to other shopping cart software
providers?
There is a clear difference between the xmanhosting
e-commerce experience and other shopping cart providers:
- We don’t just sell you the software and run! We
totally customise your shopping cart to your needs.
- We are quite inexpensive compared to other carts.
- Lastly, xmanhosting is a professional e-commerce
company specialising in shopping cart software development
- we provide a total solution to online selling.
xmanhosting Shopping Cart Advantages:
- FREE tech support services by e-mail.
- Completely customisable design from the admin panel
- Advanced and ever-improving technology with free
upgrades
- SSL security
- Inexpensive price
Can I use my xmanhosting shopping cart online
store as a stand-alone web site?
Yes. xmanhosting shopping carts are just as powerful
as a stand-alone site.
Will I convert more sales with my xmanhosting
shopping cart?
Definitely! Our unique shopping cart layout makes it
easy for your customers to reach their desired product
destinations. This is important because studies have
shown if users can't find what they are looking for
(in 12-15 seconds or 3 or less clicks)...they click
to the next site in the search engine.
xmanhosting's shopping cart software enables customers
to add, edit and delete products (from the shopping
cart) from every page.
Will I have my own domain name or will it be
a part of xmanhosting shopping cart?
Your store belongs to you with your own products. xmanhosting
hosts your store on your own domain address. Your store
address will be something like: www.yourdomain.com,
or www.yourdomain.com/shop . Your store will NOT be
an extension of the xmanhosting domain.
Can I sell downloadable goods in my shopping
cart?
Yes, xmanhosting shopping carts can sell digital or
downloadable products.
Some examples of these are:
What are the costs to start an xmanhosting
online store?
xmanhosting shopping cart software offers several affordable
payment plans to accommodate any size business. Click
here to view our
pricing plans. Plans provide you with store set up,
FREE tech support, membership to a 2Checkout merchant
account, SSL security and all future upgrades to the
software for free.
How do I start selling online?
Just sign up here,
we will set up your new, fully customised online store
for you.
Will it take long to set up my store?
Depending on the size of your store, it will take us
between 2-3 weeks to fully customise your store so that
you are satisfied with your purchase.
How do I modify my xmanhosting shopping cart
after my initial setup?
You will be able to modify your cart through your very
own admin area.
Do I need any other tools to get started?
No. xmanhosting's shopping cart software is complete
and controlled by you from a web-based control panel.
You have the ability to control your e-business from
any computer connected to the Internet, anywhere in
the world. There are no installations, plug-ins or downloads.
Who will be hosting my store?
Your shopping cart will be on xmanhosting’s extremely
reliable dedicated servers. When you're with xmanhosting
your store will have a guaranteed 99.5% uptime.
Can I customise my online store's design and
content?
Not a problem! In your admin area you can modify every
aspect from site colours and fonts to button designs
and curved page edges. Your store can change products,
categories, shipping methods, discounts, payment types,
product descriptions and much, much more. xmanhosting’s
software enables you to add, edit and delete at will.
This can be done from any computer connected to the
Internet in the world! No software to install.
Is there any HTML knowledge required to set
up my Store?
You don't need any HTML knowledge to use xmanhosting's
shopping carts. You do not need to understand HTML or
other programming languages to build or maintain your
store.
I don't have
a merchant account yet. Do xmanhosting's shopping
carts require this to start selling?
Your shopping cart comes with your very own merchant
account from 2Checkout.
What are the security features for transactions?
Our shopping carts provide 128-bit Secure Sockets Layer (SSL)
protection free of charge for credit card purchases
via your very own 2Checkout merchant account. This is
the highest industry-standard encryption to transmit
credit card information securely on its way from the
shopper to our computers, and from our computers to
you, the merchant.
Does xmanhosting offer their shopping cart
services world wide?
Yes, xmanhosting provides our shopping carts to people
worldwide.
What browsers/computers can I use to access
my store admin and view my storefront?
You can access your store's admin panel and storefront
using both a Macintosh and PC using any of the main
web browsers where there is an internet connection.
eWAY Payment Gateway
What is eWAY?
eWAY is an Australian payment gateway that
allows you to receive money online from customers when
they make purchases using your shopping cart.
Do eWAY prices include merchant facility fees?
No, merchant fees are additional to eWAY fees. You will
need to contact your bank to discuss merchant fees.
How long does it take to get set up?
It will only take a couple of business days
to set up.
Do I need to open an Internet Merchant Facility
to use eWAY?
Yes, to process credit cards with eWAY you MUST have
an Internet Merchant Facility.
What banks are supported?
- St George
- Bank SA
- ANZ
- Commonwealth
- NAB
- Westpac
- BankWest.
I have a merchant facility / EFTPOS can I use
it with eWAY?
No. Contact your bank and ask them to set up an Internet
Merchant Facility.
Do I have to change banks and close my other
accounts?
No. You can arrange to have the funds transferred FREE
of charge to any other Australian bank account. The
transfer occurs daily and does NOT incur any bank or
government charges.
Do I have to write a business plan to open
a merchant facility?
Maybe, it depends on your bank. The following information
may be required:
• General Information
• Business Information
• Business Sales Information
• Current Credit Card Processing Information
• Business Owner Information
Can my merchant bank deposit money to an account
held in another bank eg. NAB bank?
Yes, the transfer takes place overnight. There is no
charge for the transfer. Your bank will be able to assist
with this setup.
What is the cost of a merchant facility?
Pricing for an internet merchant facility varies for
each merchant. Please contact your bank for pricing.
Which credit cards are accepted by eWAY?
VISA, MasterCard and Bankcard are supported with a standard
merchant facility. You can also have AMEX, Diners and
JCB.
Am I liable for risks associated with credit
cards?
Yes, the banks treat online transactions the same as
transactions taken via the telephone. Please contact
the relevant bank for more information regarding risk
and liability.
My client already has the facility to accept
credit cards through his shop, does this mean he will
still need a merchant account as well?
If the customer is accepting credit cards via their
shop then they have a standard merchant facility. They
will need to contact their bank and set up an "Internet
Merchant Facility" to use eWAY.
I now have my new merchant account. What do
I do now?
Enter your details here.
Are there any refund limits imposed by the
bank on my merchant facility?
Yes, the banks usually impose a $1000 refund limit on
your account. If you wish to process a refund larger
than this please request the refund in your eWAY admin
area, and then ring the bank and ask them to increase
your refund limit. They will usually only do this for
a short period of time so you will need to ring eWAY
on 1800 10 65 65 and request that we process the refund
on the spot for you.
I have an eWAY account and I have processed
some transactions. The problem is that the funds have
not appeared in my bank account.
You need to contact the bank where you have your merchant
facility and make sure that they have linked to the
correct bank account. The exception to this is Westpac
where you need to provide the correct BSB and Account
number to eWAY.
Note: It can take up to 2-3 days for the money to transfer
from your merchant facility to your bank account.
Can you help me to reconcile my bank statement
with my internet merchant facility?
All the information about your eWAY transactions can
be found in your eWAY reports. These will help you to
reconcile your bank statement. If a transaction appears
to be missing but is in your eWAY reports you will need
to contact your bank to query the transaction. Your
bank will usually settle your funds into your working
bank account once per day. This means that all your
transactions minus your refunds will be transferred
in one lump sum into your bank account.
Can eWAY pass information so it is printed
on my merchant statement from the bank?
No.
I think I have processed a stolen card. What
should I do?
Refund the transaction: log in to eWAY, view the reports
and select the transactions you wish to refund.
Do I require an SSL certificate to use eWAY
with my shopping cart?
Yes.
Will my customers receive an email from eWAY
when a purchase is made through my account?
By default yes. If you do not wish your customers to
receive transaction receipts from eWAY you can turn
this off in your eWAY admin area under "Email Receipts".
Can eWAY configure the email receipt sent to
our customer?
You can add additional information to the footer of
each Email sent. If you require a more customised Email
than this you can switch off the customer Email receipt
and generate your own Email from your website.
Once my customers click to purchase an item,
will they be transferred from my site while the order
is being processed?
No, eWAY is processed in the background.
Can I view current transactions?
Yes, the eWAY administration area provides full
transaction reporting and many other services. To log into your web-based eWAY account, please click here, and type in the details that we have provided for you.
Are the credit card number and expiry date
details passed from my site to eWAY?
Yes, the credit card details are passed from your site
to the eWAY website, but you must have your own SSL
certificate to encrypt the information passed.
Can eWAY do automatic rebilling?
Yes, eWAY has released reBILL, which completely automates
recurring billing.
Do my customers have to have a credit card
from the same bank as my merchant account?
No, any valid VISA, MasterCard or Bankcard from any bank
will work. In fact the card does not even need to come
from Australia. Any valid MasterCard or VISA from any
country can be processed using eWAY. However it will
be billed in Australian dollars. On the cardholder's
statement the transaction will be converted to their
local currency by their credit card provider.
Can I accept AMEX, DINERS or JCB cards?
Yes, you must apply for these separately. You need to
contact DINERS/AMEX/JCB directly. They will issue you
with a merchant number. Please supply this information
to your merchant facility bank. Then request eWAY to
set up your account for AMEX/DINERS.
Can eWAY process credit cards from overseas?
Yes, as long as the card is a valid VISA, MasterCard
or Bankcard (AMEX or DINERS) it does not matter what
country the card holder lives in. The transaction will
be processed in Australian dollars.
What currency will overseas customers be charged
in?
All transactions are in Australian dollars. The customer's
credit card statement will show a currency conversion
to Australian dollars.
Can you charge in other currencies?
No, at the moment the only currency is Australian dollars.
We have many merchants that do most of their business
overseas and charge in Australian dollars with no problems.
Australia is considered by overseas customers to be
a very safe place to order from due to our strict trading
laws.
Is there a minimum OR maximum number of transactions
that can be performed each month?
No.
Can you place a limit on the maximum dollar
value of a transaction put through on my eWAY account?
No.
Can I process mail, fax and email credit card
payments?
Yes, we provide a manual payment service in which you
can enter your customer details yourself. You need to
login to eWAY admin area to process manual transactions.
How do I process a refund using eWAY?
You simply need to log in to your eWAY admin area and
find the transaction you wish to refund and click on
the refund button. The refunds will be processed within
48 hours manually by eWAY staff. The cost of this transaction
is the same as a normal credit transaction.
I have a refund pending that I need to cancel.
How do I do this?
As long as the refund has not been processed by eWAY
you can cancel it in your eWAY admin area under "Pending
Refunds".
I need to refund a customer but their credit
card has now expired. How do I do this?
You will need to obtain the new expiry date from the
customer and email it to support@eway.com.au with the
subject "expired card". eWAY will then update
the transaction and process the refund. There is currently
no charge for this update.
I need to refund a customer more than the amount
of the original transaction, can this be done?
No, for security reasons you cannot refund a transaction
for more than the original amount.
I need to refund a transaction for less than
the original amount. Can this be done?
Yes, you can refund a partial amount. Simply amend the
amount when you request the refund in your eWAY admin
area.
I need to refund a transaction that has already
had a partial refund. Can this be done?
No, for security reasons it is not possible to refund
a transaction twice.
Does eWAY support pre-authorisation of credit
card transaction, ie so I can put a hold on a transaction
and process it later?
No. Due to the large number of issues this causes for you and your
customers, eWAY does not offer pre-authorisation
transactions and would recommend against them.
I am getting an error message processing a
particular transaction. What does the error message
mean?
For full listings of common bank error messages please
see "Banking Documentation" under the eWAY
support page. Alternatively you can find a similar listing
in your eWAY admin area. However, it's best if you contact
your bank as the message is from them and not eWAY.
I am concerned about the risk of fraud through
my website, does eWAY have any suggestions on reducing
my risk?
Yes, please have a look at "Fraud Protection"
on the eWAY support page. Please scroll down to the
bottom of that page.
MaxMind
What is MaxMind?
MaxMind is a third-party credit card anti-fraud
system that allows you to greatly reduce improper purchases,
saving you time and money.
Why do I need MaxMind?
Purchases using stolen credit card numbers can
not only result in costly and time-consuming chargebacks,
but can also lead to unrecoverable products sent out
to "dodgy" clients.
How much does MaxMind cost?
For the majority of businesses, the $5(US)/month
Standard minFraud Service will be more than sufficient.
A one time $199 set up fee is charged by xmanhosting
to integrate MaxMind into your shopping cart.
How can I have MaxMind set up
on my shopping cart?
If you already have a shopping cart with
us, we can set that up for you. Otherwise,
MaxMind comes with the Gold E-Commerce Plan found here.
What information does MaxMind
output about the credit card purchase?
The following information is provided from
each credit card purchase:
Geographical IP address location checking
- countryMatch - Whether country of IP address matches
billing address country (mismatch = higher risk)
- countryCode - Country Code of the IP address
- highRiskCountry - Whether IP address or billing
address country is in Egypt, Ghana, Indonesia, Lebanon,
Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia
and Montenegro, Ukraine, or Vietnam.
- distance rounded - Distance from IP address to Billing
Location in kilometers (large distance = higher risk)
- ip_region - Estimated State/Region of the IP address,
ISO-3166-2/FIPS 10-4 code
- ip_city - Estimated City of the IP address
- ip_latitude - Estimated Latitude of the IP address
- ip_longitude - Estimated Longitude of the IP address
- ip_isp - ISP of the IP address
- ip_org - Organization of the IP address
Proxy Detection
- anonymousProxy - Whether IP address is Anonymous
Proxy (anonymous proxy = very high risk)
- proxyScore - Likelihood of IP Address being an Open
Proxy
- isTransProxy - Whether IP address is in our database
of known transparent proxy servers, returned if forwardedIP
is passed as an input.
E-mail and Login Checks
- freeMail - Whether e-mail is from free e-mail provider
(free e-mail = higher risk)
- carderEmail - Whether e-mail is in database of high
risk e-mails
- highRiskUsername - Whether username is in database
of high risk usernames
- highRiskPassword - Whether password is in database
of high risk passwords
Issuing Bank BIN Number Checks
- binMatch - Whether country of issuing bank based
on BIN number matches billing address country*
- binCountry - Country Code of the bank which issued
the credit card based on BIN number*
- binNameMatch - Whether name of issuing bank matches
inputted binName. A return value of Yes provides a
positive indication that cardholder is in possession
of credit card.*
- binName - Name of the bank which issued the credit
card based on BIN number*. Available for approximately
96% of BIN numbers.
- binPhoneMatch - Whether customer service phone number
matches inputted binPhone. A return value of Yes provides
a positive indication that cardholder is in possession
of credit card.*
- binPhone - Customer service phone number listed
on back of credit card*. Available for approximately
75% of BIN numbers. In some cases phone number returned
may be outdated.
Address and Phone Number Checks
- custPhoneInBillingLoc - Whether the customer phone
number is in the billing zip code. A return value
of Yes provides a positive indication that the phone
number listed belongs to the cardholder. A return
value of No indicates that the phone number may be
in a different area, or may not be listed in our database.
Currently we only support US Phone numbers.
- shipForward - Whether shipping address is in database
of known mail drops
- cityPostalMatch - Whether billing city and state
match zipcode. Currently available for US addresses
only.
- shipCityPostalMatch - Whether shipping city and
state match zipcode. Currently available for US addresses
only.
Risk Score
- score - Overall fraud score based on outputs listed
above. This is the original fraud score, and is based
on a simple formula. It has been replaced with riskScore
(see below), but is kept for backwards compatibility.
- explanation - A brief explanation of the score, detailing
what factors contributed to it, according to our formula
- riskScore - New fraud score representing the estimated
probability that the order is fraud, based off of
analysis of past minFraud transactions. Requires an
upgrade for clients who signed up before February
2007.
Account Information
- queriesRemaining - Number of queries remaining in
your account, can be used to alert you when you may
need to add more queries to your account
- maxmindID - Unique identifier, used to reference
transactions when reporting fraudulent activity back
to MaxMind. This reporting will help MaxMind improve
its service to you and will enable a planned feature
to customize the fraud scoring formula based on your
chargeback history.
- err - Returns an error string with a warning
message or a reason why the request failed. List of
possible error strings.
What do the MaxMind service outputs
stand for?
Risk Score Information
score - This field displays a risk
score that ranges from 0-10 where a score of zero is
low risk and a score of ten is high risk. The risk score
is calculated using many but not all of the data fields
addressed below. For the majority of orders, the risk
score tapers off at either end of the 0-10 spectrum.
Finding the magic threshold number may take some experimenting
since different businesses have their own unique customer
bases as well as different tolerance levels for risk.
Generally speaking, for Business-to-Business (B2B) environments,
we recommend that orders with a risk score of 2.5 or
above be flagged for review. For Business-to-Consumer
(B2C) environments, the recommended risk score will
depend on the kind of e-mail address that the customer
uses. This will be explained in more detail in the e-mail
section.
The risk score can also be customized since we output
all the raw information as part of the output string.
To customize how the fraud score is calculated, one
would modify the formula we use to calculate the risk
score and use the outputs returned by the minFraud
service as inputs for the modified formula.
IP Address Information
countryMatch - This field determines
whether or not the customer's country location based
on their IP address matches their billing address country.
For the majority of orders, the customer's IP country
should match the corresponding country of the billing
address. In some cases, a legitimate order may result
in a mismatch. Usually, this results from customers
who are making purchases while they are traveling or
if a company has office branches in different countries.
How you handle a country mismatch should be dependent
on your specific customer base or the context of the
particular order. For example, if you sell pre-charged
phone cards, you may have more orders with mismatches
since travelers often purchase such products while traveling.
If you sell computer parts, it would be less likely
that someone would be making a purchase while traveling.
A positive countryMatch does not mean that an order
is legitimate, as fraudsters have been known to use
proxies or anonymizing services as a way of creating
a country match for the IP address and billing address.
A negative countryMatch does not mean that an order
is fraudulent but the order should warrant further review.
If there is a negative countryMatch, it is recommended
to check where the user is actually making a purchase
from by looking at the other IP address fields. For
example, a customer making a purchase from the United
Kingdom will generally be less risky than one from Nigeria.
Accuracy for countryMatch is around 99%.
countryCode - This field displays the
country code of the customer's IP address country. This
field should be examined if there is a negative countryMatch.
A country code of US (United States) is generally less
risky than, for example, GH (Ghana). However, risk levels
would again depend on your typical customer base and
the context of the order. In addition, a negative countryMatch
of a France IP address and a Belgium billing address
is less risky due to the proximity of the two countries
in most situations. The distance between IP and billing
addresses is expressed through the "distance"
field.
This field can also be used to automatically flag, limit,
or block orders from certain countries. For example,
if you primarily serve only customers from Spain and
do not want to sell orders placed from other countries,
you can use the country code "ES" as a filter.
MaxMind uses an extended ISO-3166 Country Code.
highRiskCountry - This field determines
if the transaction's billing address or IP address is
located in a country that MaxMind has flagged as high
risk. A positive match means that either the IP address
or billing address is located in Egypt(EG), Ghana(GH),
Indonesia(ID), Lebanon(LB), Macedonia(MK), Morocco(MA),
Nigeria(NG), Pakistan(PK), Romania(RO), Serbia and Montenegro(CS),
Ukraine(UA), or Vietnam(VN).
Please note that these countries were not flagged randomly
because of the perceived risks of accepting orders from
these countries. These countries were flagged because,
statistically, the majority of the transactions on the
minFraud Network placed from those countries were fraudulent.
Countries may be added or removed based on our analysis
of the orders being placed on the minFraud Network.
There are other countries from which many fraudulent transactions
stem, but we will typically not mark a country as high
risk if there are also a large number of legitimate
transactions coming from that country.
This field will directly affect the risk score. If you
do cater to customers from the countries listed as high
risk, you can customize your own risk score model so
that this field would not trigger a higher score. Obviously,
if your shop caters to customers within these countries,
this field may create many false positives and should
be modified. Consider the risks and context of your
customer base before considering making a change to
this field.
Distance - This field expresses the
distance between the IP address and the billing address
in kilometers (1 kilometer = 0.6214 mile). The distance
can provide additional information for situations where
there is a positive or negative countryMatch as indicated
above. Generally, an increase in distance means an increase
in risk. However, a smaller distance doesn't automatically
legitimize an order. Fraudsters have been seen to make
use of proxies located in close proximity to the billing
address. In some cases, sophisticated carders will even
use proxies that are located in the same city as the
billing city, in which case, the distance would be close
to zero. Use this field in conjunction with the other
fields. This field also directly affects the risk score
(larger distance = higher risk score). For B2B and some
B2C transactions, the distance field will not always
make sense at first since the customer may be connecting
through a corporate proxy. Corporate proxies will be
discussed more in the "ip_organization" section.
ip_region - If the ip_region matches
the billing region, the risk is likely lower if there
is no indication that a proxy has been used. If it does
not match, you should check the distance field.
ip_city - If the ip_city matches the
billing city, the risk is likely lower if there is no
indication that a proxy has been used. If it does not
match, you should check the distance field.
ip_latitude - This field provides the
latitude of the IP address location.
ip_longitude - This field provides
the longitude of the IP address location.
Note: We also provide ip_region, ip_city, ip_latitude,
ip_longitude etc, for contextual information so the
end client can match up the city with additional location
information besides the billing location. This is also
useful if we can't recognize the billing city and return
a CITY_NOT_FOUND error.
ip_isp - This field provides the name
of the Internet Service Provider (ISP) that the customer's
IP address was allocated to. In many cases, knowing
the ISP can provide additional insight. For example,
some ISPs route their user traffic through proxies.
As a result, hundreds or even thousands of users can
share the same IP address. For example, users from California
and New York can be sharing the same IP address. As
a result, IP geolocation is not as effective. The most
well known ISP that does this is AOL. Generally, we
will blank out the associated location fields for ISPs
that route traffic in this manner. For example, only
the IP address country field will be available for AOL
addresses. Fraudsters know that using ISPs like AOL can
blur and disable IP geolocation tools and that is one
of the reasons why it has been a popular medium for
making fraudulent orders.
While there are still many users that use AOL, transactions
that come from AOL IP addresses (not necessarily aol.com
e-mail) for B2B transactions are very high risk. Many
AOL IP addresses used for B2B purchases logged within
the minFraud Network were fraudulent. Typically, established
businesses will not be using AOL as their Internet Service
Provider since AOL predominantly caters to consumers.
Important: If the ISP field shows the name of a hosting
provider, the transaction should be flagged for further
review. Having a hosting provider in the ip_isp field
means that the customer making the purchase is connecting
to a server provided by a hosting provider with his
existing Internet connection before connecting to the
e-commerce site. It is likely that a fraudster leased
or hijacked the server as a way of bypassing geolocation
controls. If the server is based in the US, IP geolocation
lookups will likely identify the transaction as coming
from the US or wherever the server is physically located.
Most of the transactions that have been identified within
the minFraud Network that are coming from hosting providers
have been fraudulent. To know if the ISP is a hosting
provider, you can search the ISP name with one of the
popular search engines. Visit the site. It should be
fairly apparent if the ISP is a hosting provider. Make
sure not to confuse a hosting provider with an actual
ISP. An example of a hosting provider is "Verio"
whereas an example of an ISP is "AOL".
The ISP can also determine how different IP addresses
should be handled. Some merchants will block certain
IP addresses or ranges if they sense fraud or receive
a chargeback from those IP addresses. Merchants that
utilize this strategy should be aware that different
ISPs have different ways of handling their allocation
assignments. For example, Comcast IP addresses are relatively
static and do not change very frequently (every 30-90
days). On the other hand, ISPs like AOL and SBC cycle their
IP addresses more frequently. For AOL dial-up, every
time someone connects, he is assigned a different IP
address while SBC cycles their IP address every few
days. As a result, blocking specific IP addresses may
result in blocking of legitimate orders in the future
once the IP address has been reassigned or re-allocated.
ip_org - This field provides the name
of the organization or company that the IP address has
been allocated to. Knowing this information can provide
some additional insight for dealing with legitimate
and suspicious orders. Like with ip_isp, if the ip_org
field displays the name of a hosting provider, the transaction
would be suspicious and warrants further review.
Additionally, looking at this field may also provide
insight for orders that may seem suspicious at first
but are really legitimate. For example, if there are
many orders with multiple billing addresses coming from
the same IP address, it may seem like a suspicious batch
of orders. Many merchants may flag that IP address as
a proxy and block any other orders from that IP address.
A closer look at the ip_org output may provide an explanation.
If the ip_org is assigned to a large company, it is
likely that the customer is connecting through some
type of corporate proxy or using a computer from one
of the office branches. As a result, the various customers
connecting through the corporate proxy would share the
same IP address but the billing addresses being used
may be very different. For example, XYZ corporation
may have offices in New York, California, and Florida
where all of the company's traffic is routed through
a corporate proxy. The corporate proxy IP address would
then potentially have orders associated with it with
billing addresses from various parts of the country.
The same case can be applied to IP addresses that have
been allocated to universities who will tend to route
outbound traffic through a few IP addresses. Since many
students will send their statements to their home address,
this will explain the difference in billing addresses.
Many large universities will have a national/global
student base.
It is entirely possible that a fraudster can somehow
hack their way into a corporate proxy or a university
IP address which could explain the various billing addresses
in the scenarios posed above. However, large companies
and universities generally have fairly good security
in place so the outbound IP addresses are not very likely
to be hijacked by fraudsters.
Proxy Detection
anonymousProxy - This field verifies
whether or not an IP address has been marked as an anonymous
proxy. Anonymous proxies are servers set up by the server's
owner to provide “legitimate” anonymizing services.
Examples of anonymous proxies include services provided
by anonymizer.com and Tor. Anonymous proxies will be
represented in the "countryCode" field as
"A1" while the associated region and city
fields will be blanked out to prevent false positives.
We do this because the user of that IP address can technically
be coming from anywhere around the world and providing
the location of the server hosting the anonymizing service
provides little useful information. Anonymous proxies
are used legally by customers who are concerned about
their online privacy. However, they are also used by
fraudsters who understand the effects these proxies
have on circumventing IP geolocation controls. Anonymous
proxies essentially disable and prevent the use of IP
geolocation tools. Orders placed from anonymous proxies
are considered to be high risk. We recommend that merchants
either do not accept orders from anonymous proxies or
process those orders with extra care. A positive anonymousProxy
match will directly affect the risk score.
proxyScore - This field provides a
score that can be used to evaluate the riskiness of
the IP address that was used on the online transaction.
The proxyScore deals more with open proxies. Open proxies
are compromised or hijacked computers/servers that have
been hacked or infected with trojans and/or viruses,
which allow users to connect to those computers without
the computer owner's knowledge. In effect, it allows
fraudsters to simulate that they are making a transaction
from that specific computer. Unlike anonymous proxies
that evade IP geolocation controls by blurring the resolution,
open proxies bypass IP geolocation by spoofing the location
of where the transaction is coming from. For example,
a fraudster can find a compromised computer located
in the same general area as his stolen credit card's
billing address so that there will be an IP address and
billing location match. The proxyScore will directly
affect the overall risk score.
Please Note: while the score range is between 0-10,
the numeric value does not translate to a direct percentage
likelihood of the IP address being a proxy. For example,
a proxy score of 3.0 does not mean that there is 30%
chance that the IP address is an open proxy. In fact,
a 3.0 proxy score or above signifies that the order
is 90% likely to be fraudulent. Please see the following
data:
Proxy Score Fraud Likelihood
0.5 = 15%
1.0 = 30%
2.0 = 60%
3.0 or higher = 90%
IP addresses that have been marked with a proxy score
of 3.0 or above have at some point been manually reviewed
by MaxMind. As a result, if a transaction receives a
proxy score of 3.0 or above, the likelihood that the
transaction is fraudulent is very high. Since open proxies
are more dynamic and harder to detect, the proxyScore
should have high importance in your processing decisions.
Orders with "high" proxyScore should be flagged
for review even if the IP address matches the billing
address. The proxyScore in many cases would reverse
any positive indicators that IP geolocation tools may
have provided about the transaction.
Different factors and variables are considered when
generating the proxyScore. The most common instances
where an IP address may generate a high proxyScore are
1) increased and inconsistent activities and
2) associations with previous suspicious activities
or chargebacks. Unfortunately, we are not able to go
into more detail about how our proxyScore is generated.
There are no good reasons why someone should be making
a purchase from an open proxy unless the person making
the purchase is actually the owner of the computer,
the coincidence being highly unlikely. In most countries,
connecting to or taking control of someone else's computer
without their permission is illegal. People concerned
with privacy should be using anonymizing services which
are legal and not open proxies which are illegal.
If you are customizing your own risk model, we highly
recommend that the proxyScore be given a heavy weight.
We consider proxyScore to be one of the best direct
indicators of fraud within the minFraud service. The
proxyScore is an additional layer of defense against
carders who are sophisticated enough to bypass IP geolocation
or any of the other checks within our system. We did
some statistical analysis of the actual fraudulent orders
(not perceived) placed through the minFraud Network
and have the following results:
Statistics of Where Fraud Comes From Within the minFraud
Network
32% High Risk Countries
21% Country Mismatch
6% Anonymous Proxies
4% Satellite Providers
26% Open Proxies
11% Not Detected
Please note that you should not worry
if you are not seeing these kinds of statistics for your
specific site. The numbers above represent the aggregate
of fraudulent transactions placed in the minFraud Network.
Different sites may attract different kinds of fraudsters
who may have different levels of sophistication. More
sophisticated fraudsters tend to use open proxies as
opposed to anonymous proxies because they are dynamic
and harder to detect. According to our analysis, the
minFraud service should be able to help merchants detect
an estimated 89% of stolen card fraud. In fact, many
clients have seen higher detection rates. If you are
seeing detection rates that are not even close to 89%,
you should consider re-evaluating your order process
cycle as well as how you are utilizing and interpreting
the minFraud data.
isTransProxy - This field determines
whether the forwardedIP address is in our database of
known transparent proxy servers. Transparent proxies
are proxies that do not fully anonymize the details
of the end user that is connecting to the transparent
proxy. Many transparent proxies will also pass on the
IP address of the end user that is connecting to the
proxy. For example, if the forwardedIP is an open proxy,
then the transaction would be riskier even if the transparent
proxy looked legitimate.
E-mail and Login Checks
freeMail - This field checks if the
e-mail domain used by the customer is from a free e-mail
provider. Examples of free e-mail providers include
the following: Yahoo.com, Gmail.com, and MSN.com. The
MaxMind system currently has categorized 31,000 free
e-mail domain providers around the world. In terms of
how to handle free e-mail providers, the discussion
will be broken up into the following two categories:
Business-to-Business (B2B) and Business-to-Consumer
(B2C).
B2C - While the adoption of free e-mail addresses is
very high, orders coming from free e-mail domains are
inherently more risky. The reason is that free e-mail
accounts can easily be created or recycled and cannot
be traced back to the rightful owner, which is exactly why
fraudsters prefer them. With the current minFraud risk
model, e-mail domains from free e-mail providers will
automatically increase the risk score by 2.5. If free
e-mails are not a concern for you, you can write code
that will subtract 2.5 from the risk score or you can
completely customize the risk model and give your own
weight to certain parameters. We recommend that you
continue passing the domain field because we perform
checks on domains on the back-end and may mark certain
domains as high risk which will indirectly affect the
other output fields like the proxyScore. From statistical
analysis of transactions within the minFraud Network,
free e-mail addresses double the likelihood that a transaction
would be fraudulent. For example, if a typical transaction
has a 1% likelihood of being fraudulent, then the same
order placed with a free e-mail address will have a
2% likelihood of being fraudulent.
B2B - For B2B transactions, free e-mail domains should
warrant additional review. While the use of free e-mail
is relatively common, most established e-commerce sites
should have an e-mail domain that is associated with
their e-commerce site. Free e-mails for B2B transactions
are higher risk. If the customer is not using a free
e-mail address and the order looks slightly suspicious,
it would be wise to perform a quick whois lookup on
the domain or search Google for the domain. Whois lookup
will tell you if the domain was recently registered
while the Google search should generate some reference
points if the customer's business is an established
one. If it is a new business, see if the customer has
previous sites or domains that you can review.
carderEmail - This field checks if
the customer's e-mail address has been associated with
previous fraudulent orders or chargebacks within the
network. Fraudsters will often re-use the same e-mail
address to reduce overhead and simplify the number of
e-mail accounts they have to manage. If there is a carderEmail
match then that increases the riskiness of the associated
transaction(s).
highRiskUsername - This field checks
if the customer's username has been associated with
previous fraudulent or suspicious activity within the
network. Like the situation with carderEmail, carders
will often use the same username and/or password across
various networks, to simplify what they need to remember.
highRiskPassword - This field checks if the customer's
password has been associated with previous fraudulent
or suspicious activity within the network.
Issuing Bank BIN Number Checks
binMatch - This field checks to see
if the billing address matches the country of the issuing
bank. It is unlikely and rare for a person to have their
billing address country differ from their issuing bank's
country. Having a positive binMatch does not necessarily
mean that a transaction is legitimate. Fraudsters have
been known to have access to limited and incomplete
BIN lists and will select cards that will match up accordingly.
MaxMind uses a self-developed BIN database and the accuracy
for binMatch is around 99%.
binCountry - The field outputs the
country code of the submitted BIN. This field will be
present for Premium minFraud queries or if there is
a positive binMatch. Knowing where the issuing bank
is located can provide more information for making your
decision. For example, generally, the risk of a transaction
is higher for credit cards issued in a developing country
than one from a developed country.
binNameMatch - This field determines
whether the name of the issuing bank matches the inputted binName.
A return value of Yes provides a positive indication
that the card holder is in possession of the credit card. This
field is only active if you are requesting your customer
to input the name of the issuing bank.
binName - This field displays the name
of the bank which issued the credit card based on BIN
number. Available for approximately 96% of BIN numbers,
this field is only available for Premium minFraud queries.
binPhoneMatch - This field determines
whether the number of the issuing bank matches the inputted
binPhone. A return value of Yes provides a positive
indication that the card holder is in possession of the credit
card. This field is only active if you are requesting
your customer to input the customer service number.
binPhone - This field displays the phone
number of the bank which issued the credit card. Available
for approximately 75% of BIN numbers, this field is
only available for Premium minFraud queries.
Address and Phone Number Checks
custPhoneInBillingLoc - This field
checks whether the customer phone number is located
in the billing zip code. Currently, this field only
supports US phone numbers. A return value of “Yes” provides
a confirmation that the phone number listed is located
within the same area as the card holder. A return value
of No indicates that the phone number may be in a different
area, or may not be listed in our database. For example,
someone who is using a cell phone may have a completely
different prefix or local number exchange than what
would match up against his billing zip code. This field
should be used as secondary support data and decisions
should not be based solely on this field. Fraudsters
have been known to purchase VoIP numbers so that the
prefix and local exchange of the number will match with
the zip code listed on the billing address.
shipForward - This field checks to
see if the shipping address listed for the order is
in our database of known mail drops. Many e-commerce
merchants will not ship abroad due to the risks involved.
As a result, fraudsters will often use mail forwarding
services. This field should be examined in conjunction
with the other fields. A shipping address to a known
mail drop does not mean the order is fraudulent since
mail forwarding services do serve legitimate transactions
as well. However, orders with a positive shipForward
match are more risky because the product is not necessarily
being shipped to the given billing address in the
end.
cityPostalMatch / shipCityPostalMatch –
This field checks whether the city and state portion
of the billing address match up with the zip code of
the billing address. Currently, this feature is only
available for US addresses. The Address Verification
Service (AVS) only checks to see if the zip code matches
the numeric portion of the street address. In order
to save time while testing stolen cards, some fraudsters
will type in bogus values (e.g. "asdf") since
they know that AVS only matches the street address to
zip code. Generally, when fraudsters are inputting fake
or blank data for region or city fields, they know the
order will not go through but are trying to test whether
or not the credit card is alive and checking the credit
limit available on the card. While that does not necessarily
pose a risk to your site, it poses a risk to other sites
that those tested cards will likely be used against.
However, it may increase your gateway/processing fees.
What is the "score"?
This field displays a risk score that ranges
from 0-10 where a score of zero is low risk and a score
of ten is high risk. The risk score is calculated using
many but not all of the data fields addressed below.
For the majority of orders, the risk score tapers off
at either end of the 0-10 spectrum. Finding the magic
threshold number may take some experimenting since different
businesses have their own unique customer bases as well
as different tolerance levels for risk. Generally speaking,
for Business-to-Business (B2B) environments, we recommend
that orders with a risk score of 2.5 or above be flagged
for review. For Business-to-Consumer (B2C) environments,
the recommended risk score will depend on the kind of
e-mail address that the customer uses. This will be
explained in more detail in the e-mail section.
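An added example, not part of the original page and not MaxMind's or xmanhosting's code: order triage that applies the guidance above, with proxyScore checked independently of the score, anonymous proxies flagged, and the optional removal of the 2.5 free e-mail weight. Field names are the ones on this page; the function names, the "Yes"/"No" string values, sending carderEmail and high-risk login matches to review, and the sample orders are assumptions.

```python
# Added example: order triage from minFraud-style output fields.
# Field names are from this page; "page" marks figures the page states.
# Function names, Yes/No string values and samples are assumptions.
FREE_MAIL_WEIGHT = 2.5    # page: a free e-mail domain adds 2.5 to the score
REVIEW_SCORE = 2.5        # page: B2B orders scoring 2.5 or above get review
PROXY_REVIEW_SCORE = 3.0  # page: proxyScore 3.0+ means very likely fraud


def is_yes(fields, name):
    return str(fields.get(name, "")).strip().lower() == "yes"


def number(fields, name):
    """Parse a numeric field; None when it is absent, malformed or NaN."""
    try:
        value = float(fields[name])
    except (KeyError, TypeError, ValueError):
        return None
    return value if value == value else None  # NaN never equals itself


def triage(fields, review_score=REVIEW_SCORE, ignore_free_mail=False):
    """Return (decision, reasons); decision is 'accept' or 'review'."""
    reasons = []
    score, proxy = number(fields, "score"), number(fields, "proxyScore")
    if score is None or proxy is None:
        # Fail closed: an incomplete response is never auto-accepted.
        reasons.append("score or proxyScore missing")
    if is_yes(fields, "anonymousProxy") or fields.get("countryCode") == "A1":
        reasons.append("anonymous proxy")
    if proxy is not None and proxy >= PROXY_REVIEW_SCORE:
        # Checked on its own so a billing/IP location match cannot mask it.
        reasons.append("proxyScore >= 3.0")
    for name in ("carderEmail", "highRiskUsername", "highRiskPassword"):
        if is_yes(fields, name):
            reasons.append(name)
    if score is not None:
        if ignore_free_mail and is_yes(fields, "freeMail"):
            # Merchant opted out of the free e-mail weight.
            score = max(0.0, score - FREE_MAIL_WEIGHT)
        if score >= review_score:
            reasons.append("score %.1f >= %.1f" % (score, review_score))
    return ("review" if reasons else "accept"), reasons


# Constructed samples, not real service responses.
GEO_MATCH_OPEN_PROXY = {"score": "1.2", "proxyScore": "3.5",
                        "anonymousProxy": "No", "freeMail": "No"}
FREE_MAIL_ONLY = {"score": "3.0", "proxyScore": "0.0", "countryCode": "US",
                  "anonymousProxy": "No", "freeMail": "Yes"}

if __name__ == "__main__":
    for order in (GEO_MATCH_OPEN_PROXY, FREE_MAIL_ONLY):
        print(triage(order), triage(order, ignore_free_mail=True))
```

The first sample goes to review on proxyScore alone despite its low score; the second goes to review only while the free e-mail weight is left in place.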
What is the "risk score"?
The riskScore field ranges from 0 to 100,
to help give a clearer, percentage-based idea of how
risky a given order may be. For example, an order with
a score of 20 has a 20% likelihood of being fraudulent.
Security
If I am paying
by credit card, how do I know my details will be transmitted
securely?
All credit card transactions are handled under
128 bit SSL (Secure Sockets Layer), so you will be able
to make your purchase with confidence.
If I am paying
via Paypal, how do I know my details will be transmitted
securely?
At the stage of the registration process when your Paypal
details are required, you will be taken to their 128
bit securely encrypted site, where you will be able
to make your purchase with confidence.