Fraud best practice?

I have a site using the web payments api and early this year it appears a fraudster found the site and is using it to validate stolen cards by attempting to make a purchase. This is a ticketing site and thus far it does not appear the tickets are actually picked up and used (will call only). Is there a best practice document to prevent card check attempts like this? I can limit the number of attempts from an IP address but that sounds minimally protective at best since IP proxies/anonymizers are so readily available.

Related to this, the site does support ApplePay and GooglePay. Is it possible to only accept these, maybe in conjunction with some invalid attempts threshold?

Lastly, is 3DS fully available in the US and via the API? Requiring 3DS could prevent this but the last time I worked with 3DS, it was not fully operational in the US - and this is a US site.

I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

https://developer.squareup.com/docs/sca-overview-web
Strong Customer Authentication
Cards API

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

Square provides several mechanisms to help mitigate fraudulent transactions.

Firstly, you can use the 3D Secure (3DS) feature, which is a standard protocol developed by several payment card issuers to authenticate buyers and reduce the chance of fraudulent transactions. 3DS can be used in countries where Strong Customer Authentication (SCA) isn’t a requirement, including the US. To start the 3DS flow, you can pass buyer verification details to the tokenize() method in the Web Payments SDK.

Secondly, Square’s Risk Manager can be used to manage potential fraud. For sellers outside of regions that require SCA, Square provides a mechanism in Risk Manager to let them opt in for 3DS on a location basis. A payment card might trigger the 3DS authentication flow and verify the identity of the buyer without generating a payment alert. A payment alert is only created in Risk Manager if the payment appears to be suspicious or fraudulent.

As for your question about limiting payment methods to Apple Pay and Google Pay, yes, it is possible to configure your application to only accept these payment methods. However, keep in mind that this could potentially limit the number of customers able to make purchases on your site, as not all customers may use these payment methods.

Lastly, limiting the number of attempts from an IP address could be a useful additional measure, but as you mentioned, it might not be fully effective due to the availability of IP proxies/anonymizers.

This answer was reviewed by @Bryan-Square.
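The tokenize() step described in the answer above, as an added example that is not part of the thread or of Square's own documentation: a helper builds the buyer verification details from the checkout data and passes them to card.tokenize(), and the wrapper refuses to continue unless tokenization (including any 3DS challenge) succeeded. The field names follow the SDK's verificationDetails shape; the order object, the cents-based amount and the fake card objects used for testing are assumptions made for this example.

```javascript
// Added example, not code from the thread or from Square. Assumes `card`
// is the object returned by payments.card() after card.attach(), and that
// the order totals are tracked in integer cents on the page.

function formatAmount(cents) {
  // The SDK expects the amount as a decimal string such as "25.00".
  if (!Number.isInteger(cents) || cents < 0) {
    throw new Error('amount must be a non-negative integer number of cents');
  }
  return (cents / 100).toFixed(2);
}

function buildVerificationDetails(order) {
  // Everything the issuer scores on comes from data the buyer already
  // typed at checkout; refuse to start 3DS with an incomplete contact.
  const c = order.billingContact;
  for (const k of ['givenName', 'familyName', 'countryCode']) {
    if (!c || !c[k]) throw new Error(`billingContact.${k} is required`);
  }
  return {
    amount: formatAmount(order.totalCents),
    currencyCode: order.currency,
    intent: 'CHARGE',          // one-off ticket purchase, card not stored
    customerInitiated: true,   // the buyer is present in the browser
    sellerKeyedIn: false,      // not a phone or mail order
    billingContact: {
      givenName: c.givenName,
      familyName: c.familyName,
      email: c.email,
      addressLines: c.addressLines || [],
      city: c.city,
      state: c.state,
      countryCode: c.countryCode,
      postalCode: c.postalCode,
    },
  };
}

async function tokenizeWithVerification(card, order) {
  // Passing verificationDetails here is what triggers the 3DS flow.
  const result = await card.tokenize(buildVerificationDetails(order));
  if (result.status !== 'OK') {
    // Covers a declined, failed or abandoned 3DS challenge as well as
    // plain card-entry errors: no token, so no payment attempt is made.
    const msg = (result.errors || []).map((e) => e.message).join('; ');
    throw new Error(`tokenization failed: ${result.status} ${msg}`);
  }
  return result.token; // send to your server as source_id for CreatePayment
}
```

Creating the payment still happens server side; the browser only ever forwards the token, never the card data.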