I have a website where people buy and sell custom-made software online. Nothing is physically shipped to the Buyer. Let's consider a situation for an example, where a Buyer gets some custom software done, pays using PayPal, downloads the software from the website and later, after a few days, files a Dispute/Chargeback falsely stating that it was not him who made the payment (or states that he did not receive any software, or any other reason).
In this case:
1. How can I, as the website owner (& on behalf of other sellers working through my website), contest this chargeback?
2. How can Paypal help me in resolving the situation?
3. We will be having all proof of correspondence online, like chat logs, conversations in private messaging, etc. available online in the website. Will this be of any help at all?
4. What can be done to make sure that Buyer is genuine when he tries to make the payment in my website?
5. What will Paypal really do when they receive such a complaint?
6. Will selling software through my website, be eligible for the Seller protection?
Looking forward to replies.
Thank you.
Okay, let's start from the beginning.
Police will tell you that no security system or lock is foolproof - if the burglar is determined to break into your house, he'll find a way. What locks and alarms do is raise the threat of detection so that the crook goes and finds an easier target.
In the same way, you can never be perfectly safe. The idea is to put enough roadblocks in the way to dissuade people from making the attempt at running a scam.
There may not be a one-size-fits-all solution, either. The level of security you'll want for a $200 purchase may be inadequate for a $40,000 purchase. The level of security required for a $40,000 purchase may be overkill for a $200 purchase.
The first thing you may have to do is evaluate the risks of a scam at different money levels. If the risk above $50,000 is that your company will close because it can't take the hit, then perhaps you should insist on a bank wire transfer instead of a credit card. If the customer balks, he can go somewhere else, he either trusts you or he doesn't.
If the risk at $25,000-$50,000 is that it will hurt, but you'll survive, you may insist on a credit check first (reasonable, under the circumstances). You may insist that the customer call you from a landline at the computer where he will be downloading or have some other high-security verification system. OR you might take out insurance on the transaction - moneybookers dot com (a service similar to PayPal) charges 12% for chargeback protection - a steep price, but possibly worth it in some cases.
And so on - as the risk lessens, so do the precautions. At $200, you might just write it off as long as there aren't too many.
The vast majority of users will not scam you, but I know that it does happen. You want to show prospective scammers that you've done your homework and you're ready to nail them if it comes to that - that will dissuade them. So you use proven security measures and advertise them as high security, like the security questions and so on.
We'll go through your example step-by-step:
Let's say that genuine Buyer wants to get the software done & he discusses this proposal with a friend of his. His friend suggests my website and also gives him an idea to get the work done and file a chargeback once it is done.
So the buyer is an inexperienced scammer - he's going to make mistakes that you can catch.
So now he operates away from his home (let's say Kinko's, just to get this software done) and uses his own information.
Can you build in a protection to identify Kinko's sites or other public sites from the IP address and deny a secure account if the address at the Kinko's does not match the address he's giving (like the charge cards do)? He will have to use his real address or the charge on the card will not go through.
He even orders the software, gets it done, downloads the software, pays and just disappears for about 2 weeks. After 2 weeks, he files a (false) chargeback either with CC company / PayPal stating that he does know how the charges appeared and disputes it.
If you have a secure account that only allows downloading to a computer registered at his home address, that will be tough for him to prove;
He can't claim that someone stole his charge card info, because your records say that he downloaded to his computer.
He can't say his kid did it because he'd be liable under the law anyways and the story is implausible because kids don't order that type of software.
He has had the provable benefit of the download, the program is on his computer, so the chargeback should be denied.
If that's not enough security for you, then require him, at that level of purchase, to use a debit card (which cannot be charged back once the funds have been settled - takes a few days) or pay the money by bank wire transfer, which cannot be reversed.
1. Payments < 100 If the risk above $50,000 is that your company will close because it can't take the hit, then perhaps you should insist on a bank wire transfer instead of a credit card. If the customer balks, he can go somewhere else, he either trusts you or he doesn't.
This really sounds like a very good solution. Appreciate for such input!
You want to show prospective scammers that you've done your homework and you're ready to nail them if it comes to that - that will dissuade them.
Exactly!
So the buyer is an inexperienced scammer - he's going to make mistakes that you can catch.
Sounds like that. But remember, he has his friend as guide and this friend may be expecting a percentage cut when the Buyer succeeds in doing the fraud. So to succeed in this, he has all the support from his friend. That's the problem. You may have some experienced scammer guiding the inexperienced ones.
Can you build in a protection to identify Kinko's sites or other public sites from the IP address
This does not seem possible. We cannot identify what IP a Kinko's kiosk might be carrying at the time a Buyer is accessing our website. I am not sure what you mean by identify kinko's sites. Maybe if you can throw more light on that, I will be able to explain it better.
and deny a secure account if the address at the Kinko's does not match the address he's giving ( like the charge cards do)?
Well if we are permitting the Buyer to be able to download from the same computer as he signed in the first place & assuming that the IP of the system is the same as the one that he used while signing up for the account, then in this case, now since the IPs are same, he will be considered as a valid user and he will be able to download the software. Now he can go back to his home and wait for 2 weeks and file a false chargeback stating that he never used it in first place. I will definitely want to nail this guy down. What to do in this case?
He will have to use his real address or the charge on the card will not go through.
He is a genuine Buyer in the first place, remember? He knows all his details so he will use everything correctly. Once the work is done, he may file a false chargeback considering identity theft and such. Again, although our system sounds effective, what to do in this case?
If you have a secure account that only allows downloading to a computer registered at his home address, that will be tough for him to prove;
You are right here. But remember that he signed up from Kinko's and considering that we assume that it was his home computer, he will be allowed to download the software. Unfortunately, we might be able to prevent the person himself but not his intent if he appears to be genuine but is not at the end. So this is the main problem here and I definitely do not want to make an exception and catch such crooks. Because of few such Buyers, the rest suffer and I don't want that to happen to the good ones.
He can't claim that someone stole his charge card info, because your records say that he downloaded to his computer.
Yes, but remember that Kinko's terminal is not his home PC (& he signed up for his account and download the software from Kinko's terminal). So he can claim that his home IP is different from Kinko's IP and he will most likely win if only IP's are taken into consideration. What can be done to stop this or effectively combat this one, if it ever happens.
He can't say his kid did it because he'd be liable under the law anyways and the story is implausible because kids don't order that type of software.
That's very true.
He has had the provable benefit of the download, the program is on his computer, so the chargeback should be denied.
Not if he has been using Kinko's terminal all the time. Again, he can claim that his home IP is different from Kinko's IP and he will most likely win if only IP's are taken into consideration.
If that's not enough security for you, then require him, at that level of purchase, to use a debit card (which cannot be charged back once the funds have been settled - takes a few days) or pay the money by bank wire transfer, which cannot be reversed.
These methods sound really nice, considering that a chargeback cannot be filed. I will definitely implement this. Thank you for suggesting such an awesome idea.
I did not really know that bank wire transfers & debit cards cannot be reversed, nor that a chargeback cannot be filed. What if I start accepting only bank wire transfers? Do you think that will secure me well enough for all transactions? I am hoping so. How will I know when a user is using a Credit card & when they are using a Debit card?
Please let me know.
Thank you so much.
So the buyer is an inexperienced scammer - he's going to make mistakes that you can catch.
Sounds like that. But remember, he has his friend as guide and this friend may be expecting a percentage cut when the Buyer succeeds in doing the fraud. So to succeed in this, he has all the support from his friend. That's the problem. You may have some experienced scammer guiding the inexperienced ones.
Possibly, but unlikely. The friend providing the guide would be making himself an accessory to grand theft and conspiracy. That's serious jail time. Then you have TWO people instead of one getting nervous and the friend doesn't stand anything to gain.
Can you build in a protection to identify Kinko's sites or other public sites from the IP address
This does not seem possible. We cannot identify what IP a Kinko's kiosk might be carrying at the time a Buyer is accessing our website. I am not sure what you mean by identify kinko's sites. Maybe if you can throw more light on that, I will be able to explain it better.
Can you identify from the IP, from the url, from some element in the program where the user is physically when they access your website?
Something like this?
http://www.ip2location.com/free.asp
It's a way to confirm that someone is either at their personal computer at home (where their credit card says their registered address is) or somewhere else.
If they're somewhere else, they may be using a laptop (I don't know if the IP remains constant when they move or not) or they may be a scammer working with a stolen credit card or our mythical evil customer.
and deny a secure account if the address at the Kinko's does not match the address he's giving ( like the charge cards do)?
Well if we are permitting the Buyer to be able to download from the same computer as he signed in the first place & assuming that the IP of the system is the same as the one that he used while signing up for the account, then in this case, now since the IPs are same, he will be considered as a valid user and he will be able to download the software. Now he can go back to his home and wait for 2 weeks and file a false chargeback stating that he never used it in first place. I will definitely want to nail this guy down. What to do in this case?
In my example, using the app in the link above, he would be denied a secure account because his stated location doesn't match the location his credit card information says he's at.
He will have to use his real address or the charge on the card will not go through.
He is a genuine Buyer in the first place, remember? He knows all his details so he will use everything correctly. Once the work is done, he may file a false chargeback considering identity theft and such. Again, although our system sounds effective, what to do in this case?
No.
Using the app in the link above, you've caught him in a lie - he isn't where he says he is. He doesn't get a secure account until he registers for one from his home address.
This 'secure' account can be as diligent as you want to make it. You want to be demonstrating that you've done your homework and that the evil buyer cannot outwit the system. The more diligent the system, the more likely that evil buyers, who are nervous anyway, are going to forget about it.
If you have a secure account that only allows downloading to a computer registered at his home address, that will be tough for him to prove;
You are right here. But remember that he signed up from Kinko's and considering that we assume that it was his home computer, he will be allowed to download the software.
With the app above, you don't have to assume it's his home computer - you'll know if it is or not.
Even if he's using a laptop and the laptop's IP does not change, you've shown that it's a laptop that is registered to his home address. That should be enough to show that the information was downloaded to HIS computer and defeat a chargeback.
He can't claim that someone stole his charge card info, because your records say that he downloaded to his computer.
Yes, but remember that Kinko's terminal is not his home PC (& he signed up for his account and download the software from Kinko's terminal). So he can claim that his home IP is different from Kinko's IP and he will most likely win if only IP's are taken into consideration. What can be done to stop this or effectively combat this one, if it ever happens.
As above, the app in the link will show that it isn't his home IP. He never gets the secure account in the first place and, without the secure account, he can't download and defraud.
He has had the provable benefit of the download, the program is on his computer, so the chargeback should be denied.
Not if he has been using Kinko's terminal all the time. Again, he can claim that his home IP is different from Kinko's IP and he will most likely win if only IP's are taken into consideration.
See above for why that doesn't work.
I did not really know that bank wire transfers & debit cards cannot be reversed, nor that a chargeback cannot be filed. What if I start accepting only bank wire transfers? Do you think that will secure me well enough for all transactions?
Bank wire transfers would be safe for all transactions - they can't be reversed at all. But they're cumbersome to arrange and they cost about $40 to send - there's a charge for receiving them as well. However, you can overcome that by paying those charges for the customer - it would be cheaper than the charge that moneybookers charges for chargeback protection. On higher-value transactions it would be the way to go, I think. On lower-value transactions, it might be overkill - you could require debit cards and a waiting period for that.
How will I know when a user is using Credit card & when they are using a Debit card?
Don't take Paypal, for one thing - use merchant banking and set it up with your bank that you ONLY accept debit cards.
The downside of this will be that you'll lose some sales because customers are using their credit cards to provide a financing option for the software. They'll have to arrange bank loans instead. Some won't.
That's serious jail time.
That is so true.
Can you identify from the IP, from the url, from some element in the program where the user is physically when they access your website?
I will look into this.
It's a way to confirm that someone is either at their personal computer at home ( where their credit card says their registered address is) or somewhere else.
The link to the app. that you have given, does not reveal the complete address but can help us in case of legal action. Let's say that the address registered with the credit card carries the home address of the user and we are able to identify that whether the user is accessing the website from home or not. If the user is genuine and trying to access the website from office or Kinko's, should we really deny them the access to their account? If yes, then that would mean that the user will never be able to access it from anywhere else. But consider this. Maybe the user does not have a PC/internet connection at home or does not spend time on business activities at home (few possibilities how Buyers behave in this stream). Do you think this method would really work in this case?
In my example, using the app in the link above, he would be denied a secure account because his stated location doesn't match the location his credit card information says he's at.
Using the app in the link above, you've caught him in a lie - he isn't where he says he is. He doesn't get a secure account until he registers for one from his home address.
That's very nice of you to be able to provide source of such app. If you have tried the app. already, you will notice it does not show the physical address of the IP i.e. house number + street name & we need that to match it up with the address on the credit card. Although the IP gives a good idea about the location of the user, it does not provide the complete address i.e. house number + street name as well. Since these details are missing, it makes tough on us to take a decision whether to allow or to deny access. Does that make sense?
Regarding an IP: An IP is not necessarily the same for a user, even if he is working from home, unless it is a static IP. Otherwise the IP can change on every reconnect (meaning you shut down your system, start it, connect to the internet, or wake the PC from sleep mode and connect to the internet). So as you can see, there is a lot of uncertainty that the user will get the same IP on reconnect or whenever he connects to the internet.
Bank wire transfers would be safe for all transactions - they can't be reversed at all.
Sounds very good!
On higher-value transactions it would be the way to go, I think. On lower-value transactions, it might be overkill - you could require debit cards and a waiting period for that.
Sounds good too. If they have to wait till a payment from a debit card is made, then they have to wait.
The downside of this will be that you'll lose some sales because customers are using their credit cards to provide a financing option for the software.
That's true. But I guess, for now, it will be worth it to provide quality service for genuine users. Letting users accept credit card seems to be the root of all evil. I guess even sellers would agree with me knowing the level of protection it offers considering the non-acceptance of the credit card. If I accept credit cards, then I am going to have even strict rules in place.
If the user is genuine and trying to access the website from office or Kinko's, should we really deny them the access to their account?
Well, depending on the amount involved, you might create a payment option for the buyer to wire transfer the money, then you don't care where he works from. That might also be a workable solution in the case you mentioned where multiple downloads to multiple locations are required.
You can construct any number of specialized payment plans that you like.
Maybe the user does not have a PC/internet connection at home or does not spend time on business activities at home
I would wonder how prevalent this is and whether you want to deal with these customers, then. You don't have to swing at every pitch.
If you have tried the app. already, you will notice it does not show the physical address of the IP i.e. house number + street name & we need that to match it up with the address on the credit card.
I didn't try the app - I just grabbed it as an example.
Too bad - it would have solved a bunch of issues.
I like the combination of wire transfers for large amounts and debit cards for small amounts - it's the best idea so far.
By the way, double-check with your bank on how long you should wait before a debit card payment can be considered non-cancellable.
If the customer is in a hurry with a smaller amount, they could always wire transfer the funds or even send the money by Western Union Instant money transfer - that's non-cancellable as well.
Hi surplusdealdude,
Sorry, had to rush out of town. Could not reply back to you.
Yes, I like the combination of wire transfers for large amounts and debit cards for small amounts too. I believe that would save me a lot of pain in the future. Guess, I will also do some checking with my bank for the other details as you mentioned.
Thank you so, so much for all your helpful replies. Appreciate a ton!